Problem/Motivation
NodeForm puts the node's current changed timestamp in the form and sends it to the client so that it can later be used for overwrite checking: the current user is prevented from saving the node if another user saved it in the meantime.
The problem is that we set changed in the form as a hidden element's default_value, which means the user might manipulate it.
More importantly, EntityChangedConstraint seems to rely solely on this element existing, which it doesn't for other entity types. For example, Block Content has the constraint but does not throw an error in the same circumstances listed below. This could lead to data loss.
Steps to reproduce:
- Create a node.
- Go to node/{node}/edit.
- Save the node in the background to cause the entity changed constraint validator to raise an error.
- Submit the form.
- As a result you get the validation error message "The content has either been modified by another user, or you have already submitted modifications. As a result, your changes cannot be saved."
- Now manipulate the changed timestamp in the DOM, setting it to the current time, using Firebug or a similar tool.
- Submit the form again.
- Watch how you successfully overcome the entity changed constraint validator.
The attached test shows the problem.
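The weakness described above, modelled in plain PHP as an added example (it is not Drupal code, not the test attached to this issue, and not a resolution proposed here). It contrasts a check that trusts the posted changed value with one that binds that value to a server-side HMAC; the function names, the `changed_token` field, the key and all timestamps are assumptions constructed for illustration.

```php
<?php
// Added illustration, not Drupal code. All names and values are hypothetical.
const DEMO_KEY = 'constructed-demo-key'; // assumption: a secret only the server knows

// Weak form: compares the stored timestamp with whatever the form posted back.
function weakAllowsSave(int $storedChanged, array $post): bool {
    return $storedChanged <= (int) ($post['changed'] ?? 0);
}

// Issued when the edit form is built: ties the timestamp to the entity id.
function issueToken(int $entityId, int $changed): string {
    return hash_hmac('sha256', $entityId . ':' . $changed, DEMO_KEY);
}

// Hardened form: the posted timestamp is only used if its token still verifies.
function signedAllowsSave(int $entityId, int $storedChanged, array $post): bool {
    $posted = (int) ($post['changed'] ?? 0);
    $token = (string) ($post['changed_token'] ?? '');
    if (!hash_equals(issueToken($entityId, $posted), $token)) {
        return false; // timestamp differs from the one the server issued
    }
    return $storedChanged <= $posted;
}

$id = 1;
$issued = 1000; // constructed: changed time when the edit form was built
$token = issueToken($id, $issued);

// Constructed cases: [changed time now stored on the server, posted form values].
$cases = [
    'no conflict'       => [1000, ['changed' => '1000', 'changed_token' => $token]],
    'concurrent save'   => [1060, ['changed' => '1000', 'changed_token' => $token]],
    'edited hidden val' => [1060, ['changed' => '2000', 'changed_token' => $token]],
];

foreach ($cases as $label => [$stored, $post]) {
    printf(
        "%-18s weak=%-5s signed=%s\n",
        $label,
        var_export(weakAllowsSave($stored, $post), true),
        var_export(signedAllowsSave($id, $stored, $post), true)
    );
}
```

Only the weak check accepts the third case; keeping the issued timestamp in server-side form state instead of signing it would give the same property.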
Proposed resolution
None at the moment.
Remaining tasks
Find a solution to the problem.
User interface changes
none
API changes
none
Data model changes
none