Feature proposal #2445
closed
Calculated fields should be able to be substituted by CB substitutions, and thus raw field substitution should use the API and not database directly
Description
When using [field_name], it retrieves the field value from the $user object instead of the API. The same goes for userdata substitutions. As a result, any integration that provides a value through dynamic means and has no user storage always fails. For example, when CB Query Field and [cb_query] are used, it simply returns [cb_query] instead of the raw value.
Updated by krileon over 13 years ago
- File 2445.patch added
- Status changed from New to Resolved
- Assignee changed from krileon to beat
- % Done changed from 0 to 100
Added new function to evaluate [FIELD] instead of simply looping through user object and replacing. New function checks to make sure the contents inside of [] is actually a field before returning the resulting value (stops [asdgag] from returning nothing for instance).
Updated by beat over 13 years ago
- Target version set to CB 1.7
- Estimated time set to 5:00 h
r1525 implements the raw DATA slightly differently, but with the same principle and result.
For userfield the patch has 2 issues:
- it is not case-insensitive like the replaced old code, so [USERNAME] wouldn't work as it did.
- Additionally, it doesn't handle the $htmlspecialchar parameter properly, and as such would be a vulnerability if implemented that way.
Thus the patch can't be applied to CB as is.
Preparing an alternate, secure implementation solving the 2 issues detected above.
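The behaviour this thread asks for (values resolved through a getter rather than object properties, case-insensitive [FIELD] matching, an HTML-escaping flag that is honoured, unknown tokens left alone), as an added PHP example that is not CB's code nor either patch from this ticket. The function name `substituteFields`, its parameters, the resolver callback and the sample data are assumptions made for illustration.

```php
<?php
// Added illustration: all names here are hypothetical, not CB's API.

/**
 * Replace [field] tokens using a resolver callback (stand-in for a field API).
 *
 * @param string[] $fieldNames       names that count as real fields
 * @param callable $getValue         function (string $canonicalName): ?string
 * @param bool     $htmlspecialchars escape resolved values for HTML output
 */
function substituteFields(string $text, array $fieldNames, callable $getValue, bool $htmlspecialchars = true): string
{
    // Lower-cased lookup table so [USERNAME] resolves to the field "username".
    $known = [];
    foreach ($fieldNames as $name) {
        $known[strtolower($name)] = $name;
    }

    return preg_replace_callback(
        '/\[([A-Za-z0-9_]+)\]/',
        function (array $m) use ($known, $getValue, $htmlspecialchars): string {
            $key = strtolower($m[1]);
            if (!isset($known[$key])) {
                return $m[0]; // not a field: leave the token untouched
            }
            $value = (string) $getValue($known[$key]);
            // Escape at substitution time when the caller renders into HTML.
            return $htmlspecialchars
                ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
                : $value;
        },
        $text
    ) ?? $text; // fall back to the input if the regex engine reports an error
}

// Constructed sample data: one stored field and one calculated field.
$stored = ['username' => '<b>Bob</b> & Co'];
$getValue = function (string $name) use ($stored): ?string {
    if ($name === 'cb_query') {
        return 'computed at render time'; // no user storage behind this one
    }
    return $stored[$name] ?? null;
};

$template = 'Hi [USERNAME], query: [cb_query], other: [asdgag]';
echo substituteFields($template, ['username', 'cb_query'], $getValue, true), "\n";
echo substituteFields($template, ['username', 'cb_query'], $getValue, false), "\n";
```

The second call shows the unescaped path, which is only appropriate when the output is not rendered as HTML.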
Updated by beat over 13 years ago
- Subject changed from raw field substitution not API driven to Calculated fields should be able to be substituted by CB substitutions, and thus raw field substitution should use the API and not database directly