symfony: [RFC][Form] a fully disabled form should not pass isValid()

Symfony version(s) affected: 4.0

Description
I’m implementing a brute force protection for my login/register etc. forms. I have a “soft threshold” (CAPTCHA needed) and a “hard threshold” (no further interaction is allowed).

To achieve the latter, I’ve set disabled: true on the form itself. This works as I’d have expect, fully disabling the form for user interaction while rendered in the browser.

What I did not expect was that now, since there are no types being considered, the form suddenly becomes valid and passes any validations, it even claims it’s been submitted (but this shouldn’t even be possible with a fully disabled form).

It seems to me disabling the root form object should mean it’s not considered submitted / valid.

How to reproduce

Create a form with a validator, submit to confirm it fails. Now change to disabled: true and submit again. Now it suddenly passes validation even though the form is disabled and shouldn’t work at all.

Possible Solution
Perhaps isSubmitted(): false if disabled: true?

About this issue

Original URL
State: open
Created 6 years ago
Reactions: 5
Comments: 26 (24 by maintainers)

Commits related to this issue

feature #33381 [Form] dispatch submit events for disabled forms too (xabbuh) This PR was merged into the 5.2-dev branch. Discussion ---------- [Form] dispatch submit events for disabled forms too ... — committed to symfony/symfony by fabpot 4 years ago

Most upvoted comments

Whatever his implementation is, the question is this:

if a form is disabled server-side
AND the disabled property is removed client-side
AND the form is submitted anyway

THEN isValid() SHOULD be false while it seems currently it is true.

Aerendir on May 14, 2018

@HeahDude @stof @yceruto and me discussed this yesterday at the hackathon. I think we now better understand what is going on here and this indeed looks like a bug. I created a small example which allowed me to reproduce it. I am working on a fix now.

xabbuh on Apr 8, 2019

Usually I try to ask for a reproducible example application. I am sure that would have made things clear immediately. Sorry for not asking here.

xabbuh on Apr 8, 2019

I’m agree that according to this comment in isDisabled() method: https://github.com/symfony/symfony/blob/0d365a8c7fa0ef8822625d7ff4b5c725dfd07169/src/Symfony/Component/Form/FormInterface.php#L240-L241

The next check in isValid() is contradictory: https://github.com/symfony/symfony/blob/0d365a8c7fa0ef8822625d7ff4b5c725dfd07169/src/Symfony/Component/Form/Form.php#L746-L748

We all agree with that? Can we just return false here (bugfix)?

yceruto on Aug 29, 2019

@xabbuh can you point out which part specifically wasn’t clear enough before the discussion?

I was pretty sure it was communicated clearly already, but if not, I’m alway happy to learn what I could have communicated better to begin with. 😄

dkarlovi on Apr 8, 2019

Only when form was modified

ostrolucky on Apr 7, 2019

I agree on the general point: a disabled form should never pass any check as I decided it is disabled.

This told, I think also that is technically possible to submit a disabled form: as @ostrolucky pointed out, it is sufficient to remove the disabled property from the form (for example via the Chrome Dev Console) and the form can be submitted again.

Now the question is: how to handle such a situation?

I think, as @ostrolucky told, that the form is technically submitted, so the isSubmitted() method should return true.

Also tru is that the form was disabled, so it is not valid.

So, I think, isSubmitted() should return true while maybe isValid() should check for disabled and return false if the form was disabled when submitted.

Aerendir on May 14, 2018

Yes, I think root object being disabled should be a special case, you can’t submit a disabled form, hence the request should be considered invalid.

dkarlovi on May 10, 2018