
Bug #77338

Updated by Bernhard Kraft over 7 years ago


 In the @\TYPO3\CMS\Extbase\Validation\Validator\GenericObjectValidator@ there is a cache for already validated object instances (@validatedInstancesContainer@). 

 This makes total sense but there is a big flaw in the concept: the validation results are not restored. This causes a problem in these scenarios: 

 h3. Action forwarding with @ignorevalidation 

 Imagine you have an @action1()@ and a @$property1@. 

 @action1()@ has an @@ignorevalidation@ annotation for @$property1@ and forwards to @action2()@. 

 @action2()@ has no @@ignorevalidation@ annotation, but validation errors for @$property1@ are still ignored because the cache in the GenericObjectValidator is not reset and the previous validation results are not loaded. 

 This allows the user to pass invalid data to @action2()@. 

 h3. Object relations 

 The second scenario would be the following. You have two method arguments @$param1@ and @$param2@. 

 @$param1@ has a relation to @$param2@ and because child objects are validated you get the proper validation errors for @$param1.$param2@. 

 But you won't get any validation errors for your @$param2@ controller argument because of the cache. 

 This is problematic in two ways: 

 # If @$param1@ has an @@ignorevalidation@ annotation, the user can submit invalid data to your action 
 # You cannot display any validation errors in your form for @$param2@ 

 My suggestion to solve this is to store the validation results in the cache as well and restore them if needed. 

 The problem has been present from 6.2 up to current master. 
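
The object-relations scenario above as a simplified model (an added example, not TYPO3 code and not part of the original report). @CachingValidator@, @Person@, @Address@ and the @$restoreResults@ switch are hypothetical names; the switch contrasts an instance cache that answers a hit with an empty result against one that stores and restores the results, as suggested.

```php
<?php
// Simplified model of an instance cache in an object validator.
// Hypothetical classes for illustration; this is not the Extbase implementation.
final class Address { public string $zip = ''; }
final class Person
{
    public function __construct(public Address $address) {}
}

final class CachingValidator
{
    private SplObjectStorage $seen; // validated instance => errors recorded for it

    public function __construct(private bool $restoreResults)
    {
        $this->seen = new SplObjectStorage();
    }

    /** @return string[] validation errors for $object, child objects included */
    public function validate(object $object): array
    {
        if ($this->seen->offsetExists($object)) {
            // Flawed variant: a cache hit is answered with an empty result.
            // Suggested variant: the errors from the first pass are restored.
            return $this->restoreResults ? $this->seen[$object] : [];
        }
        $this->seen[$object] = []; // mark before descending so cycles terminate
        $errors = [];
        if ($object instanceof Address && !preg_match('/^\d{5}$/', $object->zip)) {
            $errors[] = 'zip: must be five digits';
        }
        if ($object instanceof Person) {
            foreach ($this->validate($object->address) as $childError) {
                $errors[] = 'address.' . $childError;
            }
        }
        $this->seen[$object] = $errors;
        return $errors;
    }
}

// Constructed input: $person plays $param1, $address plays $param2.
$address = new Address();
$address->zip = 'not-a-zip';
$person = new Person($address);

foreach ([false, true] as $restore) {
    $validator = new CachingValidator($restore);
    $forParam1 = $validator->validate($person);  // validates the child as well
    $forParam2 = $validator->validate($address); // same instance, now a cache hit
    printf("restore=%s param1=%d param2=%d\n", var_export($restore, true), count($forParam1), count($forParam2));
}
```

Comparing the two printed lines shows the difference: only the variant that restores stored results reports the invalid @zip@ when the same instance is validated again as its own argument.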
