Issue #2699489 by catch, tim.plunkett: FormBuilder $ajax_form_request check...

Issue #2699489 by catch, tim.plunkett: FormBuilder $ajax_form_request check does not check which AJAX form is being requested

Issue #2699489 by catch, tim.plunkett: FormBuilder $ajax_form_request check...
Issue #2699489 by catch, tim.plunkett: FormBuilder $ajax_form_request check does not check which AJAX form is being requested
8c22ddf5 · alexpott · db7834de · 8c22ddf5 · 8c22ddf5
Commit 8c22ddf5 authored Oct 11, 2016 by alexpott
Showing with 27 additions and 2 deletions

core/lib/Drupal/Core/Form/FormBuilder.php core/lib/Drupal/Core/Form/FormBuilder.php +4 -2

core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php +23 -0

No files found.
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -316,7 +316,7 @@ public function buildForm($form_id, FormStateInterface &$form_state) {
    // In case the post request exceeds the configured allowed size
    // (post_max_size), the post request is potentially broken. Add some
    // protection against that and at the same time have a nice error message.
-    if ($ajax_form_request && !isset($form_state->getUserInput()['form_id'])) {
+    if ($ajax_form_request && !$request->request->has('form_id')) {
      throw new BrokenPostRequestException($this->getFileUploadMaxSize());
    }

@@ -327,7 +327,9 @@ public function buildForm($form_id, FormStateInterface &$form_state) {
    // then passed through
    // \Drupal\Core\Form\FormAjaxResponseBuilderInterface::buildResponse() to
    // build a proper AJAX response.
-    if ($ajax_form_request && $form_state->isProcessingInput()) {
+    // Only do this when the form ID matches, since there is no guarantee from
+    // $ajax_form_request that it's an AJAX request for this particular form.
+    if ($ajax_form_request && $form_state->isProcessingInput() && $request->request->get('form_id') == $form_id) {
      throw new FormAjaxException($form, $form_state);
    }


--- a/core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
+++ b/core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
@@ -568,6 +568,29 @@ public function testExceededFileSize() {
    $this->formBuilder->buildForm($form_arg, $form_state);
  }

+  /**
+   * @covers ::buildForm
+   */
+  public function testGetPostAjaxRequest() {
+    $request = new Request([FormBuilderInterface::AJAX_FORM_REQUEST => TRUE], ['form_id' => 'different_form_id']);
+    $request->setMethod('POST');
+    $this->requestStack->push($request);
+
+    $form_state = (new FormState())
+      ->setUserInput([FormBuilderInterface::AJAX_FORM_REQUEST => TRUE])
+      ->setMethod('get')
+      ->setAlwaysProcess()
+      ->disableRedirect()
+      ->set('ajax', TRUE);
+
+    $form_id = '\Drupal\Tests\Core\Form\TestForm';
+    $expected_form = (new TestForm())->buildForm([], $form_state);
+
+    $form = $this->formBuilder->buildForm($form_id, $form_state);
+    $this->assertFormElement($expected_form, $form, 'test');
+    $this->assertSame('test-form', $form['#id']);
+  }
+
  /**
   * @covers ::buildForm
   *