Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[api/lib] instrument endpoints and lib - no data validation #9826

New issue
New issue
Open
Open
[api/lib] instrument endpoints and lib - no data validation#9826
Assignees
regisoc
Labels
26.0.0-bugsIssues that were raised during the release testing for 26.0.0Area: APIPR or issue related to the APIArea: InstrumentsPR or issue related instrumentsCategory: BugPR or issue that aims to report or fix a bugLanguage: PHPPR or issue that update PHP codeModule: apiPR or issue related to api modulePriority: HighPR or issue should be prioritised over others for review and testingProject: HBCDIssue or PR related to the HBCD project
@regisoc

Description

@regisoc
regisoc
opened on Jun 4, 2025

Describe the bug

Instrument class validate() method should validate data against the instrument definition, but ends up only doing the same as determineDataEntryAllowed() method (alias).

Loris/php/libraries/NDB_BVL_Instrument.class.inc

Lines 3130 to 3133 in 0883fde

function validate(array $values): bool
{
return $this->determineDataEntryAllowed();
}

This is confusing in the code, as this is making the API instrument endpoints checks not validating data even if the code seems pretty explicit about it. The process is:

  1. check if data entry is allowed = instrument not in complete state.
  2. get the data from the request payload.
  3. check if the data is valid for that instrument.

Step 3. should data validated against the instrument, but ends up only doing the same as step 1.

Loris/modules/api/php/endpoints/candidate/visit/instrument/instrument.class.inc

Lines 171 to 191 in 0883fde

*/
private function _handlePUT(ServerRequestInterface $request) : ResponseInterface
{
if (!$this->_instrument->determineDataEntryAllowed()) {
return new \LORIS\Http\Response\JSON\Forbidden(
'Can not update instruments that are flagged as complete.'
);
}
$data = json_decode((string) $request->getBody(), true);
if (!is_array($data)) {
return new \LORIS\Http\Response\JSON\BadRequest(
'Invalid request'
);
}
if (!$this->_instrument->validate($data)) {
return new \LORIS\Http\Response\JSON\Forbidden(
'Could not update.'
);
}

This makes that the instrument API endpoint is accepting any data.

To Reproduce
Steps to reproduce the behavior (attach screenshots if applicable):

  1. Get an instrument with different types of fields (get the commentID/candidate/visit label/instrument).
  2. Go to api_docs: Tools > API documentation.
  3. Get the instrument data with the GET endpoint /candidates/{candid}/{visit}/instruments/{instrument}.
  4. Copy paste it to the PUT endpoint /candidates/{candid}/{visit}/instruments/{instrument}.
  5. Change some values, also changing select/multiselect (dropdown) to options that do not even exist in the option list of these fields.
  6. send the request, see the 200 ok code.
  7. Check the corresponding data from the db.

What did you expect to happen?
An error code returned if the validation of data fails.

Metadata

Metadata

Assignees

Labels

26.0.0-bugsIssues that were raised during the release testing for 26.0.0Area: APIPR or issue related to the APIArea: InstrumentsPR or issue related instrumentsCategory: BugPR or issue that aims to report or fix a bugLanguage: PHPPR or issue that update PHP codeModule: apiPR or issue related to api modulePriority: HighPR or issue should be prioritised over others for review and testingProject: HBCDIssue or PR related to the HBCD project

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions