In which case is it better to use the Validate model? Example: I have two model
AgreementForm
Agreement
When I create data - I use
$model = new AgreementForm();
if ( $model->load( \Yii::$app->request->post() ) && $model->save() ) {
....
}
Code of AgreemtnForm
AgreementForm extemds Model {
......
public function save() {
if(!$this->validate()) {
return null;
}
$model = new Agreement();
$model->content = $this->content;
if( $model->save() ) {
return true;
}
}
But when I update data, I use only that code:
public function actionUpdate( $id ) {
$model = Agreement::findOne( $id );
if( $model->load( \Yii::$app->request->post() ) && $model->save() ){
$this->refresh();
}
else {
return $this->render('update', [
'model' => $model,
]);
}
}
What is the validation model in this case, if I duplicate the validation in another model? Can I only use 1 model?
I will try to explain why you should almost always use a Form model to validate your data, providing some cases:
1) Doing
if( $model->load( \Yii::$app->request->post() ) && $model->save() )
could be dangerous, the user can send post data that he was not supposed to.
eg. Agreement has a userid column that gets id of the user that created it. If a user, sends this field in the post request, he could potentially change its value.
Your form model should define the properties that you expect to be sent.
2) You want to define additional validation for your model based on eg. the user role, the time the Agreement is valid etc.
Lets say you have 2 user roles:
Retailer
Merchant
Retailer can create an Agreement that is 300 characters long and max price 1000, opposed to 700 and 10000 for the merchant.
How do you cope with that?
You create 2 different forms:
$user = Yii::$app->user;
if ($user->can('retailer')) {
$model = new RetailerAgreementForm();
}
else {
$model = new MerchantAgreementForm();
}
if ( $model->load( \Yii::$app->request->post() ) && $model->save() ) {
....
}
In the form models, you can add the additional validation for your fields:
public function rules()
{
return [
['body', 'string', 'max' => 300],
['price', 'integer', 'max'=> 1000],
];
}
Using different forms for this I believe is the best option.
3) Your form model fields do not correspond to Database model columns 1 to 1.
Consider this example:
Your want to save the address of the agreement, street, state and city. You have a list of cities, states and streets.
The only thing you want to do with the address is save it and load it, eg. nobody is going to search per city.
So you just define a column address(type text) in your table and save the data as a JSON.
Your AgreementForm defines the address as separate fields and validates them accordingly and your Agreement model just validates address to be a string.
Do not duplicate your validation between AgreementForm and Agreement models. They should define different validation rules.
Note: Even if you do not render the form in a view and just post some data, it is good to use a form model to get exactly the fields you want to change and if needed, validate them with additional rules. The only case that I could think to just use the DB model directly is when you want to provide just some basic crud operations for your model.
Related
I have user table. I created a form with 3 fields:
Username
phonenumber
status
The first two fields are unique. Model rules for those fields look like this:
[['Username', 'phonenumber'], 'required'],
[['Username', 'phonenumber'], 'unique'],
I use soft deletion, so when record is deleted, it actually stays in database but status value will change to 0.
The problem is, if I add a record with existing username it shows an error message like "already added". I need to ignore validation if username have a status with value 0.
Use filter property of UniqueValidator
public function rules()
{
return [
...
['username', 'unique', 'filter' => ['<>', 'status', 0]];
...
];
}
It's better to declare constant instead of 0 (something like const STATUS_DELETED = 0) and user it as self::STATUS_DELETED inside of User class. Also you can use != instead of <>.
The last recommendation will be to use username instead of Username to follow convention of naming database table columns.
Read more about ways of declaring filter in official docs.
The ways of setting filter condition as array is described here.
You can use your own function to decide the given username already exists in active status or not. Use this function in "when" property of your unique validation rule.
Have a look :
public function rules()
{
$check = function($model) {
$existActiveUser = User::model()->findByAttributes(array("username"=>$model->username,"status"=>1));
if($existActiveUser)
return true;
else
return false;
};
return [
['Username', 'phonenumber'], 'required'],
[['Username','phonenumber'],'unique','when'=>$check],
}
Here is a basic add action:
public function add()
{
$article = $this->Articles->newEntity();
if ($this->request->is('post')) {
$article = $this->Articles->patchEntity($article, $this->request->data);
if ($this->Articles->save($article)) {
$this->Flash->success('Success.');
return $this->redirect(['action' => 'index']);
} else {
$this->Flash->error('Fail.');
}
}
$this->set(compact('article'));
}
If a malicious user injects at form a field with name id and set the value of this field to 2. Since the user do that the id value will be in $this->request->data so at $this->Articles->patchEntity($article, $this->request->data) this id will be patched and at $this->Articles->save($article) the record 2 will be updated instead of create a new record??
Depends.
Entity::$_accessible
If you baked your models, then this shouldn't happen, as the primary key field will not be included in the entities _accessible property, which defines the fields that can be mass assigned when creating/patching entities. (this behavior changed lately)
If you baked your models, then this shouldn't happen, as the primary key field(s) will be set to be non-assignable in the entities _accessible property, which means that these the fields cannot be set via mass assignment when creating/patching entities.
If you didn't baked your models and haven't defined the _accessible property, or added the primary key field to it, then yes, in case the posted data makes it to the patching mechanism, then that is what will happen, you'll be left with an UPDATE instead of an INSERT.
The Security component
The Security component will prevent form tampering, and reject requests with modified forms. If you'd use it, then the form data wouldn't make it to the add() method in the first place.
There's also the fieldList option
The fieldList option can be used when creating/patching entities in order to specifiy the fields that are allowed to be set on the entity. Sparse out the id field, and it cannot be injected anymore.
$article = $this->Articles->patchEntity($article, $this->request->data, [
'fieldList' => [
'title',
'body',
//...
]
]);
And finally, validation
Validation can prevent injections too, however that might be considered a little wonky. A custom rule that simply returns false would for example do it, you could create an additional validator, something like
public function validationAdd(Validator $validator) {
return
$this->validationDefault($validator)
->add('id', 'mustNotBePresent', ['rule' => function() {
return false;
}]);
}
which could then be used when patching the entity like
$article = $this->Articles->patchEntity($article, $this->request->data, [
'validate' => 'add'
]);
I have tried all kinds of methods of limiting the columns which are returned in my many-to-many relationship, and none seem to work.
Background - Not really necessary, but to give the big picture
Essentially, in my app, I want to build a list of contacts for the currently logged in user. Administrator and Billing users should be able to contact everybody including users of group Customer.
Customer should only be able to contact Administrator and Billing.
So my way to tackle this is firstly to determine the groups that the user is in.
$userGroups = Sentry::getUser()->getGroups()->lists('name', 'id');
Then iterate over the groups, to see if the user is in the group Administrator or Billing or Customer and build the contact groups for that user.
foreach($userGroups as $group)
{
if ($group === 'Administrator' || $group === 'Billing')
{
$contactGroups = \Group::with('users')->get(['id', 'name']);
}
else if ($group === 'Customer')
{
$contactGroups = \Group::where('name', 'Administrator')
->orWhere('name', 'Billing')
->with('users')
->get(['id', 'name']);
}
else
{
return Response::json('No Contacts found', 404);
}
}
The problem - It appears that I am unable to select specific columns to select on belongsToMany relations.
I have tried:
$contactGroups = \Group::where('name', 'Administrator')
->orWhere('name', 'Billing')
->with(['users', function($q){
$q->select('id', 'first_name', 'last_name');
}])
->get(['id', 'name']);
I have also tried limiting the select within the Group model
class Group extends Eloquent
{
protected $table = 'groups';
public function users()
{
return $this->belongsToMany('User', 'users_groups')
->select('id', 'first_name', 'last_name', 'email', 'telephone');
}
}
Either way, the query runs, but it returns the entire user object and completely ignores my selects.
As such, when I return a json response, everything that I do not want is included.
So what I have done as a temporary fix is iterate over each of the users in each of the groups, and unset all the attributes which I do not want.
foreach ($contactGroups as $group)
{
foreach($group->users as $user)
{
unset($user->persist_code);
unset($user->created_at);
unset($user->updated_at);
unset($user->deleted_at);
unset($user->last_login);
unset($user->permissions);
unset($user->activated_at);
unset($user->activated);
unset($user->reset_password_code);
unset($user->pivot);
}
}
return Response::json($contactGroups, 200);
This is really clunky, inefficient and seems like a waste of time. Is there a better way of achieving the above?
For some reason selecting specific columns with belongsToMany is not working.
But i have found an alternate solution.
There is a provision in laravel, Converting to Arrays or json that allows you to whitelist/blacklist specific columns when using toArray() or toJson.
To prevent specific fields from appearing in the relation :
class User extends Eloquent{
protected $hidden = array("persist_code","created_at","updated_at","deleted_at","last_login");
}
Instead if you wish to allow specific fields :
protected $visible = array("Visibile fields");
try this
$contactGroups = \Group::where('name', 'Administrator')
->orWhere('name', 'Billing')
->with(['users', function($q){
$q->get(['id', 'first_name', 'last_name']);
}])
->get(['id', 'name']);
or this
$contactGroups = \Group::where('name', 'Administrator')
->orWhere('name', 'Billing')
->with(['users:id,first_name,last_name'])
->get(['id', 'name']);
The validation on Kohana ORM is done using rules
function rules()
{
return array(
'username' => array(
array('not_empty'),
array(array($this, 'availability')),
)
);
}
I'm struggling to validate a JSON encoded column using $_serialize_columns.
class Model_Admin extends ORM {
protected $_belongs_to = array();
protected $_has_many = array(
'plans' => array(),
'groups' => array(),
'transactions' => array(),
'logins' => array()
);
protected $_serialize_columns = array('data');
/**
* #param array $data
* #param Validation $validation
*
* #return bool
*/
public function data($data, $validation)
{
return
Validation::factory(json_decode($data, TRUE))
// ... rules ...
->check();
}
public function rules()
{
return array(
'data' => array(
array(array($this, 'data'), array(':value',':validation')
)
);
}
}
the array that gets encoded is:
array(
'name' => '',
'address' => '',
'phone' => '',
'postalcode' => ''
);
the data method receives the json encoded data, because the ORM runs the filters before doing the validation, so I need to convert it back to an associative array, then create a new validation object to check specifically for the content of that array. Because I can't merge Validation rules from another Validation instance
Updated Answer
The use of a second validation object is necessary since save() causes the internal model validation object to be checked. This means that rules added to the validation object being checked from a validation rule will be ignored (Validation->check() imports the rules into local scope before looping).
Since the data itself is technically another object (in the sense of object relationships, it has its own dataset that needs validation) the ideal solution would be to find a way to create a real model that saves the data.
There are numerous other benefits to saving data with proper database column definitions, not least if you need to perform data property lookups, make in-situ changes etc. (which would otherwise require unserializing the data column, potetnailly in all rows).
There are some alternatives, but they feel like kludges to me:
Create a model that represents the data object and add rules to it, using check() to validate the data (problem: will require a lot of maintenance, no real-world table means columns must be manually defined).
Set the data as real columns in the Admin model, and use a filter that will convert it into the data column on set (problem: again, must manually define the columns and exclude the additional columns from the save operation).
I hope this is of some use.
Original Answer
The Kohana ORM save() method permits the inclusion of an "extra" validation object, which is merged into the main ORM validation object namespace.
This is documented briefly here.
If I have understood correctly, I think you are looking to do something like this:
// another script, e.g., a controller
// Create the model
$admin = ORM::factory('Admin');
// $data = the data as an array, before serialization ...
$extra_validation = Validation::factory($data)
// add ->rule() calls here, but DO NOT chain ->check()
;
// Set $data in the model if it is going to be saved, e.g., $admin->data = $data;
// Set other data... e.g., $admin->foo = 'bar';
// Save the model
try {
$admin->save($extra_validation);
}
catch (ORM_Validation_Exception $e)
{
// Manipulate the exception result
}
While in this example you must still create another validation object, you are now able to catch all exceptions in a single block. I would recommend using var_dump() or similar on $e->errors() to check the namespace if you are using i18n messages to provide a human-readable error message. You should find that a namespace called "_external" has been created in the response.
I have the database just like this
==== Invoices ====
id
costumer_id
description
==== Costumers ===
id
firstname
lastname
Now I have made the relation in between models just like this.In Invoices models the relation is as like this
public function relations()
{
return array(
'customer' => array(self::BELONGS_TO, 'Customer', 'customer_id')
);
}
In costumer model the relation is just like this
public function relations()
{
return array(
'invoice' => array(self::HAS_MANY, 'Invoices','customer_id')
);
}
Now as my relation is defined one costumer has many invoices and the invoice is belongs to the costumer.
Now I made multimodel and loaded the Costumer model into Invoice model just like this.
public function actionCreate()
{
$model = new Invoices;
$customers = new Customers;
// Uncomment the following line if AJAX validation is needed
// $this->performAjaxValidation($model);
if (isset($_POST['Invoices'],$_POST['Customers']))
{
$model->attributes = $_POST['Invoices'];
$customers->attributes = $_POST['Customers'];
$valid = $model->validate();
$valid = $customers->validate();
if($valid)
{
$model->save(false);
$customers->id = $model->customer_id;
$customers->save(false);
$this->redirect(array('view','id'=>$model->id));
}
}
$this->render('create',array(
'model'=>$model,
'customers'=>$customers,
));
}
Here every thing is okay. I can insert the data for both models easily. But my problem comes here in the way that when I am inserting data from Invoice multimodel the foreign key id is not changing. It is showing zero everytime. Can some one tell me where I am wrong.Any help and suggestions will be highly appriciable.
My guess is that you are overriding the customer's primary key with the invoice's foreign key. I do not say that's not correct that way (maybe in your scenario it makes sense).
Let me explain what you are doing in that code:
First, you create new instances of two models, Invoices and Customers. Yii understands that as "they wish to insert new items in the database".
Then, you check if there are the items coming from an ajax form. If true, then,
You populate Invoices (defined as $model. I'd change it to $invoice, in case you need to edit and understand it further).
You also popupulate the customer's information, overriding the $valid value (so, you don't know if invoice is actually valid).
If valid (remember you're only validating customer's information), do,
Save the invoice
Override customer's id with invoice's foreing key to customer.
Save the customer, and redirect.
Now, what I got from that:
$valid doesn't work as expected: I'd change that to an incremental assignment.
You may not be passing a customer_id coming from the ajax form. Foreing keys are integers, and so if not defined within a model, it becomes 0 or NULL.
You are always passing id = 0 / NULL to Customer's model, so it would probably warn you when validating. However, you are using save(false), which means it doesn't pre-validate on save, so you never know it doesn't work.
So, according to this:
public function actionCreate()
{
$invoice = new Invoices;
$customers = new Customers;
// Uncomment the following line if AJAX validation is needed
// $this->performAjaxValidation($invoice);
if (isset($_POST['Invoices'],$_POST['Customers']))
{
$invoice->attributes = $_POST['Invoices'];
$customers->attributes = $_POST['Customers'];
$valid = true; /* expect it is always valid */
$valid &= $invoice->validate(); /* if $invoice is not valid, $valid will be false (true&false = false) */
$valid &= $customers->validate(); /* same as the above line */
if($valid)
{
$customers->save(); /* First save customers. It's the Foreign item */
$invoice->customer_id = $customers->getPrimaryKey(); /* new instances use getPrimaryKey() to get its id */
$invoice->save(); /* Save invoice AFTER getting customer's primary key */
$this->redirect(array('view','id'=>$invoice->id));
}
}
$this->render('create',array(
'invoice'=>$invoice,
'customers'=>$customers,
));
}
I hope this solves your problem.
Please you need to understand a clear scenerio here. why would you use
if($valid)
{
$model->save(false);
$customers->id = $model->customer_id;
$customers->save(false);
$this->redirect(array('view','id'=>$model->id));
}
$model->save(false); tells model that if this record is not save(), the it shoud set the $customers->id = $model->customer_id;
This will only return false because. I do rather prefer if you call ( $customers->id = $model->customer_id;) before the $model->save();
REMEMBER, if you need to check if Save() returns true, then set it to $model->save(true)