Ticket #1621 (new defect)

Opened 1 year ago

Last modified 3 days ago

[TEST] CompoundFormField widget can sometimes bypass validation

Reported by: plewis
Assigned to: anonymous
Priority: normal
Milestone: 1.1 maintenance
Component: TurboGears
Version: 1.0.3.2
Severity: normal
Keywords:
Cc:

Description

If a CompoundFormField is defined in a Form (with an associated Schema for validation), it is possible for a crafted URL (or form entry) to bypass validation. If the URL does not include the widget at all, validation does not appear to occur unless there is a specific reference to the widget in the parameters for the target (validating) controller.

Furthermore, the widget parameter must have a default value of a dict in order for validation to always work. If the widget parameter has a default value of None (or no default value), then if the widget is missing from the URL, validation will pass.

Attached are two files. One is a test project where the /index controller has a link that demonstrates good and bad behavior. The second is a patch to the TurboGears 1.0 branch that contains tests showing the behavior in a bit more detail.

Some discussion about the issue

Attachments

compoundformtestproj.zip (103.3 kB) - added by plewis on 11/29/07 05:09:48.
Test project showing the issue
compoundformfieldtest.patch (5.8 kB) - added by plewis on 11/29/07 05:40:37.
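
The behaviour reported in the description, as an added example that is not part of the ticket, its attachments, or TurboGears itself: a simplified model in which one validator checks only the compound fields present in the request and a hardened one validates every declared compound field, treating an absent one as an empty dict. All names are hypothetical, and the dotted `person.age` key style for compound sub-fields is an assumption of this sketch.

```python
# Simplified model of the reported behaviour; not TurboGears code.
# All names (Invalid, SCHEMA, nest, validate_*) are hypothetical.

class Invalid(Exception):
    """Raised when request data fails validation."""

def to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        raise Invalid("not an integer: %r" % (value,))

def non_empty(value):
    if not value:
        raise Invalid("value required")
    return value

# One compound field, "person", with two required sub-fields.
SCHEMA = {"person": {"name": non_empty, "age": to_int}}

def nest(params):
    """Group dotted keys: {'person.age': '3'} -> {'person': {'age': '3'}}."""
    nested = {}
    for key, value in params.items():
        *parents, leaf = key.split(".")
        node = nested
        for part in parents:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[leaf] = value
    return nested

def _check(sub_schema, values):
    if not isinstance(values, dict):
        raise Invalid("compound field must carry sub-fields")
    return {name: check(values.get(name)) for name, check in sub_schema.items()}

def validate_present_only(params):
    """Weak: a compound field absent from the request is never checked."""
    data = nest(params)
    return {f: _check(s, data[f]) for f, s in SCHEMA.items() if f in data}

def validate_all_declared(params):
    """Hardened: an absent compound field is validated as an empty dict."""
    data = nest(params)
    return {f: _check(s, data.get(f, {})) for f, s in SCHEMA.items()}
```

In the hardened form the decision to validate comes from the declared schema rather than from the keys the client chose to send, which is the same effect the description attributes to giving the controller parameter a dict default.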

Change History

11/29/07 05:09:48 changed by plewis

  • attachment compoundformtestproj.zip added.

Test project showing the issue

11/29/07 05:40:37 changed by plewis

  • attachment compoundformfieldtest.patch added.

01/21/08 08:40:10 changed by Chris Arndt

  • milestone changed from 1.0.4 to 1.1.

08/24/08 10:26:59 changed by faide

  • milestone changed from 1.5 to 1.1.

11/19/08 14:25:54 changed by faide

  • milestone changed from 1.1 to 1.1 maintenance.