Plugin: Howto skip/adjust config filter? #5890

Closed
ThaDafinser opened this issue Jul 28, 2014 · 10 comments
Labels
Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

Comments

@ThaDafinser
Contributor

I have a configuration for a plugin (release soon)...

But how can I skip the input/output filter?

Converting e.g. & to &amp; destroys the valid LDAP filter...

<?php
namespace Piwik\Plugins\LdapVisitorInfo;

use Piwik\Settings\SystemSetting;
use Piwik\Settings\Setting;

class Settings extends \Piwik\Plugin\Settings
{

    protected function init()
    {
        $setting = new SystemSetting('searchFilter', 'LDAP search filter');
        $setting->type = self::TYPE_STRING;
        $setting->defaultValue = '(&(objectclass=user)(samAccountName=%s))';
        $setting->inlineHelp = 'Search for username: "(&(objectclass=user)(samAccountName=%s))". Search for E-Mail (&(objectclass=user)(mail=%s))';
        $setting->transform = function ($value, Setting $setting)
        {
            return (string) $value;
        };
        $setting->validate = function ($value, Setting $setting)
        {};

        $this->addSetting($setting);
    }
}

@ThaDafinser ThaDafinser changed the title Plugin: Howto skip config filter? Plugin: Howto skip/adjust config filter? Jul 28, 2014
@mattab mattab added the Task label Aug 3, 2014
@mattab mattab added this to the Short term milestone Aug 3, 2014
@tsteur
Member

tsteur commented Aug 4, 2014

I am pretty sure your code is already skipping the input / output filter. The "problem" is in the CoreAdminHome controller, which passes the value like this to the settings API; see https://github.com/piwik/piwik/blob/master/plugins/CoreAdminHome/Controller.php#L160

It uses Common::getRequestVar() to get the sent value, which will most likely already change it to &amp;. This is kinda on purpose for security reasons, I reckon. Not sure what the best solution would be @mattab

@mattab
Member

mattab commented Aug 4, 2014

@tsteur maybe it would work to get the raw value via Common::unsanitizeInputValue? It does a htmlspecialchars_decode($value, self::HTML_ENCODING_QUOTE_STYLE);

@ThaDafinser
Contributor Author

"Auto" security is always a problem IMO... see what happened to magic_quotes...

I like the ZF2 way...define the filter/validators per default for each input type:
https://github.com/zendframework/zf2/blob/master/library/Zend/Form/Element/Email.php#L127-L139
https://github.com/zendframework/zf2/blob/master/library/Zend/Form/Element/DateTime.php#L183-L193

Then you can override it for each element if you want.

@tsteur
Member

tsteur commented Aug 5, 2014

I was rather concerned about changing it now regarding breaking the API. The settings APIs might already be used in some plugins out there which maybe rely on this. It still makes sense to fix it though, so it should be OK if we announce it, maybe even upfront or so.

@ThaDafinser
Contributor Author

@tsteur it can be a BC break, but it doesn't have to be.
If you do it like in the links I provided above, then you can per default define the filter / validators like they work today.

@tsteur
Member

tsteur commented Aug 5, 2014

That's a great idea, @ThaDafinser. Didn't think of that. I implemented it like this and then noticed it makes sense to actually pass the unmodified value to the settings, as it otherwise just results in more problems. Think for instance of the control "password", where we should not change the value at all. Also, the default validator which is used if $availableValues will only work correctly in all cases if we do not alter the input. Otherwise we would show an error if an available value contains for instance & although the user chose an available value.

@mattab
Member

mattab commented Aug 5, 2014

Nice @tsteur!

@ThaDafinser feel free to close the ticket if the new code works for you. Thanks for reporting!

@ThaDafinser
Contributor Author

@tsteur @mattab just grabbed the master and it works fine for me.

@ThaDafinser
Contributor Author

Thx for the quick fix again :)
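
The behaviour discussed in this thread, as an added example that is not part of the original issue and not Piwik's code: entity-encoding a request value at input time corrupts the LDAP filter, while keeping the raw value, validating it per setting, and encoding only at output keeps it intact. All function names are hypothetical, `ENT_QUOTES` stands in for Piwik's `HTML_ENCODING_QUOTE_STYLE` (whose value is not shown in the thread), and the login name is constructed.

```php
<?php
// Added example, not Piwik code. Function names are hypothetical.

// Input-time sanitizing as described in the thread: every request value is entity-encoded.
function sanitizeAtInput(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Per-setting validator: exactly one %s placeholder and balanced parentheses.
function validateLdapFilterTemplate(string $value): void
{
    if (substr_count($value, '%s') !== 1) {
        throw new InvalidArgumentException('Filter needs exactly one %s placeholder');
    }
    $depth = 0;
    foreach (str_split($value) as $ch) {
        if ($ch === '(') { $depth++; }
        if ($ch === ')' && --$depth < 0) { break; }   // closing paren without an opener
    }
    if ($depth !== 0 || $value[0] !== '(') {
        throw new InvalidArgumentException('Unbalanced parentheses in LDAP filter');
    }
}

// RFC 4515 escaping for the value substituted into the filter template.
function escapeFilterValue(string $v): string
{
    return strtr($v, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
}

$raw = '(&(objectclass=user)(samAccountName=%s))';   // value typed into the settings form

// Encoding at input: the & becomes an entity, so an LDAP server would reject the stored filter.
$mangled = sanitizeAtInput($raw);
echo $mangled, "\n";

// The decode workaround suggested in the thread restores the original string.
var_dump(htmlspecialchars_decode($mangled, ENT_QUOTES) === $raw);

// Raw value kept as-is: it passes its own validator and is usable as a filter.
validateLdapFilterTemplate($raw);
$login = 'j.doe)(uid=*';                             // constructed hostile login name
echo str_replace('%s', escapeFilterValue($login), $raw), "\n";

// HTML encoding happens only when the setting is rendered into a page.
echo '<input value="', htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), '">', "\n";
```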
