Contrib.social

Honeypot fields not filled in WebformSubmissionForm::validateFormValues

Open on Drupal.org β†’
Created on 14 June 2023, about 1 year ago
Updated 8 April 2024, 3 months ago

Problem/Motivation

Honeypot fields are not correctly validated when using the combination of modules webform, honeypot and webform_rest. This has already been reported in webform_rest#3036145 ✨ Support Honeypot Active ).

The Honeypot module adds a hidden field "homepage" that is meant to fail validation when it has been filled by the user.

webform_rest uses WebformSubmissionForm::validateFormValues() to verify everything is fine, but a filled honeypot homepage field does not fail validation - although it should.

Problem cause

When using WebformSubmissionForm::validateFormValues(), the form field values that are used for validation are ultimately filled from $element['#default_value'] in FormBuilder::handleInputElement().
Honeypot elements do not have that #default_value set.

#default_value of form elements is filled by WebformSubmissionForm::populateElements().
When populateElements() is called by WebformSubmissionForm::buildForm() (via EntityForm::buildForm() and WebformSubmissionForm::form()), the honeypot fields have not yet been added to the form.

The honeypot fields are only later added in WebformSubmissionForm::buildForm() when thirdPartySettingsManager->alter() is called.
Also, the WebformSubmission instance with the input data is not passed to WebformThirdPartySettingsManager::alter(), so ultimately honeypot does not have the possibility to fill the default value for its fields.

Steps to reproduce

  1. Install webform, webform_rest and honeypot modules
  2. Create webform
  3. Enable honeypot fields in webform
  4. Submit webform via webform_rest while having the honeypot "homepage" field filled
  5. Validation should fail but does not

Proposed resolution

$webform_submission should be passed on to the third party settings manager and then ultimately to honeypot.

πŸ› Bug report
Status

Active

Version

6.2

Component

Code

Created by

πŸ‡©πŸ‡ͺGermany cweiske

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @cweiske
  • Status changed to Closed: won't fix about 1 year ago
  • Comment about 1 year ago β†’
    πŸ‡©πŸ‡ͺGermany cweiske

    It seems that it is possible to fetch the input values via $form_state->getFormObject()->getEntity()->data, so honeypot can set the default values itself.
    This bug is invalid then.

  • Status changed to Active about 1 year ago
  • Comment about 1 year ago β†’
    πŸ‡©πŸ‡ͺGermany cweiske

    My patch for honeypot πŸ› homepage field not filled in WebformSubmissionForm::validateFormValues Closed: works as designed that sets #default_value when a webform_submission is available was rejected with the justifiction that honeypot uses the Form API correctly, which I understand.

    Now there is the problem that webform expects the input in #default_value for programmatic submissions via WebformSubmissionForm::submitFormValues(), but honeypot fields do not provide them.

    The only solution I see is that honeypot_webform_submission_form_alter modifies the honeypot fields after they have been added to the form by honeypot and adds the #default_value when necessary.

    Is that evaluation correct? Or is there a better way?

  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States jrockowitz Brooklyn, NY
contrib.social Blog FAQ Discussions
Production build 0.69.0 2024