Cms: Image validation fails

Created on 19 Jun 2020 · 12 Comments · Source: statamic/cms

Bug Description

I have an asset field called image that has validate: image set. When I go to create a blog entry and try to save, I get an invalidation error even though the image is a valid .jpg image.

How to Reproduce

  • Create a Blog Collection
  • Create a Blog Blueprint with an Image and Bard Field (see below)
  • Mount the Blog Blueprint to Blog Collection
  • Create new Blog entry
  • Add a valid .jpg image to a valid Assets container
  • Watch image invalidate

title: Blog
sections:
  main:
    display: Main
    fields:
      -
        handle: image
        field:
          mode: grid
          container: assets
          restrict: false
          allow_uploads: true
          max_files: 1
          type: assets
          localizable: false
          listable: hidden
          display: Image
          validate: image
      -
        handle: bard
        field:
          buttons:
            - h2
            - h3
            - bold
            - italic
            - unorderedlist
            - orderedlist
            - removeformat
            - quote
            - anchor
            - image
            - table
          container: assets
          save_html: false
          toolbar_mode: fixed
          link_noopener: true
          link_noreferrer: true
          target_blank: true
          reading_time: true
          fullscreen: true
          allow_source: true
          type: bard
          localizable: false
          listable: hidden
          display: Bard

Extra Detail

image

Environment

Statamic version: 3.0.0.-beta.31
PHP version: 7.4.6
Install method (choose one): Fresh install from statamic/statamic

assets

All 12 comments

It's failing because the image has already been uploaded by the time you hit save. What's actually being validated is just an array of asset IDs.

This is basically a duplicate of https://github.com/statamic/ideas/issues/2

I want to be able to add validation rules to an asset container that'll apply to the actual files.

To add to this, using the mimes and mimetypes validation on the asset field also fails. Tested using mimes:jpeg and mimetypes:text/plain.

edit: Woops sorry Jason didn't see your reply.

Ah got it @jasonvarga... I also tried validate: file and the same thing occurred. Should I just remove validation on that field then if the Assets container already has validation?

The container doesn't have validation, it's just a feature request at the moment, but yes, that'd be the intention.

You could try this though (untested):

validate: '*.ends_with:jpg,jpeg,gif,png'

Here's what it shows, I'll just remove validation for now @jasonvarga:

image

Also a duplicate of #1341.

I think this may be related to this issue. When I try and have an image validate via its mime type AND allow it to be optional, it fails validation and says 'Image must be a file etc.'

validate:
        - nullable
        - sometimes
        - image
        - 'mimes:jpg,jpeg,png'
        - 'max:3000'

Gotcha - So it's handling it like an array of integers and not an asset / file type.

It's failing because the image has already been uploaded by the time you hit save. What's actually being validated is just an array of asset IDs.

The validation also doesn't work for files uploaded using a frontend form. So it doesn't seem to be related to the AJAX upload of the CP only.

This issue should get more attention, because this can be a huge security problem.

Is there currently any workaround for the frontend forms at least?

For anyone who stumbles upon this: my workaround was to extend the Statamic FormController, then intercept any assets validation mimes/mimetypes, run those through my own Laravel rules and then remove the mimes/mimetypes from the fields that had them, allowing the rest of the Statamic code to do its thing.

Also I have added a route that intercepts this specific form like this:

    Route::post('/!/forms/online_prijava_za_volontere', \App\Http\Controllers\FormController::class . '@submit')->name('forms.submit.post');

Also also, the form submit function expects a statamic Form to be passed.
Then just public function submit(Request $request, $form = null) and then

    $formName = collect($request->segments())->last();
    $form = Form::find($formName);
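
The approach described in the last comment, as an added sketch that is not code from the thread, from Statamic or from Laravel: take the file rules off the asset field and run them against the uploaded file's bytes, because the field value that normally reaches the validator is only an array of asset IDs. The function names, the extension-to-MIME subset and the sample files are constructed for illustration; only PHP's bundled fileinfo extension is assumed.

```php
<?php
// Added illustration: hypothetical helpers, not Statamic or Laravel code.

// Subset of extension => MIME pairs for "mimes:" rules (constructed for the example).
const EXT_TO_MIME = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

/** Split a field's rules into [rules that need the real file, everything else]. */
function splitFileRules(array $rules): array
{
    $file = $rest = [];
    foreach ($rules as $rule) {
        $name = explode(':', $rule, 2)[0];
        if (in_array($name, ['image', 'mimes', 'mimetypes'], true)) {
            $file[] = $rule;
        } else {
            $rest[] = $rule;
        }
    }
    return [$file, $rest];
}

/** Check one uploaded file against the file rules using its content, not its name. */
function checkUpload(string $path, array $fileRules): array
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $errors = [];
    foreach ($fileRules as $rule) {
        [$name, $arg] = array_pad(explode(':', $rule, 2), 2, '');
        if ($name === 'image') {
            $allowed = array_values(array_unique(EXT_TO_MIME));
        } elseif ($name === 'mimes') {
            $allowed = array_map(fn ($ext) => EXT_TO_MIME[$ext] ?? '', explode(',', $arg));
        } else { // mimetypes: the argument is already a list of MIME types
            $allowed = explode(',', $arg);
        }
        if (!in_array($mime, $allowed, true)) {
            $errors[] = "$rule failed: detected " . ($mime ?: 'unknown');
        }
    }
    return $errors;
}

// Constructed samples: a minimal GIF, and plain text saved under a .jpg name.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$fake = sys_get_temp_dir() . '/photo.jpg';
file_put_contents($fake, "this is not an image\n");

[$fileRules, $rest] = splitFileRules(['nullable', 'sometimes', 'image', 'mimes:jpg,jpeg,gif', 'max:3000']);
var_dump($rest);                          // rules left for the asset-ID array
var_dump(checkUpload($gif, $fileRules));  // result for the real GIF
var_dump(checkUpload($fake, $fileRules)); // result for the text file named .jpg
```
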