Extbase validation cache allows invalid objects
\TYPO3\CMS\Extbase\Validation\Validator\GenericObjectValidator is a cache for already validated object instances (
This makes total sense but there is a big flaw in the concept: the validation results are not restored. This causes a problem in these scenarios:
Action forwarding with @ignorevalidation
Imagine you have a
action1() and a
action1() has an @ignorevalidation annotation for $property1 and forwards to
action2() has no @ignorevalidation annotation but validation errors for $property1 are still ignored because the cache in the GenericObjectValidator is not reset and the previous validation results are not loaded.
This allows the user to pass invalid data to
The second scenario would be the following. You have two method arguments
$param1 has a relation to $param2 and because child objects are validated you get the proper validation errors for
But you won't get any validation errors for your $param2 controller argument because of the cache.
This is problematic in two ways:
- @ignorevalidation annotation the user can submit invalid data to your action
- You can not display any validation errors in your form for
My suggestion to solve this is to store the validation results in the cache as well and restore them if needed.
The problem is valid since 6.2 until current master.
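The caching behaviour described in this ticket, next to the suggested fix of storing the validation results in the cache, as an added example that is not part of the original ticket and is not Extbase's own code. It is a simplified model; the class names Blog, CachingValidator and ResultRestoringValidator are hypothetical.

```php
<?php
// Simplified model of the reported behaviour; hypothetical classes, not Extbase code.
final class Blog
{
    public $title;
    public function __construct(string $title) { $this->title = $title; }
}

class CachingValidator
{
    protected $seen; // instances already validated in this request

    public function __construct() { $this->seen = new SplObjectStorage(); }

    /** Returns the list of validation error messages for $object. */
    public function validate(Blog $object): array
    {
        if (isset($this->seen[$object])) {
            return []; // flaw: a cache hit reports "no errors" instead of the earlier result
        }
        $this->seen[$object] = null;
        return $this->check($object);
    }

    protected function check(Blog $object): array
    {
        return $object->title === '' ? ['title must not be empty'] : [];
    }
}

class ResultRestoringValidator extends CachingValidator
{
    public function validate(Blog $object): array
    {
        if (!isset($this->seen[$object])) {
            $this->seen[$object] = $this->check($object); // store the result with the instance
        }
        return $this->seen[$object]; // restore it on every later call
    }
}

$blog = new Blog(''); // constructed invalid object
foreach ([new CachingValidator(), new ResultRestoringValidator()] as $validator) {
    $first = $validator->validate($blog);  // e.g. reached as a child of $param1
    $second = $validator->validate($blog); // e.g. validated again as $param2
    printf("%s: first=%d error(s), second=%d error(s)\n",
        get_class($validator), count($first), count($second));
}
```

With the first validator, the second call on the same instance comes back without errors even though the object is still invalid; the second validator returns the stored errors both times.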
[TASK] Add functional test for extbase validation caching
The tests demonstrate the issue described in the ticket is not present anymore.
Reviewed-by: Christian Kuhn <email@example.com>
Tested-by: Christian Kuhn <firstname.lastname@example.org>
Tested-by: TYPO3com <email@example.com>
Reviewed-by: Anja Leichsenring <firstname.lastname@example.org>
Tested-by: Anja Leichsenring <email@example.com>
#4 Updated by Bernhard Kraft over 3 years ago
I would suggest an alternate solution. I can currently not run the functional unit tests you created because I am working on a machine running PHP5 and PHP7 is required. But in my setup this solution works for a problem similar to those described by you.
In fact the problem is buried in how the "GenericObjectValidator" gets instanced from within "ValidatorResolver". There only one instance is created for each type (class) of objects.
So if you have multiple "Blog" instances passed to your controller, or have multiple "Blog" objects in some kind of object structure the described problems will occur.
My solution is to have a "$this->resultStack" in GenericObjectValidator.