[ticket/10005] Add validation of dropdown custom profile field values

PHPBB3-10005

phpBB/includes/functions_profile_fields.php

@@ -150,6 +150,17 @@ class custom_profile
 			case FIELD_DROPDOWN:
 				$field_value = (int) $field_value;
 
+				// retrieve option lang data if necessary
+				if (!isset($this->options_lang[$field_data['field_id']]) || !isset($this->options_lang[$field_data['field_id']][$field_data['lang_id']]) || !sizeof($this->options_lang[$file_data['field_id']][$field_data['lang_id']]))
+				{
+					$this->get_option_lang($field_data['field_id'], $field_data['lang_id'], FIELD_DROPDOWN, false);
+				}
+
+				if (!isset($this->options_lang[$field_data['field_id']][$field_data['lang_id']][$field_value]))
+				{
+					return 'FIELD_INVALID_VALUE';
+				}
+
 				if ($field_value == $field_data['field_novalue'] && $field_data['field_required'])
 				{
 					return 'FIELD_REQUIRED';
@@ -302,6 +313,7 @@ class custom_profile
 				switch ($cp_result)
 				{
 					case 'FIELD_INVALID_DATE':
+					case 'FIELD_INVALID_VALUE':
 					case 'FIELD_REQUIRED':
 						$error = sprintf($user->lang[$cp_result], $row['lang_name']);
 					break;

phpBB/language/en/ucp.php

@@ -194,6 +194,7 @@ $lang = array_merge($lang, array(
 	'FIELD_INVALID_CHARS_ALPHA_ONLY'	=> 'The field “%s” has invalid characters, only alphanumeric characters are allowed.',
 	'FIELD_INVALID_CHARS_SPACERS_ONLY'	=> 'The field “%s” has invalid characters, only alphanumeric, space or -+_[] characters are allowed.',
 	'FIELD_INVALID_DATE'				=> 'The field “%s” has an invalid date.',
+	'FIELD_INVALID_VALUE'				=> 'The field “%s” has an invalid value.',
 
 	'FOE_MESSAGE'				=> 'Message from foe',
 	'FOES_EXPLAIN'				=> 'Foes are users which will be ignored by default. Posts by these users will not be fully visible. Personal messages from foes are still permitted. Please note that you cannot ignore moderators or administrators.',

tests/profile/custom_test.php

@@ -0,0 +1,52 @@
+<?php
+/**
+*
+* @package testing
+* @copyright (c) 2011 phpBB Group
+* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+*
+*/
+
+require_once dirname(__FILE__) . '/../../phpBB/includes/functions_profile_fields.php';
+
+class phpbb_profile_custom_test extends phpbb_database_test_case
+{
+	public function getDataSet()
+	{
+		return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/profile_fields.xml');
+	}
+
+	static public function dropdownFields()
+	{
+		return array(
+			//    novalue, required, value, expected
+			array(1,       1,        '0',   'FIELD_INVALID_VALUE'),
+			array(1,       1,        '1',   'FIELD_REQUIRED'),
+			array(1,       1,        '2',   false),
+			array(1,       0,        '0',   'FIELD_INVALID_VALUE'),
+			array(1,       0,        '1',   false),
+			array(1,       0,        '2',   false),
+		);
+	}
+
+	/**
+	* @dataProvider dropdownFields
+	*/
+	public function test_dropdown_validate($field_novalue, $field_required, $field_value, $expected)
+	{
+		global $db;
+		$db = $this->new_dbal();
+
+		$field_data = array(
+			'field_id'			=> 1,
+			'lang_id'			=> 1,
+			'field_novalue'		=> $field_novalue,
+			'field_required'	=> $field_required,
+		);
+
+		$cp = new custom_profile;
+		$result = $cp->validate_profile_field(FIELD_DROPDOWN, &$field_value, $field_data);
+
+		$this->assertEquals($expected, $result);
+	}
+}

tests/profile/fixtures/profile_fields.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<dataset>
+	<table name="phpbb_profile_fields_lang">
+		<column>field_id</column>
+		<column>lang_id</column>
+		<column>option_id</column>
+		<column>field_type</column>
+		<column>lang_value</column>
+		<row>
+			<value>1</value>
+			<value>1</value>
+			<value>0</value>
+			<value>5</value>
+			<value>Default Option</value>
+		</row>
+		<row>
+			<value>1</value>
+			<value>1</value>
+			<value>1</value>
+			<value>5</value>
+			<value>First Alternative</value>
+		</row>
+		<row>
+			<value>1</value>
+			<value>1</value>
+			<value>2</value>
+			<value>5</value>
+			<value>Third Alternative</value>
+		</row>
+	</table>
+</dataset>