Allow 0 and otherwise empty forwards #2470
Conversation
There was a problem hiding this comment.
This has the same problem described in #2281 (comment).
The client removes 0 pct forwards, but the server would still accept them because the validation is the same on both. The server should not accept 0 pct forwards like this:
curl -H "Content-Type: application/json" -X POST -d '{
"query": "mutation upsertDiscussionWithForwards($title: String!, $text: String!, $sub: String!, $forward: [ItemForwardInput]) { upsertDiscussion(title: $title, text: $text, sub: $sub, forward: $forward) { result { id } } }",
"variables": {
"title": "foobar",
"text": "asdf",
"sub": "art",
"forward": [
{
"nym": "anon",
"pct": 0
}
]
}
}' http://localhost:3000/api/graphql
Maybe all we need is to extend validateSchema like this:
diff --git a/lib/validate.js b/lib/validate.js
index ed71f3a1..243b10b4 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -4,7 +4,8 @@ import {
MIN_POLL_NUM_CHOICES, MAX_FORWARDS, BOOST_MULT, MAX_TERRITORY_DESC_LENGTH, POST_TYPES,
TERRITORY_BILLING_TYPES, MAX_COMMENT_TEXT_LENGTH, MAX_POST_TEXT_LENGTH, MIN_TITLE_LENGTH, BOUNTY_MIN, BOUNTY_MAX,
RESERVED_SUB_NAMES,
- BOOST_MAX
+ BOOST_MAX,
+ SSR
} from './constants'
import { SUPPORTED_CURRENCIES } from './currency'
import { NOSTR_MAX_RELAY_NUM, NOSTR_PUBKEY_BECH32, NOSTR_PUBKEY_HEX } from './nostr'
@@ -16,7 +17,7 @@ import { datePivot } from './time'
export async function validateSchema (schema, data, args) {
try {
if (typeof schema === 'function') {
- return await schema(args).validate(data)
+ return await schema({ server: SSR, ...args }).validate(data)
} else {
return await schema.validate(data)
}and then in advPostSchemaMembers, we keep the min check on the server but remove or set it to 0 on the client.
What do you think?
|
I realize there's a inconsistency between client and server validation. I agree with the fix for the distinction between the two validations; my implementation wasn't strict enough for the server, and it also made it vulnerable to direct API calls that bypassed the check. I'm implementing the fix now. |
t status echo "Status check"
pory-gone
force-pushed
the
empty_fowards
branch
from
d788fb5 to
ce52341
Compare
|
Thank you so much, if there are any other changes that need to be made, I'm here to do so. |
|
I fixed all the files and now everything should be fine. |
|
Hello, I recently updated our PR template to add a question about AI in #2507. Even though I already approved your PR, I updated your PR description to include it, see the end of the checklist. Can you please answer it? Thank you! |
2 participants
Description
fix #2271
Made client and server changes to handle forward recipients more robustly:
form.js:normalize forwards before sending the mutation. Convertspctto Number and filters out entries that have no recipient (nym) or have non-finite or non-positive percentages. This lets the browser accept 0 or empty input while preventing blank/zero forwards from being sent to the server.validate.js:adjusted the forwards schema so server-side validation remains strict but more precise:Additional Context
Only fully empty forward objects (no
nymand nopct) are compacted away.The total-sum check now skips when any
pctis non-finite so that field-level validators (e.g.required) produce the specific error the user should see (instead of a confusing "sum exceeds 100%" message).Screenshots
testing.mp4
Checklist
Are your changes backward compatible? Please answer below:
yes
On a scale of 1-10 how well and how have you QA'd this change and any features it might affect? Please answer below:
7/10
**For frontend changes: Tested on mobile, light and dark mode? Please answer below:**nan
**Did you introduce any new environment variables? If so, call them out explicitly here:**nan
Did you use AI for this? If so, how much did it assist you?
I used AI to understand context and get some code drafts