[TASK] Check if given validators from user input is same is set in th…

…e TypoScript configuration

This ensures, that it's not possible any more to give any validation string to the eID script for any field. Now it's checked if the given validators for the field are configured in the TypoScript. To handle this, now the tt_content.uid is also passed to the eID script. So there is s check which view is selected in the plugin and that make the decission which validation should be used.
If there is a change in the validation data-attribute (e.g. by browserconsole) or if someone directly wants to check if there is already a field filled in database from any field in fe_users, the message "Error: Field could not be validated" will be returned before any other clientside check will be validated.

Related: https://projekte.in2code.de/issues/32500

.gitignore

@@ -13,3 +13,4 @@ Thumbs.db
 .sass-cache
 .Build
 composer.lock
+package-lock.json

Classes/Controller/AbstractController.php

@@ -343,7 +343,8 @@ public function assignForAll()
             [
                 'languageUid' => FrontendUtility::getFrontendLanguageUid(),
                 'storagePid' => $this->allConfig['persistence']['storagePid'],
-                'Pid' => FrontendUtility::getCurrentPid()
+                'Pid' => FrontendUtility::getCurrentPid(),
+                'data' => $this->contentObject->data
             ]
         );
     }

Classes/Controller/UserController.php

@@ -87,14 +87,18 @@ public function imageDeleteAction(User $user)
      * @param string $field Fieldname like "username" or "email"
      * @param User $user Existing User
      * @param string $additionalValue Additional Values
+     * @param int $plugin tt_content.uid of the femanager plugin
+     * @param string $action current action name
      * @return void
      */
     public function validateAction(
         $validation = null,
         $value = null,
         $field = null,
         User $user = null,
-        $additionalValue = ''
+        $additionalValue = '',
+        int $plugin = 0,
+        string $action = ''
     ) {
         $clientsideValidator = $this->objectManager->get(ClientsideValidator::class);
         $result = $clientsideValidator
@@ -103,6 +107,8 @@ public function validateAction(
             ->setFieldName($field)
             ->setUser($user)
             ->setAdditionalValue($additionalValue)
+            ->setPlugin($plugin)
+            ->setActionName($action)
             ->validateField();
 
         $this->view->assignMultiple(

Classes/Domain/Repository/PluginRepository.php

@@ -3,6 +3,7 @@
 namespace In2code\Femanager\Domain\Repository;
 
 use In2code\Femanager\Utility\ObjectUtility;
+use TYPO3\CMS\Extbase\Service\FlexFormService;
 
 /**
  * Class PluginRepository
@@ -21,6 +22,22 @@ class PluginRepository
             . 'Invitation->update;Invitation->delete;Invitation->status;',
     ];
 
+    /**
+     * @param int $contentIdentifier
+     * @return string
+     */
+    public function getControllerNameByPluginSettings(int $contentIdentifier): string
+    {
+        $queryBuilder = ObjectUtility::getQueryBuilder(self::TABLE_NAME);
+        $flexForm = (string)$queryBuilder
+            ->select('pi_flexform')
+            ->from(self::TABLE_NAME)
+            ->where('uid=' . (int)$contentIdentifier)
+            ->execute()
+            ->fetchColumn(0);
+        return $this->getViewFromFlexForm($flexForm);
+    }
+
     /**
      * @param string $view can be "new", "edit" or "invitation"
      * @param int $pageIdentifier
@@ -43,6 +60,22 @@ public function isPluginWithViewOnGivenPage(string $view, int $pageIdentifier):
         return false;
     }
 
+    /**
+     * @param string $flexForm
+     * @return string
+     */
+    protected function getViewFromFlexForm(string $flexForm): string
+    {
+        $view = '';
+        $flexFormService = ObjectUtility::getObjectManager()->get(FlexFormService::class);
+        $settings = $flexFormService->convertFlexFormContentToArray($flexForm);
+        if (!empty($settings['switchableControllerActions'])
+            && in_array($settings['switchableControllerActions'], $this->scaString)) {
+            $view = array_search($settings['switchableControllerActions'], $this->scaString);
+        }
+        return $view;
+    }
+
     /**
      * @param string $view
      * @param string $pluginConfiguration

Classes/Domain/Service/ValidationSettingsService.php

@@ -63,11 +63,13 @@ public function getValidationStringForField(string $fieldName): string
     {
         $string = '';
         $validationSettings = $this->getSettings()[$this->controllerName][$this->validationName][$fieldName];
-        foreach ($validationSettings as $validation => $configuration) {
-            if (!empty($string)) {
-                $string .= ',';
+        if (is_array($validationSettings)) {
+            foreach ($validationSettings as $validation => $configuration) {
+                if (!empty($string)) {
+                    $string .= ',';
+                }
+                $string .= $this->getSingleValidationString($validation, $configuration);
             }
-            $string .= $this->getSingleValidationString($validation, $configuration);
         }
         return $string;
     }
@@ -105,7 +107,7 @@ protected function getSingleValidationString($validation, $configuration)
      * @param string $validation
      * @return bool
      */
-    protected function isSimpleValidation($validation)
+    protected function isSimpleValidation($validation): bool
     {
         if (in_array($validation, $this->simpleValidations)) {
             return true;

Classes/Domain/Validator/ClientsideValidator.php

@@ -3,6 +3,9 @@
 namespace In2code\Femanager\Domain\Validator;
 
 use In2code\Femanager\Domain\Model\User;
+use In2code\Femanager\Domain\Repository\PluginRepository;
+use In2code\Femanager\Domain\Service\ValidationSettingsService;
+use In2code\Femanager\Utility\ObjectUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use In2code\Femanager\Utility\LocalizationUtility;
 use In2code\Femanager\Utility\StringUtility;
@@ -59,17 +62,29 @@ class ClientsideValidator extends AbstractValidator
      */
     protected $additionalValue;
 
+    /**
+     * @var int
+     */
+    protected $plugin = 0;
+
+    /**
+     * @var string
+     */
+    protected $actionName = '';
+
     /**
      * Validate Field
      *
      * @return bool
      */
     public function validateField()
     {
-        $validationSettings = GeneralUtility::trimExplode(',', $this->validationSettingsString, true);
-        $validationSettings = str_replace('|', ',', $validationSettings);
+        if ($this->isValidationSettingsDifferentToGlobalSettings()) {
+            $this->addMessage('validationErrorGeneral');
+            return false;
+        }
 
-        foreach ($validationSettings as $validationSetting) {
+        foreach ($this->getValidationSettings() as $validationSetting) {
             switch ($validationSetting) {
                 case 'required':
                     if (!$this->validateRequired($this->getValue())) {
@@ -193,10 +208,9 @@ public function validateField()
                     $mainSetting = StringUtility::getValuesBeforeBrackets($validationSetting);
                     if (method_exists($this, 'validate' . ucfirst($mainSetting))) {
                         if (!$this->{'validate' . ucfirst($mainSetting)}(
-                                $this->getValue(),
-                                StringUtility::getValuesInBrackets($validationSetting)
-                            )
-                        ) {
+                            $this->getValue(),
+                            StringUtility::getValuesInBrackets($validationSetting)
+                        )) {
                             $this->addMessage('validationError' . ucfirst($mainSetting));
                             $this->isValid = false;
                         }
@@ -207,6 +221,18 @@ public function validateField()
         return $this->isValid;
     }
 
+    /**
+     * This function checks the given validation string from user input against settings in TypoScript. If both strings
+     * do not match, it could be possible that there is a manipulation. In this case, we stop validation and return a
+     * global error message
+     *
+     * @return bool
+     */
+    protected function isValidationSettingsDifferentToGlobalSettings(): bool
+    {
+        return $this->getValidationSettingsString() !== $this->getValidationSettingsFromTypoScript();
+    }
+
     /**
      * Set validation
      *
@@ -220,15 +246,37 @@ public function setValidationSettingsString($validationSettingsString)
     }
 
     /**
-     * Get validation
-     *
      * @return string
      */
     public function getValidationSettingsString()
     {
         return $this->validationSettingsString;
     }
 
+    /**
+     * @return string
+     */
+    public function getValidationSettingsFromTypoScript(): string
+    {
+        $controllerName = $this->getControllerName();
+        $validationService = ObjectUtility::getObjectManager()->get(
+            ValidationSettingsService::class,
+            $controllerName,
+            $this->getValidationName()
+        );
+        return $validationService->getValidationStringForField($this->fieldName);
+    }
+
+    /**
+     * @return array
+     */
+    protected function getValidationSettings(): array
+    {
+        $validationSettings = GeneralUtility::trimExplode(',', $this->validationSettingsString, true);
+        $validationSettings = str_replace('|', ',', $validationSettings);
+        return $validationSettings;
+    }
+
     /**
      * @param string $value
      * @return ClientsideValidator
@@ -330,6 +378,64 @@ public function getAdditionalValue()
         return $this->additionalValue;
     }
 
+    /**
+     * @return int
+     */
+    public function getPlugin(): int
+    {
+        return $this->plugin;
+    }
+
+    /**
+     * @param int $plugin
+     * @return ClientsideValidator
+     */
+    public function setPlugin(int $plugin)
+    {
+        $this->plugin = $plugin;
+        return $this;
+    }
+
+    /**
+     * @return string
+     */
+    public function getActionName(): string
+    {
+        return $this->actionName;
+    }
+
+    /**
+     * @param string $actionName
+     * @return ClientsideValidator
+     */
+    public function setActionName(string $actionName)
+    {
+        $this->actionName = $actionName;
+        return $this;
+    }
+
+    /**
+     * @return string
+     */
+    protected function getValidationName(): string
+    {
+        $validationName = 'validation';
+        if ($this->getControllerName() === 'invitation' && $this->getActionName() === 'edit') {
+            $validationName = 'validationEdit';
+        }
+        return $validationName;
+    }
+
+    /**
+     * @return string
+     */
+    protected function getControllerName(): string
+    {
+        $pluginRepository = ObjectUtility::getObjectManager()->get(PluginRepository::class);
+        $controllerName = $pluginRepository->getControllerNameByPluginSettings($this->getPlugin());
+        return $controllerName;
+    }
+
     /**
      * @param mixed $value
      */

Resources/Private/JavaScript/Validation.js

@@ -84,7 +84,9 @@ jQuery.fn.femanagerValidation = function($) {
 	 * @return void
 	 */
 	function validateField(element, countForSubmit) {
-		var user = element.closest('form').find('div:first').find('input[name="tx_femanager_pi1[user][__identity]"]').val();
+		var $form = element.closest('form');
+		var user = $form.find('div:first').find('input[name="tx_femanager_pi1[user][__identity]"]').val();
+		var action = $form.find('div:first').find('input[name="tx_femanager_pi1[__referrer][@action]"]').val();
 		var url = Femanager.getBaseUrl() + 'index.php' + '?eID=' + 'femanagerValidate';
 		var validations = getValidations(element);
 		var elementValue = element.val();
@@ -110,6 +112,8 @@ jQuery.fn.femanagerValidation = function($) {
 				'tx_femanager_pi1[field]': getFieldName(element),
 				'tx_femanager_pi1[user]': (user !== undefined ? user : ''),
 				'tx_femanager_pi1[additionalValue]=': (additionalValue ? additionalValue : ''),
+				'tx_femanager_pi1[plugin]=': $form.data('femanager-plugin'),
+				'tx_femanager_pi1[action]=': action,
 				'storagePid': $('#femanagerStoragePid').val(),
 				'L': $('#femanagerLanguage').val(),
 				'id': $('#femanagerPid').val()

Resources/Private/Language/locallang.xlf

@@ -245,6 +245,9 @@
 			<trans-unit id="validationErrorCaptcha">
 				<source>Wrong Captcha code</source>
 			</trans-unit>
+			<trans-unit id="validationErrorGeneral">
+				<source>Field could not be validated</source>
+			</trans-unit>
 
 			<trans-unit id="emailCreateAdminConfirmationSubject">
 				<source>Please confirm a new registration</source>

Resources/Private/Templates/Edit/Edit.html

@@ -19,6 +19,7 @@
 							object="{user}"
 							action="update"
 							enctype="multipart/form-data"
+							additionalAttributes="{data-femanager-plugin:data.uid}"
 							class="form-horizontal {f:if(condition:'{settings.edit.validation._enable.client}',then:'feManagerValidation',else:'')}">
 						<fieldset>
 							<legend>

Resources/Private/Templates/Invitation/Edit.html

@@ -12,7 +12,12 @@
 
 	<div class="femanager_invitation_edit">
 		<f:if condition="{user}">
-			<f:form name="user" object="{user}" action="update" class="form-horizontal {f:if(condition:'{settings.invitation.validation._enable.client}',then:'feManagerValidation',else:'')}">
+			<f:form
+					name="user"
+					object="{user}"
+					action="update"
+					additionalAttributes="{data-femanager-plugin:data.uid}"
+					class="form-horizontal {f:if(condition:'{settings.invitation.validation._enable.client}',then:'feManagerValidation',else:'')}">
 				<fieldset>
 					<legend>
 						<f:translate key="titleInvitationSetPassword" />

Resources/Private/Templates/Invitation/New.html

@@ -14,7 +14,12 @@
 	<f:render partial="Misc/FormErrors" arguments="{object:User}" />
 
 	<div class="femanager_invitation_new">
-		<f:form name="user" object="{user}" action="create" class="form-horizontal {f:if(condition:'{settings.invitation.validation._enable.client}',then:'feManagerValidation',else:'')}">
+		<f:form
+				name="user"
+				object="{user}"
+				action="create"
+				additionalAttributes="{data-femanager-plugin:data.uid}"
+				class="form-horizontal {f:if(condition:'{settings.invitation.validation._enable.client}',then:'feManagerValidation',else:'')}">
 			<fieldset>
 				<legend>
 					<f:translate key="titleInvitationProfile" />

Resources/Private/Templates/New/New.html

@@ -16,6 +16,7 @@
 				object="{user}"
 				action="create"
 				enctype="multipart/form-data"
+				additionalAttributes="{data-femanager-plugin:data.uid}"
 				class="form-horizontal {f:if(condition:'{settings.new.validation._enable.client}',then:'feManagerValidation',else:'')}">
 			<fieldset>
 				<legend>