ESubDocumentValidator stopped working properly #192

Closed
kate-kate opened this issue Jan 18, 2014 · 13 comments

Comments

@kate-kate

Hi! After the last upgrade I found that some fields in my model were not being saved. I investigated this problem and found that the reason lay in ESubdocumentValidator. Everything started to work only after commenting out the following lines:

if($this->preserveKeys)
    $newFieldValue[$index] = $c->getRawDocument();
else
    $newFieldValue[] = $c->getRawDocument();

and of course changing $object->$attribute = $newFieldValue;
back to $object->$attribute = $fieldValue;

The symptoms of this bug (I think it's a bug) are the following: I had a very complex array for this attribute, like

$attribute = array('type'=>array('USD'=>array('UAH'=>array('course'=>8))));

and validator gave me back

$attribute = array('type'=>null);

@Sammaye
Owner

Sammaye commented Jan 18, 2014

I'll take a look thanks

@Sammaye
Owner

Sammaye commented Jan 20, 2014

Sorry for the delay. Can you show me a bit of your model code?

Enough to understand how you have set this up.

@kate-kate
Author

Like this? Here are the settings for validation for this attribute:

array(
    'currency_params',
    'subdocument',
    'type' => 'many',
    'rules' => array(
        array(
            'course',
            'numerical'
        )
    )
);

@Sammaye
Owner

Sammaye commented Jan 20, 2014

Hmm, there is no rule for type there; by default Yii will only set safe variables, i.e. those defined within the model rules.

@Sammaye
Owner

Sammaye commented Jan 20, 2014

I think that might be why this is happening, because the code change allows for filters to be used but sacrifices the ability to just send in random data and get it back again. Now it all has to be validated, and if it doesn't validate correctly as a field that should be there it will be omitted, since of course $c is the new model created.

@kate-kate
Author

Does it mean that I have to declare a safe validation rule for every subarray stage? If yes, it would be difficult, because I have a dynamic subarray configuration.

@Sammaye
Owner

Sammaye commented Jan 20, 2014

Hmm, unfortunately the only way to get around this is to not actually validate what fields you have in that array.

I realised this in my last message, that the subdocument validator, before that fix, potentially would allow unsafe fields through to the database.

This is a very difficult one to solve. I am quite unsure how to solve it without either producing a security risk or making people unhappy.

@kate-kate
Author

Maybe you should try to create a parameter that would define the validator behavior? If people consciously permit a security risk, they would get what they want)

@Sammaye
Owner

Sammaye commented Jan 20, 2014

Yeah I can do that, so long as it is ok to have to add a param to the rules required?

How about filter?

@kate-kate
Author

It's ok, I think. You just need to warn about this param.
How about strict?)

@Sammaye
Owner

Sammaye commented Jan 20, 2014

Try that out: 2fe8a99

Let me know if it works

@kate-kate
Author

It works, thanks

@Sammaye
Owner

Sammaye commented Jan 21, 2014

Sweet I'll release it then thanks :)

@Sammaye Sammaye closed this as completed Jan 21, 2014
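
The trade-off discussed in this thread, as an added illustration (not code from the extension or from commit 2fe8a99): a stand-alone PHP function showing that rebuilding each sub-document from ruled fields drops unruled nested data, while passing the original value through keeps it together with any unvetted keys. The function name, the `$strict` flag and the sample data are assumptions made for this example.

```php
<?php
// Added illustration; all names here are hypothetical, not the extension's API.

/**
 * Validate a list of sub-documents against per-field rules.
 * $rules maps field name => callable returning true when the value is valid.
 * $strict = true : each row is rebuilt from ruled fields only.
 * $strict = false: ruled fields are checked, but the caller's row is returned as-is.
 */
function validateSubdocuments(array $rows, array $rules, bool $strict, array &$errors = []): array
{
    $out = [];
    foreach ($rows as $index => $row) {
        if (!is_array($row)) {
            $errors[$index]['*'] = 'not a sub-document';
            continue;
        }
        $clean = [];
        foreach ($rules as $field => $isValid) {
            if (!array_key_exists($field, $row)) {
                continue; // nothing submitted for this ruled field
            }
            if ($isValid($row[$field])) {
                $clean[$field] = $row[$field];
            } else {
                $errors[$index][$field] = 'invalid value';
            }
        }
        // Strict mode stores only what a rule vouched for.
        $out[$index] = $strict ? $clean : $row;
    }
    return $out;
}

// Constructed input: one ruled field plus two keys that no rule mentions.
$rows = [
    'USD' => ['course' => 8, 'UAH' => ['course' => 8], 'is_admin' => true],
];
$rules = ['course' => 'is_numeric'];
$errors = [];

// Strict: the dynamic nested 'UAH' data is lost along with 'is_admin'.
var_export(validateSubdocuments($rows, $rules, true, $errors));
echo PHP_EOL;

// Non-strict: the nested data is preserved, and so is the unvetted 'is_admin'.
var_export(validateSubdocuments($rows, $rules, false, $errors));
echo PHP_EOL;
```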