I have the following form:

    <form method="post" action="<?php echo $this->action('delete');?>">
    <?php
        $token = Loader::helper('validation/token');
        $token->output('delete_event');
        echo $form->hidden('id', $row['bID']);
        echo $form->submit(null, t('Delete'), array('class' => 'delete', 'onclick' => 'return false'));
    ?>
    </form>

and the controller method:

    public function action_delete() {
        if($this->authenticate() && $this->isAdmin()){
            $id = (int) $_POST['id'];
            $val = Loader::helper('validation/form');
            $val->addRequiredToken('delete_event');
            if($val->test() == 0){
                //delete from DB
            }
        }
    }

But for some reason the token does not get validated. Any insights?

The API docs are incorrect. You should test with if ($val->test()) {} as in Jake's example. Comparing it to 0 is essentially saying == false (false and 0 are both falsey), and if you look at the code, it returns true or false based on success or failure:

    return count($this->fieldsInvalid) == 0;

Though, now that I've also read mkly's post, he's right too. You don't need to check the token in a block action. However, it's important to remember the correct $val->test() usage in general.

James
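
The difference between the two checks discussed above, as an added example that is not part of the original posts and not concrete5's own code. `TokenCheckStub` and the sample token values are hypothetical stand-ins that only mirror the `return count($this->fieldsInvalid) == 0;` contract quoted in the answer:

```php
<?php
// Added example. TokenCheckStub is a hypothetical stand-in, not concrete5 code;
// its test() follows the return contract quoted in the answer.
final class TokenCheckStub
{
    private $fieldsInvalid = array();

    public function __construct($expected, $submitted)
    {
        // A missing or mismatched token marks the field invalid.
        if (!is_string($submitted) || !hash_equals($expected, $submitted)) {
            $this->fieldsInvalid[] = 'token';
        }
    }

    public function test()
    {
        return count($this->fieldsInvalid) == 0; // true when validation succeeds
    }
}

// Constructed sample requests (values are made up for this example).
$issued = 'constructed-sample-token';
$requests = array(
    'valid token'   => $issued,
    'wrong token'   => 'something-else',
    'missing token' => null,
);

foreach ($requests as $label => $submitted) {
    $val = new TokenCheckStub($issued, $submitted);

    // Check from the question: true == 0 is false, false == 0 is true,
    // so the delete branch is entered only when validation FAILED.
    $questionCheck = ($val->test() == 0);

    // Check from the answer: the delete branch requires a valid token.
    $answerCheck = (bool) $val->test();

    printf("%-13s | == 0 runs delete: %-3s | test() runs delete: %s\n",
        $label, $questionCheck ? 'yes' : 'no', $answerCheck ? 'yes' : 'no');
}
```

With the `== 0` form the delete branch is skipped for the valid token and entered for the wrong and missing ones, so the token check fails open rather than merely failing to validate.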