From 788ac89cf06e6fbc53ff8d4357514eae054b5275 Mon Sep 17 00:00:00 2001
From: Thierry Bugier
Date: Sat, 25 Jul 2020 22:41:18 +0200
Subject: [PATCH] fix(formanswer): missing validation checks when user updates a refused form

Signed-off-by: Thierry Bugier
---
 front/formanswer.form.php | 4 +++-
 inc/formanswer.class.php | 28 +++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/front/formanswer.form.php b/front/formanswer.form.php
index 4acbdb1fb..373b6ca7c 100644
--- a/front/formanswer.form.php
+++ b/front/formanswer.form.php
@@ -59,7 +59,9 @@
 $formanswer->redirectToList();
 } else if (isset($_POST['save_formanswer'])) {
- $formanswer->updateAnswers($_POST);
+ if (!$formanswer->updateAnswers($_POST)) {
+ Html::back();
+ }
 if (plugin_formcreator_replaceHelpdesk()) {
 $issue = new PluginFormcreatorIssue();
 $issue->redirectToList();
diff --git a/inc/formanswer.class.php b/inc/formanswer.class.php
index 1fb2007c4..541e51de2 100644
--- a/inc/formanswer.class.php
+++ b/inc/formanswer.class.php
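Review bot: In front/formanswer.form.php the new failure branch is only correct if `Html::back()` ends the request; if it ever returns, execution continues into the `plugin_formcreator_replaceHelpdesk()` redirects below exactly as it does after a successful save. That dependency is not visible in the hunk, so once confirmed I would record it at the call, e.g. `// Html::back() redirects and stops the script; the redirects below run only after a successful save`, or move the success path into an explicit `else`. The enclosing if/else-if chain starts and ends outside the hunk.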
@@ -848,10 +848,36 @@ public function updateAnswers($input) {
 $form->getFromDB((int) $input['plugin_formcreator_forms_id']);
 $input['status'] = self::STATUS_WAITING;
+ $valid = true;
+ $fieldValidities = [];
+
 $fields = $form->getFields();
 foreach ($fields as $id => $question) {
- $fields[$id]->parseAnswerValues($input);
+ $fieldValidities[$id] = $fields[$id]->parseAnswerValues($input);
+ }
+ // any invalid field will invalidate the answers
+ $valid = !in_array(false, $fieldValidities, true);
+
+ // Mandatory field must be filled
+ // and fields must contain a value matching the constraints of the field (range for example)
+ if ($valid) {
+ foreach ($fields as $id => $field) {
+ if (!$fields[$id]->isPrerequisites()) {
+ continue;
+ }
+ if (PluginFormcreatorFields::isVisible($field->getQuestion(), $fields) && !$fields[$id]->isValid()) {
+ $valid = false;
+ break;
+ }
+ }
+ }
+
+ if (!$valid) {
+ // Save answers in session to display it again with the same values
+ $_SESSION['formcreator']['data'] = Toolbox::stripslashes_deep($input);
+ return false;
 }
+
 return $this->saveAnswers($form, $input, $fields);
 }
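Review bot: The new checks validate against whichever form `$input['plugin_formcreator_forms_id']` names, and front/formanswer.form.php passes `$_POST` in unchanged, so the client selects the rule set; nothing visible here ties that id to the form the stored answer belongs to. The result of `$form->getFromDB(...)` is also unchecked, and if the lookup fails and `$form->getFields()` comes back empty, both loops are skipped and `$valid` stays true because `in_array(false, [], true)` is false. Unless this is enforced before the hunk (updateAnswers() begins outside it) or inside `saveAnswers()`, I would add `if (!$form->getFromDB((int) $input['plugin_formcreator_forms_id'])) { return false; }` and reject an id that differs from the one recorded on the answer being updated. Minor: `$valid = true;` is dead, since `$valid = !in_array(false, $fieldValidities, true);` overwrites it before any read. The copy of `$input` kept in `$_SESSION['formcreator']['data']` is still raw user input, so it has to be escaped wherever the form is rendered again.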