Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixing FormatException when the login screen is posted with values other than true/false for RememberMe (Lombiq Technologies: OCORE-132) #14845

Merged
merged 7 commits into from
Dec 14, 2023

Conversation

Piedone
Copy link
Member

@Piedone Piedone commented Dec 6, 2023

Fixes #14792


// When the value of the RememberMe field is set to anything else than "true" or "false" by the client, which is
// the case with automated cracking attempts, then otherwise we'd get a FormatException from the model binder.
if (!ViewContext.ModelState.IsValid &&
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why we don't move the logic into the controller? The view should have a minimalistic logic that is related to the presentation

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a workaround solely for the <input asp-for="RememberMe" class="form-check-input" tabindex="3"> line below, that's where the exception is thrown, due to using the auto-generation of the editor with asp-for. With a different implementation of the field (like by having a checkbox implemented directly) the exception won't be thrown. So, for other implementations of this view the code wouldn't necessarily be appropriate.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I initially thought about this issue, I didn't think of creating a workaround like you did. If it's fine for all to accept this workaround, or I might propose another PR to fix it in a proper way

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What did you think about? Alternatives I tried but didn't like better:

  • Nullable RememberMe but that would need a hand-crafted checkbox because the tag helper doesn't support nullable booleans.
  • Hand-crafted checkbox by itself.
  • Custom model binding but that would be just ugly.

@Piedone Piedone requested a review from MikeAlhayek December 13, 2023 02:44
@MikeAlhayek
Copy link
Member

@Piedone what happens if the client sends a bad value to DateTime or any other types? Likely we'll get similar behavior. Do we really need to implement a workaround for that?

@Piedone
Copy link
Member Author

Piedone commented Dec 13, 2023

I guess so. I'd expect this to be a simple validation issue that model binding should handle, but apparently, it doesn't, and I couldn't find any better options, see above. To be clear, the problem is only in the view, due to asp-for.

@MikeAlhayek
Copy link
Member

@Piedone implementing this kinds of work around feels wrong to me. So I am going to suggest that we stay away doing this. However, if you think we should support this kind of binding in OC, we should be able to register a custom boolean binder that would be applied through the app. Try implementing IModelBinderProvider and register it using MvcIOptions with something like this

services.AddMvc(options =>
{
    options.ModelBinderProviders.Insert(0, new StringToBoolBinderProvider());
});

@Piedone
Copy link
Member Author

Piedone commented Dec 13, 2023

I looked into that approach as well as mentioned, but I don't think it's better. Anyway, I changed it to that, please check.

@MikeAlhayek
Copy link
Member

I looked into that approach as well as mentioned, but I don't think it's better. Anyway, I changed it to that, please check.

@Piedone what do you not like about this approach?

I think this is a much cleaner approach. However, I don't think this logic should be in the Users module. I think it should be available in Orchardcore.Mvc.Core project instead. Maybe is can be added here instead https://github.com/OrchardCMS/OrchardCore/tree/8f0c371e95bea724534280f2ee81801699ab14d2/src/OrchardCore/OrchardCore.Mvc.Core/ModelBinding

then register it here

options.ModelBinderProviders.Insert(0, new CheckMarkModelBinderProvider());

@Piedone
Copy link
Member Author

Piedone commented Dec 13, 2023

The #14792 issue is specific to what the Users module does in its view, thus I don't think it warrants a custom model binder for the whole app. But perhaps other modules also display a similar checkbox that can benefit from this, so sure, I moved it up.

@Piedone
Copy link
Member Author

Piedone commented Dec 13, 2023

Thanks for the review! Anything you'd add @hishamco?

Copy link
Member

@hishamco hishamco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be looks better than the old workaround :)

@hishamco
Copy link
Member

@Piedone please merge after fixing the suggested format

Piedone and others added 2 commits December 14, 2023 15:02
Co-authored-by: Hisham Bin Ateya <hishamco_2007@yahoo.com>
@Piedone Piedone requested a review from hishamco December 14, 2023 14:03
@Piedone Piedone merged commit 5a26240 into OrchardCMS:main Dec 14, 2023
3 checks passed
urbanit pushed a commit to urbanit/OrchardCore that referenced this pull request Mar 18, 2024
…her than true/false for RememberMe (Lombiq Technologies: OCORE-132) (OrchardCMS#14845)

* Fixing FormatException when the login screen is posted with values other than true/false for RememberMe

* Changing anti-cracking attempt model binding to use a custom model binder instead

* Moving SafeBoolModelBinder to OrchardCore.Mvc.Core

* Sealing internal classes

* Formatting

Co-authored-by: Hisham Bin Ateya <hishamco_2007@yahoo.com>

---------

Co-authored-by: Hisham Bin Ateya <hishamco_2007@yahoo.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

FormatException on the login screen when sending non-boolean value for RememberMe
3 participants