[drupal-devel] Rewriting use of forms in Drupal

Gerhard Killesreiter killesreiter at physik.uni-freiburg.de
Fri Jun 3 09:23:25 UTC 2005

Hi there!

What follows is a proposal I sent to Dries before the security releases
were made. Since it hinted at the possibility of flaws in our current
way of handling forms I didn't want to make it available for public
viewing at that time. There are probably still errors in some forms, but
the most serious exploits should be fixed now. Although the proposal is
geared towards node forms, it could be easily extended for other forms.

Feedback would be appreciated.

Instead of

$output .= form_textfield(t('Title'), 'title', $edit->title, 60, 128, NULL, NULL, TRUE);

we'd write

$output['title'] = array('type' => 'textfield',
                         'title' => t('Title'),
                         'name' => 'title',
                         'value' => $edit->title,
                         'size' => 60,
                         'maxlength' => 128,
                         'description' => NULL,
                         'attributes' => NULL,
                         'required' => TRUE);

(We could add a 'group' element to indicate elements that should be
grouped together, also a weight).

Only in form() itself we'd generate the html. form() should be a
themable function.

What would that buy us?

a) Easier value checking.

In _validate we would then build the form a second time to check that
all the fields still have the type and value they are supposed to have.

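foreach ($form_elements as $name => $value) {
  switch ($value['type']) {
    case 'textfield':
      // Submitted value must be a string.
      if (!is_string($edit[$name])) { /* reject */ }
      // A required field must not come back empty.
      if (empty($edit[$name]) && $value['required']) { /* reject */ }
      break;
    case 'textarea':
      // ...
  }
}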

(special checks such as "authored by" can be done here, possibly add
another hook to get cleaner code)

This would eliminate form problems such as the ones we are fixing in the
bugfix release. Currently, a malicious user could try to spoof some of
the fields (I am unsure with what kind of success).

b) easier re-ordering of forms by modules and themes.
   Example: I'd like to add a description field to uploads uploaded
            through upload.module. I can do that through nodeapi(form
            post), but if I have three upload fields all my three
            description fields would appear after the three file
            selectors. If the existing form array would be passed around
            in "form post" I could add my fields in between.

I think that Chris' ideas of nicer admin screens (with all their
possible flaws) also require such a reorganization.
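
The validation pass proposed under (a), carried through as an added example that is not part of the original message and is not Drupal's own code: the submission is checked against the declared form array, so undeclared fields, wrong types and values that were never offered are all reported. The function name validate_against_definition, the 'options' key, the 'select' type and the sample data are assumptions made for illustration.

```php
<?php
// Hypothetical helper: check a submission against the declared form array.
// Returns a list of error strings; an empty list means the submission matches.
function validate_against_definition(array $form, array $edit): array {
  $errors = [];
  // Fields the form never declared are spoofed input: report them, never process them.
  foreach (array_diff_key($edit, $form) as $name => $ignored) {
    $errors[] = "$name: field is not part of this form";
  }
  foreach ($form as $name => $element) {
    $value = $edit[$name] ?? null;
    if ($value === null || $value === '') {
      // Compare against '' explicitly: empty() would also reject the string "0".
      if (!empty($element['required'])) {
        $errors[] = "$name: required field is missing";
      }
      continue;
    }
    // A request such as title[]=x arrives as an array; these types expect a string.
    if (!is_string($value)) {
      $errors[] = "$name: expected a string, got " . gettype($value);
      continue;
    }
    switch ($element['type']) {
      case 'textfield':
        // maxlength in the HTML is only a browser hint; enforce it server-side.
        // strlen() counts bytes, which is the stricter bound for multi-byte text.
        if (isset($element['maxlength']) && strlen($value) > $element['maxlength']) {
          $errors[] = "$name: exceeds maxlength {$element['maxlength']}";
        }
        break;
      case 'select':
        // Only values that were offered in the form may come back.
        if (!array_key_exists($value, $element['options'])) {
          $errors[] = "$name: value was not one of the offered options";
        }
        break;
    }
  }
  return $errors;
}

// Constructed form definition and constructed hostile submission.
$form = [
  'title'  => ['type' => 'textfield', 'required' => TRUE, 'maxlength' => 128],
  'format' => ['type' => 'select', 'options' => [1 => 'Filtered HTML', 2 => 'PHP code']],
];
$edit = ['title' => ['x'], 'format' => '3', 'uid' => '1'];
print_r(validate_against_definition($form, $edit));
```

Because the same array drives both rendering and validation, a field added by a module is covered by these checks without a separate validation routine.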

