'submit', * '#value' => t('Submit'), * ); * return $form; * } * function my_module_example_form_validate($form, &$form_state) { * // Validation logic. * } * function my_module_example_form_submit($form, &$form_state) { * // Submission logic. * } * @endcode * * Or with any number of additional arguments: * @code * $extra = "extra"; * $form = drupal_get_form('my_module_example_form', $extra); * ... * function my_module_example_form($form, &$form_state, $extra) { * $form['submit'] = array( * '#type' => 'submit', * '#value' => $extra, * ); * return $form; * } * @endcode * * The $form argument to form-related functions is a structured array containing * the elements and properties of the form. For information on the array * components and format, and more detailed explanations of the Form API * workflow, see the * @link forms_api_reference.html Form API reference @endlink * and the * @link http://drupal.org/node/37775 Form API documentation section. @endlink * In addition, there is a set of Form API tutorials in * @link form_example_tutorial.inc the Form Example Tutorial @endlink which * provide basics all the way up through multistep forms. * * In the form builder, validation, submission, and other form functions, * $form_state is the primary influence on the processing of the form and is * passed by reference to most functions, so they use it to communicate with * the form system and each other. * * See drupal_build_form() for documentation of $form_state keys. */ /** * Returns a renderable form array for a given form ID. * * This function should be used instead of drupal_build_form() when $form_state * is not needed (i.e., when initially rendering the form) and is often * used as a menu callback. * * @param $form_id * The unique string identifying the desired form. If a function with that * name exists, it is called to build the form array. Modules that need to * generate the same form (or very similar forms) using different $form_ids * can implement hook_forms(), which maps different $form_id values to the * proper form constructor function. Examples may be found in node_forms(), * and search_forms(). hook_forms() can also be used to define forms in * classes. * @param ... * Any additional arguments are passed on to the functions called by * drupal_get_form(), including the unique form constructor function. For * example, the node_edit form requires that a node object is passed in here * when it is called. These are available to implementations of * hook_form_alter() and hook_form_FORM_ID_alter() as the array * $form_state['build_info']['args']. * * @return * The form array. * * @see drupal_build_form() */ function drupal_get_form($form_id) { $form_state = array(); $args = func_get_args(); // Remove $form_id from the arguments. array_shift($args); $form_state['build_info']['args'] = $args; return drupal_build_form($form_id, $form_state); } /** * Builds and process a form based on a form id. * * The form may also be retrieved from the cache if the form was built in a * previous page-load. The form is then passed on for processing, validation * and submission if there is proper input. * * @param $form_id * The unique string identifying the desired form. If a function with that * name exists, it is called to build the form array. Modules that need to * generate the same form (or very similar forms) using different $form_ids * can implement hook_forms(), which maps different $form_id values to the * proper form constructor function. Examples may be found in node_forms(), * and search_forms(). * @param $form_state * An array which stores information about the form. This is passed as a * reference so that the caller can use it to examine what in the form changed * when the form submission process is complete. Furthermore, it may be used * to store information related to the processed data in the form, which will * persist across page requests when the 'cache' or 'rebuild' flag is set. * The following parameters may be set in $form_state to affect how the form * is rendered: * - build_info: Internal. An associative array of information stored by Form * API that is necessary to build and rebuild the form from cache when the * original context may no longer be available: * - args: A list of arguments to pass to the form constructor. * - files: An optional array defining include files that need to be loaded * for building the form. Each array entry may be the path to a file or * another array containing values for the parameters 'type', 'module' and * 'name' as needed by module_load_include(). The files listed here are * automatically loaded by form_get_cache(). By default the current menu * router item's 'file' definition is added, if any. Use * form_load_include() to add include files from a form constructor. * - form_id: Identification of the primary form being constructed and * processed. * - base_form_id: Identification for a base form, as declared in a * hook_forms() implementation. * - immutable: If this flag is set to TRUE, a new form build id is * generated when the form is loaded from the cache. If it is subsequently * saved to the cache again, it will have another cache id and therefore * the original form and form-state will remain unaltered. This is * important when page caching is enabled in order to prevent form state * from leaking between anonymous users. * - rebuild_info: Internal. Similar to 'build_info', but pertaining to * drupal_rebuild_form(). * - rebuild: Normally, after the entire form processing is completed and * submit handlers have run, a form is considered to be done and * drupal_redirect_form() will redirect the user to a new page using a GET * request (so a browser refresh does not re-submit the form). However, if * 'rebuild' has been set to TRUE, then a new copy of the form is * immediately built and sent to the browser, instead of a redirect. This is * used for multi-step forms, such as wizards and confirmation forms. * Normally, $form_state['rebuild'] is set by a submit handler, since it is * usually logic within a submit handler that determines whether a form is * done or requires another step. However, a validation handler may already * set $form_state['rebuild'] to cause the form processing to bypass submit * handlers and rebuild the form instead, even if there are no validation * errors. * - redirect: Used to redirect the form on submission. It may either be a * string containing the destination URL, or an array of arguments * compatible with drupal_goto(). See drupal_redirect_form() for complete * information. * - no_redirect: If set to TRUE the form will NOT perform a drupal_goto(), * even if 'redirect' is set. * - method: The HTTP form method to use for finding the input for this form. * May be 'post' or 'get'. Defaults to 'post'. Note that 'get' method * forms do not use form ids so are always considered to be submitted, which * can have unexpected effects. The 'get' method should only be used on * forms that do not change data, as that is exclusively the domain of * 'post.' * - cache: If set to TRUE the original, unprocessed form structure will be * cached, which allows the entire form to be rebuilt from cache. A typical * form workflow involves two page requests; first, a form is built and * rendered for the user to fill in. Then, the user fills the form in and * submits it, triggering a second page request in which the form must be * built and processed. By default, $form and $form_state are built from * scratch during each of these page requests. Often, it is necessary or * desired to persist the $form and $form_state variables from the initial * page request to the one that processes the submission. 'cache' can be set * to TRUE to do this. A prominent example is an Ajax-enabled form, in which * ajax_process_form() enables form caching for all forms that include an * element with the #ajax property. (The Ajax handler has no way to build * the form itself, so must rely on the cached version.) Note that the * persistence of $form and $form_state happens automatically for * (multi-step) forms having the 'rebuild' flag set, regardless of the value * for 'cache'. * - no_cache: If set to TRUE the form will NOT be cached, even if 'cache' is * set. * - values: An associative array of values submitted to the form. The * validation functions and submit functions use this array for nearly all * their decision making. (Note that #tree determines whether the values are * a flat array or an array whose structure parallels the $form array. See * @link forms_api_reference.html Form API reference @endlink for more * information.) These are raw and unvalidated, so should not be used * without a thorough understanding of security implications. In almost all * cases, code should use the data in the 'values' array exclusively. The * most common use of this key is for multi-step forms that need to clear * some of the user input when setting 'rebuild'. The values correspond to * $_POST or $_GET, depending on the 'method' chosen. * - always_process: If TRUE and the method is GET, a form_id is not * necessary. This should only be used on RESTful GET forms that do NOT * write data, as this could lead to security issues. It is useful so that * searches do not need to have a form_id in their query arguments to * trigger the search. * - must_validate: Ordinarily, a form is only validated once, but there are * times when a form is resubmitted internally and should be validated * again. Setting this to TRUE will force that to happen. This is most * likely to occur during Ajax operations. * - programmed: If TRUE, the form was submitted programmatically, usually * invoked via drupal_form_submit(). Defaults to FALSE. * - programmed_bypass_access_check: If TRUE, programmatic form submissions * are processed without taking #access into account. Set this to FALSE * when submitting a form programmatically with values that may have been * input by the user executing the current request; this will cause #access * to be respected as it would on a normal form submission. Defaults to * TRUE. * - process_input: Boolean flag. TRUE signifies correct form submission. * This is always TRUE for programmed forms coming from drupal_form_submit() * (see 'programmed' key), or if the form_id coming from the $_POST data is * set and matches the current form_id. * - submitted: If TRUE, the form has been submitted. Defaults to FALSE. * - executed: If TRUE, the form was submitted and has been processed and * executed. Defaults to FALSE. * - triggering_element: (read-only) The form element that triggered * submission. This is the same as the deprecated * $form_state['clicked_button']. It is the element that caused submission, * which may or may not be a button (in the case of Ajax forms). This key is * often used to distinguish between various buttons in a submit handler, * and is also used in Ajax handlers. * - clicked_button: Deprecated. Use triggering_element instead. * - has_file_element: Internal. If TRUE, there is a file element and Form API * will set the appropriate 'enctype' HTML attribute on the form. * - groups: Internal. An array containing references to fieldsets to render * them within vertical tabs. * - storage: $form_state['storage'] is not a special key, and no specific * support is provided for it in the Form API. By tradition it was * the location where application-specific data was stored for communication * between the submit, validation, and form builder functions, especially * in a multi-step-style form. Form implementations may use any key(s) * within $form_state (other than the keys listed here and other reserved * ones used by Form API internals) for this kind of storage. The * recommended way to ensure that the chosen key doesn't conflict with ones * used by the Form API or other modules is to use the module name as the * key name or a prefix for the key name. For example, the Node module uses * $form_state['node'] in node editing forms to store information about the * node being edited, and this information stays available across successive * clicks of the "Preview" button as well as when the "Save" button is * finally clicked. * - buttons: A list containing copies of all submit and button elements in * the form. * - complete form: A reference to the $form variable containing the complete * form structure. #process, #after_build, #element_validate, and other * handlers being invoked on a form element may use this reference to access * other information in the form the element is contained in. * - temporary: An array holding temporary data accessible during the current * page request only. All $form_state properties that are not reserved keys * (see form_state_keys_no_cache()) persist throughout a multistep form * sequence. Form API provides this key for modules to communicate * information across form-related functions during a single page request. * It may be used to temporarily save data that does not need to or should * not be cached during the whole form workflow; e.g., data that needs to be * accessed during the current form build process only. There is no use-case * for this functionality in Drupal core. * - wrapper_callback: Modules that wish to pre-populate certain forms with * common elements, such as back/next/save buttons in multi-step form * wizards, may define a form builder function name that returns a form * structure, which is passed on to the actual form builder function. * Such implementations may either define the 'wrapper_callback' via * hook_forms() or have to invoke drupal_build_form() (instead of * drupal_get_form()) on their own in a custom menu callback to prepare * $form_state accordingly. * Information on how certain $form_state properties control redirection * behavior after form submission may be found in drupal_redirect_form(). * * @return * The rendered form. This function may also perform a redirect and hence may * not return at all, depending upon the $form_state flags that were set. * * @see drupal_redirect_form() */ function drupal_build_form($form_id, &$form_state) { // Ensure some defaults; if already set they will not be overridden. $form_state += form_state_defaults(); if (!isset($form_state['input'])) { $form_state['input'] = $form_state['method'] == 'get' ? $_GET : $_POST; } if (isset($_SESSION['batch_form_state'])) { // We've been redirected here after a batch processing. The form has // already been processed, but needs to be rebuilt. See _batch_finished(). $form_state = $_SESSION['batch_form_state']; unset($_SESSION['batch_form_state']); return drupal_rebuild_form($form_id, $form_state); } // If the incoming input contains a form_build_id, we'll check the cache for a // copy of the form in question. If it's there, we don't have to rebuild the // form to proceed. In addition, if there is stored form_state data from a // previous step, we'll retrieve it so it can be passed on to the form // processing code. $check_cache = isset($form_state['input']['form_id']) && $form_state['input']['form_id'] == $form_id && !empty($form_state['input']['form_build_id']); if ($check_cache) { $form = form_get_cache($form_state['input']['form_build_id'], $form_state); } // If the previous bit of code didn't result in a populated $form object, we // are hitting the form for the first time and we need to build it from // scratch. if (!isset($form)) { // If we attempted to serve the form from cache, uncacheable $form_state // keys need to be removed after retrieving and preparing the form, except // any that were already set prior to retrieving the form. if ($check_cache) { $form_state_before_retrieval = $form_state; } $form = drupal_retrieve_form($form_id, $form_state); drupal_prepare_form($form_id, $form, $form_state); // form_set_cache() removes uncacheable $form_state keys defined in // form_state_keys_no_cache() in order for multi-step forms to work // properly. This means that form processing logic for single-step forms // using $form_state['cache'] may depend on data stored in those keys // during drupal_retrieve_form()/drupal_prepare_form(), but form // processing should not depend on whether the form is cached or not, so // $form_state is adjusted to match what it would be after a // form_set_cache()/form_get_cache() sequence. These exceptions are // allowed to survive here: // - always_process: Does not make sense in conjunction with form caching // in the first place, since passing form_build_id as a GET parameter is // not desired. // - temporary: Any assigned data is expected to survives within the same // page request. if ($check_cache) { $uncacheable_keys = array_flip(array_diff(form_state_keys_no_cache(), array('always_process', 'temporary'))); $form_state = array_diff_key($form_state, $uncacheable_keys); $form_state += $form_state_before_retrieval; } } // Now that we have a constructed form, process it. This is where: // - Element #process functions get called to further refine $form. // - User input, if any, gets incorporated in the #value property of the // corresponding elements and into $form_state['values']. // - Validation and submission handlers are called. // - If this submission is part of a multistep workflow, the form is rebuilt // to contain the information of the next step. // - If necessary, the form and form state are cached or re-cached, so that // appropriate information persists to the next page request. // All of the handlers in the pipeline receive $form_state by reference and // can use it to know or update information about the state of the form. drupal_process_form($form_id, $form, $form_state); // If this was a successful submission of a single-step form or the last step // of a multi-step form, then drupal_process_form() issued a redirect to // another page, or back to this page, but as a new request. Therefore, if // we're here, it means that this is either a form being viewed initially // before any user input, or there was a validation error requiring the form // to be re-displayed, or we're in a multi-step workflow and need to display // the form's next step. In any case, we have what we need in $form, and can // return it for rendering. return $form; } /** * Retrieves default values for the $form_state array. */ function form_state_defaults() { return array( 'rebuild' => FALSE, 'rebuild_info' => array(), 'redirect' => NULL, // @todo 'args' is usually set, so no other default 'build_info' keys are // appended via += form_state_defaults(). 'build_info' => array( 'args' => array(), 'files' => array(), ), 'temporary' => array(), 'submitted' => FALSE, 'executed' => FALSE, 'programmed' => FALSE, 'programmed_bypass_access_check' => TRUE, 'cache'=> FALSE, 'method' => 'post', 'groups' => array(), 'buttons' => array(), ); } /** * Constructs a new $form from the information in $form_state. * * This is the key function for making multi-step forms advance from step to * step. It is called by drupal_process_form() when all user input processing, * including calling validation and submission handlers, for the request is * finished. If a validate or submit handler set $form_state['rebuild'] to TRUE, * and if other conditions don't preempt a rebuild from happening, then this * function is called to generate a new $form, the next step in the form * workflow, to be returned for rendering. * * Ajax form submissions are almost always multi-step workflows, so that is one * common use-case during which form rebuilding occurs. See ajax_form_callback() * for more information about creating Ajax-enabled forms. * * @param $form_id * The unique string identifying the desired form. If a function * with that name exists, it is called to build the form array. * Modules that need to generate the same form (or very similar forms) * using different $form_ids can implement hook_forms(), which maps * different $form_id values to the proper form constructor function. Examples * may be found in node_forms() and search_forms(). * @param $form_state * A keyed array containing the current state of the form. * @param $old_form * (optional) A previously built $form. Used to retain the #build_id and * #action properties in Ajax callbacks and similar partial form rebuilds. The * only properties copied from $old_form are the ones which both exist in * $old_form and for which $form_state['rebuild_info']['copy'][PROPERTY] is * TRUE. If $old_form is not passed, the entire $form is rebuilt freshly. * 'rebuild_info' needs to be a separate top-level property next to * 'build_info', since the contained data must not be cached. * * @return * The newly built form. * * @see drupal_process_form() * @see ajax_form_callback() */ function drupal_rebuild_form($form_id, &$form_state, $old_form = NULL) { $form = drupal_retrieve_form($form_id, $form_state); // If only parts of the form will be returned to the browser (e.g., Ajax or // RIA clients), or if the form already had a new build ID regenerated when it // was retrieved from the form cache, reuse the existing #build_id. // Otherwise, a new #build_id is generated, to not clobber the previous // build's data in the form cache; also allowing the user to go back to an // earlier build, make changes, and re-submit. // @see drupal_prepare_form() $enforce_old_build_id = isset($old_form['#build_id']) && !empty($form_state['rebuild_info']['copy']['#build_id']); $old_form_is_mutable_copy = isset($old_form['#build_id_old']); if ($enforce_old_build_id || $old_form_is_mutable_copy) { $form['#build_id'] = $old_form['#build_id']; if ($old_form_is_mutable_copy) { $form['#build_id_old'] = $old_form['#build_id_old']; } } else { if (isset($old_form['#build_id'])) { $form['#build_id_old'] = $old_form['#build_id']; } $form['#build_id'] = 'form-' . drupal_random_key(); } // #action defaults to request_uri(), but in case of Ajax and other partial // rebuilds, the form is submitted to an alternate URL, and the original // #action needs to be retained. if (isset($old_form['#action']) && !empty($form_state['rebuild_info']['copy']['#action'])) { $form['#action'] = $old_form['#action']; } drupal_prepare_form($form_id, $form, $form_state); // Caching is normally done in drupal_process_form(), but what needs to be // cached is the $form structure before it passes through form_builder(), // so we need to do it here. // @todo For Drupal 8, find a way to avoid this code duplication. if (empty($form_state['no_cache'])) { form_set_cache($form['#build_id'], $form, $form_state); } // Clear out all group associations as these might be different when // re-rendering the form. $form_state['groups'] = array(); // Return a fully built form that is ready for rendering. return form_builder($form_id, $form, $form_state); } /** * Fetches a form from cache. */ function form_get_cache($form_build_id, &$form_state) { if ($cached = cache_get('form_' . $form_build_id, 'cache_form')) { $form = $cached->data; global $user; if ((isset($form['#cache_token']) && drupal_valid_token($form['#cache_token'])) || (!isset($form['#cache_token']) && !$user->uid)) { if ($cached = cache_get('form_state_' . $form_build_id, 'cache_form')) { // Re-populate $form_state for subsequent rebuilds. $form_state = $cached->data + $form_state; // If the original form is contained in include files, load the files. // @see form_load_include() $form_state['build_info'] += array('files' => array()); foreach ($form_state['build_info']['files'] as $file) { if (is_array($file)) { $file += array('type' => 'inc', 'name' => $file['module']); module_load_include($file['type'], $file['module'], $file['name']); } elseif (file_exists($file)) { require_once DRUPAL_ROOT . '/' . $file; } } } // Generate a new #build_id if the cached form was rendered on a cacheable // page. if (!empty($form_state['build_info']['immutable'])) { $form['#build_id_old'] = $form['#build_id']; $form['#build_id'] = 'form-' . drupal_random_key(); $form['form_build_id']['#value'] = $form['#build_id']; $form['form_build_id']['#id'] = $form['#build_id']; unset($form_state['build_info']['immutable']); } return $form; } } } /** * Stores a form in the cache. */ function form_set_cache($form_build_id, $form, $form_state) { // The default cache_form expiration is 6 hours. On busy sites, the cache_form // table can become very large. A shorter cache lifetime can help to keep the // table's size under control. $expire = variable_get('form_cache_expiration', 21600); // Ensure that the form build_id embedded in the form structure is the same as // the one passed in as a parameter. This is an additional safety measure to // prevent legacy code operating directly with form_get_cache and // form_set_cache from accidentally overwriting immutable form state. if ($form['#build_id'] != $form_build_id) { watchdog('form', 'Form build-id mismatch detected while attempting to store a form in the cache.', array(), WATCHDOG_ERROR); return; } // Cache form structure. if (isset($form)) { if ($GLOBALS['user']->uid) { $form['#cache_token'] = drupal_get_token(); } unset($form['#build_id_old']); cache_set('form_' . $form_build_id, $form, 'cache_form', REQUEST_TIME + $expire); } // Cache form state. if (variable_get('cache', 0) && drupal_page_is_cacheable()) { $form_state['build_info']['immutable'] = TRUE; } if ($data = array_diff_key($form_state, array_flip(form_state_keys_no_cache()))) { cache_set('form_state_' . $form_build_id, $data, 'cache_form', REQUEST_TIME + $expire); } } /** * Returns an array of $form_state keys that shouldn't be cached. */ function form_state_keys_no_cache() { return array( // Public properties defined by form constructors and form handlers. 'always_process', 'must_validate', 'rebuild', 'rebuild_info', 'redirect', 'no_redirect', 'temporary', // Internal properties defined by form processing. 'buttons', 'triggering_element', 'clicked_button', 'complete form', 'groups', 'input', 'method', 'submit_handlers', 'submitted', 'executed', 'validate_handlers', 'values', ); } /** * Ensures an include file is loaded whenever the form is processed. * * Example: * @code * // Load node.admin.inc from Node module. * form_load_include($form_state, 'inc', 'node', 'node.admin'); * @endcode * * Use this function instead of module_load_include() from inside a form * constructor or any form processing logic as it ensures that the include file * is loaded whenever the form is processed. In contrast to using * module_load_include() directly, form_load_include() makes sure the include * file is correctly loaded also if the form is cached. * * @param $form_state * The current state of the form. * @param $type * The include file's type (file extension). * @param $module * The module to which the include file belongs. * @param $name * (optional) The base file name (without the $type extension). If omitted, * $module is used; i.e., resulting in "$module.$type" by default. * * @return * The filepath of the loaded include file, or FALSE if the include file was * not found or has been loaded already. * * @see module_load_include() */ function form_load_include(&$form_state, $type, $module, $name = NULL) { if (!isset($name)) { $name = $module; } if (!isset($form_state['build_info']['files']["$module:$name.$type"])) { // Only add successfully included files to the form state. if ($result = module_load_include($type, $module, $name)) { $form_state['build_info']['files']["$module:$name.$type"] = array( 'type' => $type, 'module' => $module, 'name' => $name, ); return $result; } } return FALSE; } /** * Retrieves, populates, and processes a form. * * This function allows you to supply values for form elements and submit a * form for processing. Compare to drupal_get_form(), which also builds and * processes a form, but does not allow you to supply values. * * There is no return value, but you can check to see if there are errors * by calling form_get_errors(). * * @param $form_id * The unique string identifying the desired form. If a function * with that name exists, it is called to build the form array. * Modules that need to generate the same form (or very similar forms) * using different $form_ids can implement hook_forms(), which maps * different $form_id values to the proper form constructor function. Examples * may be found in node_forms() and search_forms(). * @param $form_state * A keyed array containing the current state of the form. Most important is * the $form_state['values'] collection, a tree of data used to simulate the * incoming $_POST information from a user's form submission. If a key is not * filled in $form_state['values'], then the default value of the respective * element is used. To submit an unchecked checkbox or other control that * browsers submit by not having a $_POST entry, include the key, but set the * value to NULL. * @param ... * Any additional arguments are passed on to the functions called by * drupal_form_submit(), including the unique form constructor function. * For example, the node_edit form requires that a node object be passed * in here when it is called. Arguments that need to be passed by reference * should not be included here, but rather placed directly in the $form_state * build info array so that the reference can be preserved. For example, a * form builder function with the following signature: * @code * function mymodule_form($form, &$form_state, &$object) { * } * @endcode * would be called via drupal_form_submit() as follows: * @code * $form_state['values'] = $my_form_values; * $form_state['build_info']['args'] = array(&$object); * drupal_form_submit('mymodule_form', $form_state); * @endcode * For example: * @code * // register a new user * $form_state = array(); * $form_state['values']['name'] = 'robo-user'; * $form_state['values']['mail'] = 'robouser@example.com'; * $form_state['values']['pass']['pass1'] = 'password'; * $form_state['values']['pass']['pass2'] = 'password'; * $form_state['values']['op'] = t('Create new account'); * drupal_form_submit('user_register_form', $form_state); * @endcode */ function drupal_form_submit($form_id, &$form_state) { if (!isset($form_state['build_info']['args'])) { $args = func_get_args(); array_shift($args); array_shift($args); $form_state['build_info']['args'] = $args; } // Merge in default values. $form_state += form_state_defaults(); // Populate $form_state['input'] with the submitted values before retrieving // the form, to be consistent with what drupal_build_form() does for // non-programmatic submissions (form builder functions may expect it to be // there). $form_state['input'] = $form_state['values']; $form_state['programmed'] = TRUE; $form = drupal_retrieve_form($form_id, $form_state); // Programmed forms are always submitted. $form_state['submitted'] = TRUE; // Reset form validation. $form_state['must_validate'] = TRUE; form_clear_error(); drupal_prepare_form($form_id, $form, $form_state); drupal_process_form($form_id, $form, $form_state); } /** * Retrieves the structured array that defines a given form. * * @param $form_id * The unique string identifying the desired form. If a function * with that name exists, it is called to build the form array. * Modules that need to generate the same form (or very similar forms) * using different $form_ids can implement hook_forms(), which maps * different $form_id values to the proper form constructor function. * @param $form_state * A keyed array containing the current state of the form, including the * additional arguments to drupal_get_form() or drupal_form_submit() in the * 'args' component of the array. */ function drupal_retrieve_form($form_id, &$form_state) { $forms = &drupal_static(__FUNCTION__); // Record the $form_id. $form_state['build_info']['form_id'] = $form_id; // Record the filepath of the include file containing the original form, so // the form builder callbacks can be loaded when the form is being rebuilt // from cache on a different path (such as 'system/ajax'). See // form_get_cache(). Don't do this in maintenance mode as Drupal may not be // fully bootstrapped (i.e. during installation) in which case // menu_get_item() is not available. if (!isset($form_state['build_info']['files']['menu']) && !defined('MAINTENANCE_MODE')) { $item = menu_get_item(); if (!empty($item['include_file'])) { // Do not use form_load_include() here, as the file is already loaded. // Anyway, form_get_cache() is able to handle filepaths too. $form_state['build_info']['files']['menu'] = $item['include_file']; } } // We save two copies of the incoming arguments: one for modules to use // when mapping form ids to constructor functions, and another to pass to // the constructor function itself. $args = $form_state['build_info']['args']; // We first check to see if there's a function named after the $form_id. // If there is, we simply pass the arguments on to it to get the form. if (!function_exists($form_id)) { // In cases where many form_ids need to share a central constructor function, // such as the node editing form, modules can implement hook_forms(). It // maps one or more form_ids to the correct constructor functions. // // We cache the results of that hook to save time, but that only works // for modules that know all their form_ids in advance. (A module that // adds a small 'rate this comment' form to each comment in a list // would need a unique form_id for each one, for example.) // // So, we call the hook if $forms isn't yet populated, OR if it doesn't // yet have an entry for the requested form_id. if (!isset($forms) || !isset($forms[$form_id])) { $forms = module_invoke_all('forms', $form_id, $args); } $form_definition = $forms[$form_id]; if (isset($form_definition['callback arguments'])) { $args = array_merge($form_definition['callback arguments'], $args); } if (isset($form_definition['callback'])) { $callback = $form_definition['callback']; $form_state['build_info']['base_form_id'] = isset($form_definition['base_form_id']) ? $form_definition['base_form_id'] : $callback; } // In case $form_state['wrapper_callback'] is not defined already, we also // allow hook_forms() to define one. if (!isset($form_state['wrapper_callback']) && isset($form_definition['wrapper_callback'])) { $form_state['wrapper_callback'] = $form_definition['wrapper_callback']; } } $form = array(); // We need to pass $form_state by reference in order for forms to modify it, // since call_user_func_array() requires that referenced variables are passed // explicitly. $args = array_merge(array($form, &$form_state), $args); // When the passed $form_state (not using drupal_get_form()) defines a // 'wrapper_callback', then it requests to invoke a separate (wrapping) form // builder function to pre-populate the $form array with form elements, which // the actual form builder function ($callback) expects. This allows for // pre-populating a form with common elements for certain forms, such as // back/next/save buttons in multi-step form wizards. See drupal_build_form(). if (isset($form_state['wrapper_callback']) && is_callable($form_state['wrapper_callback'])) { $form = call_user_func_array($form_state['wrapper_callback'], $args); // Put the prepopulated $form into $args. $args[0] = $form; } // If $callback was returned by a hook_forms() implementation, call it. // Otherwise, call the function named after the form id. $form = call_user_func_array(isset($callback) ? $callback : $form_id, $args); $form['#form_id'] = $form_id; return $form; } /** * Processes a form submission. * * This function is the heart of form API. The form gets built, validated and in * appropriate cases, submitted and rebuilt. * * @param $form_id * The unique string identifying the current form. * @param $form * An associative array containing the structure of the form. * @param $form_state * A keyed array containing the current state of the form. This * includes the current persistent storage data for the form, and * any data passed along by earlier steps when displaying a * multi-step form. Additional information, like the sanitized $_POST * data, is also accumulated here. */ function drupal_process_form($form_id, &$form, &$form_state) { $form_state['values'] = array(); // With $_GET, these forms are always submitted if requested. if ($form_state['method'] == 'get' && !empty($form_state['always_process'])) { if (!isset($form_state['input']['form_build_id'])) { $form_state['input']['form_build_id'] = $form['#build_id']; } if (!isset($form_state['input']['form_id'])) { $form_state['input']['form_id'] = $form_id; } if (!isset($form_state['input']['form_token']) && isset($form['#token'])) { $form_state['input']['form_token'] = drupal_get_token($form['#token']); } } // form_builder() finishes building the form by calling element #process // functions and mapping user input, if any, to #value properties, and also // storing the values in $form_state['values']. We need to retain the // unprocessed $form in case it needs to be cached. $unprocessed_form = $form; $form = form_builder($form_id, $form, $form_state); // Only process the input if we have a correct form submission. if ($form_state['process_input']) { drupal_validate_form($form_id, $form, $form_state); // drupal_html_id() maintains a cache of element IDs it has seen, // so it can prevent duplicates. We want to be sure we reset that // cache when a form is processed, so scenarios that result in // the form being built behind the scenes and again for the // browser don't increment all the element IDs needlessly. if (!form_get_errors()) { // In case of errors, do not break HTML IDs of other forms. drupal_static_reset('drupal_html_id'); } if ($form_state['submitted'] && !form_get_errors() && !$form_state['rebuild']) { // Execute form submit handlers. form_execute_handlers('submit', $form, $form_state); // We'll clear out the cached copies of the form and its stored data // here, as we've finished with them. The in-memory copies are still // here, though. if (!variable_get('cache', 0) && !empty($form_state['values']['form_build_id'])) { cache_clear_all('form_' . $form_state['values']['form_build_id'], 'cache_form'); cache_clear_all('form_state_' . $form_state['values']['form_build_id'], 'cache_form'); } // If batches were set in the submit handlers, we process them now, // possibly ending execution. We make sure we do not react to the batch // that is already being processed (if a batch operation performs a // drupal_form_submit). if ($batch =& batch_get() && !isset($batch['current_set'])) { // Store $form_state information in the batch definition. // We need the full $form_state when either: // - Some submit handlers were saved to be called during batch // processing. See form_execute_handlers(). // - The form is multistep. // In other cases, we only need the information expected by // drupal_redirect_form(). if ($batch['has_form_submits'] || !empty($form_state['rebuild'])) { $batch['form_state'] = $form_state; } else { $batch['form_state'] = array_intersect_key($form_state, array_flip(array('programmed', 'rebuild', 'storage', 'no_redirect', 'redirect'))); } $batch['progressive'] = !$form_state['programmed']; batch_process(); // Execution continues only for programmatic forms. // For 'regular' forms, we get redirected to the batch processing // page. Form redirection will be handled in _batch_finished(), // after the batch is processed. } // Set a flag to indicate that the form has been processed and executed. $form_state['executed'] = TRUE; // Redirect the form based on values in $form_state. drupal_redirect_form($form_state); } // Don't rebuild or cache form submissions invoked via drupal_form_submit(). if (!empty($form_state['programmed'])) { return; } // If $form_state['rebuild'] has been set and input has been processed // without validation errors, we are in a multi-step workflow that is not // yet complete. A new $form needs to be constructed based on the changes // made to $form_state during this request. Normally, a submit handler sets // $form_state['rebuild'] if a fully executed form requires another step. // However, for forms that have not been fully executed (e.g., Ajax // submissions triggered by non-buttons), there is no submit handler to set // $form_state['rebuild']. It would not make sense to redisplay the // identical form without an error for the user to correct, so we also // rebuild error-free non-executed forms, regardless of // $form_state['rebuild']. // @todo D8: Simplify this logic; considering Ajax and non-HTML front-ends, // along with element-level #submit properties, it makes no sense to have // divergent form execution based on whether the triggering element has // #executes_submit_callback set to TRUE. if (($form_state['rebuild'] || !$form_state['executed']) && !form_get_errors()) { // Form building functions (e.g., _form_builder_handle_input_element()) // may use $form_state['rebuild'] to determine if they are running in the // context of a rebuild, so ensure it is set. $form_state['rebuild'] = TRUE; $form = drupal_rebuild_form($form_id, $form_state, $form); } } // After processing the form, the form builder or a #process callback may // have set $form_state['cache'] to indicate that the form and form state // shall be cached. But the form may only be cached if the 'no_cache' property // is not set to TRUE. Only cache $form as it was prior to form_builder(), // because form_builder() must run for each request to accommodate new user // input. Rebuilt forms are not cached here, because drupal_rebuild_form() // already takes care of that. if (!$form_state['rebuild'] && $form_state['cache'] && empty($form_state['no_cache'])) { form_set_cache($form['#build_id'], $unprocessed_form, $form_state); } } /** * Prepares a structured form array. * * Adds required elements, executes any hook_form_alter functions, and * optionally inserts a validation token to prevent tampering. * * @param $form_id * A unique string identifying the form for validation, submission, * theming, and hook_form_alter functions. * @param $form * An associative array containing the structure of the form. * @param $form_state * A keyed array containing the current state of the form. Passed * in here so that hook_form_alter() calls can use it, as well. */ function drupal_prepare_form($form_id, &$form, &$form_state) { global $user; $form['#type'] = 'form'; $form_state['programmed'] = isset($form_state['programmed']) ? $form_state['programmed'] : FALSE; // Fix the form method, if it is 'get' in $form_state, but not in $form. if ($form_state['method'] == 'get' && !isset($form['#method'])) { $form['#method'] = 'get'; } // Generate a new #build_id for this form, if none has been set already. The // form_build_id is used as key to cache a particular build of the form. For // multi-step forms, this allows the user to go back to an earlier build, make // changes, and re-submit. // @see drupal_build_form() // @see drupal_rebuild_form() if (!isset($form['#build_id'])) { $form['#build_id'] = 'form-' . drupal_random_key(); } $form['form_build_id'] = array( '#type' => 'hidden', '#value' => $form['#build_id'], '#id' => $form['#build_id'], '#name' => 'form_build_id', // Form processing and validation requires this value, so ensure the // submitted form value appears literally, regardless of custom #tree // and #parents being set elsewhere. '#parents' => array('form_build_id'), ); // Add a token, based on either #token or form_id, to any form displayed to // authenticated users. This ensures that any submitted form was actually // requested previously by the user and protects against cross site request // forgeries. // This does not apply to programmatically submitted forms. Furthermore, since // tokens are session-bound and forms displayed to anonymous users are very // likely cached, we cannot assign a token for them. // During installation, there is no $user yet. if (!empty($user->uid) && !$form_state['programmed']) { // Form constructors may explicitly set #token to FALSE when cross site // request forgery is irrelevant to the form, such as search forms. if (isset($form['#token']) && $form['#token'] === FALSE) { unset($form['#token']); } // Otherwise, generate a public token based on the form id. else { $form['#token'] = $form_id; $form['form_token'] = array( '#id' => drupal_html_id('edit-' . $form_id . '-form-token'), '#type' => 'token', '#default_value' => drupal_get_token($form['#token']), // Form processing and validation requires this value, so ensure the // submitted form value appears literally, regardless of custom #tree // and #parents being set elsewhere. '#parents' => array('form_token'), ); } } if (isset($form_id)) { $form['form_id'] = array( '#type' => 'hidden', '#value' => $form_id, '#id' => drupal_html_id("edit-$form_id"), // Form processing and validation requires this value, so ensure the // submitted form value appears literally, regardless of custom #tree // and #parents being set elsewhere. '#parents' => array('form_id'), ); } if (!isset($form['#id'])) { $form['#id'] = drupal_html_id($form_id); } $form += element_info('form'); $form += array('#tree' => FALSE, '#parents' => array()); if (!isset($form['#validate'])) { // Ensure that modules can rely on #validate being set. $form['#validate'] = array(); // Check for a handler specific to $form_id. if (function_exists($form_id . '_validate')) { $form['#validate'][] = $form_id . '_validate'; } // Otherwise check whether this is a shared form and whether there is a // handler for the shared $form_id. elseif (isset($form_state['build_info']['base_form_id']) && function_exists($form_state['build_info']['base_form_id'] . '_validate')) { $form['#validate'][] = $form_state['build_info']['base_form_id'] . '_validate'; } } if (!isset($form['#submit'])) { // Ensure that modules can rely on #submit being set. $form['#submit'] = array(); // Check for a handler specific to $form_id. if (function_exists($form_id . '_submit')) { $form['#submit'][] = $form_id . '_submit'; } // Otherwise check whether this is a shared form and whether there is a // handler for the shared $form_id. elseif (isset($form_state['build_info']['base_form_id']) && function_exists($form_state['build_info']['base_form_id'] . '_submit')) { $form['#submit'][] = $form_state['build_info']['base_form_id'] . '_submit'; } } // If no #theme has been set, automatically apply theme suggestions. // theme_form() itself is in #theme_wrappers and not #theme. Therefore, the // #theme function only has to care for rendering the inner form elements, // not the form itself. if (!isset($form['#theme'])) { $form['#theme'] = array($form_id); if (isset($form_state['build_info']['base_form_id'])) { $form['#theme'][] = $form_state['build_info']['base_form_id']; } } // Invoke hook_form_alter(), hook_form_BASE_FORM_ID_alter(), and // hook_form_FORM_ID_alter() implementations. $hooks = array('form'); if (isset($form_state['build_info']['base_form_id'])) { $hooks[] = 'form_' . $form_state['build_info']['base_form_id']; } $hooks[] = 'form_' . $form_id; drupal_alter($hooks, $form, $form_state, $form_id); } /** * Helper function to call form_set_error() if there is a token error. */ function _drupal_invalid_token_set_form_error() { // Setting this error will cause the form to fail validation. form_set_error('form_token', t('The form has become outdated. Press the back button, copy any unsaved work in the form, and then reload the page.')); } /** * Validates user-submitted form data in the $form_state array. * * @param $form_id * A unique string identifying the form for validation, submission, * theming, and hook_form_alter functions. * @param $form * An associative array containing the structure of the form, which is passed * by reference. Form validation handlers are able to alter the form structure * (like #process and #after_build callbacks during form building) in case of * a validation error. If a validation handler alters the form structure, it * is responsible for validating the values of changed form elements in * $form_state['values'] to prevent form submit handlers from receiving * unvalidated values. * @param $form_state * A keyed array containing the current state of the form. The current * user-submitted data is stored in $form_state['values'], though * form validation functions are passed an explicit copy of the * values for the sake of simplicity. Validation handlers can also use * $form_state to pass information on to submit handlers. For example: * $form_state['data_for_submission'] = $data; * This technique is useful when validation requires file parsing, * web service requests, or other expensive requests that should * not be repeated in the submission step. */ function drupal_validate_form($form_id, &$form, &$form_state) { $validated_forms = &drupal_static(__FUNCTION__, array()); if (isset($validated_forms[$form_id]) && empty($form_state['must_validate'])) { return; } // If the session token was set by drupal_prepare_form(), ensure that it // matches the current user's session. This is duplicate to code in // form_builder() but left to protect any custom form handling code. if (!empty($form['#token'])) { if (!drupal_valid_token($form_state['values']['form_token'], $form['#token']) || !empty($form_state['invalid_token'])) { _drupal_invalid_token_set_form_error(); // Ignore all submitted values. $form_state['input'] = array(); $_POST = array(); // Make sure file uploads do not get processed. $_FILES = array(); // Stop here and don't run any further validation handlers, because they // could invoke non-safe operations which opens the door for CSRF // vulnerabilities. $validated_forms[$form_id] = TRUE; return; } } _form_validate($form, $form_state, $form_id); $validated_forms[$form_id] = TRUE; // If validation errors are limited then remove any non validated form values, // so that only values that passed validation are left for submit callbacks. if (isset($form_state['triggering_element']['#limit_validation_errors']) && $form_state['triggering_element']['#limit_validation_errors'] !== FALSE) { $values = array(); foreach ($form_state['triggering_element']['#limit_validation_errors'] as $section) { // If the section exists within $form_state['values'], even if the value // is NULL, copy it to $values. $section_exists = NULL; $value = drupal_array_get_nested_value($form_state['values'], $section, $section_exists); if ($section_exists) { drupal_array_set_nested_value($values, $section, $value); } } // A button's #value does not require validation, so for convenience we // allow the value of the clicked button to be retained in its normal // $form_state['values'] locations, even if these locations are not included // in #limit_validation_errors. if (isset($form_state['triggering_element']['#button_type'])) { $button_value = $form_state['triggering_element']['#value']; // Like all input controls, the button value may be in the location // dictated by #parents. If it is, copy it to $values, but do not override // what may already be in $values. $parents = $form_state['triggering_element']['#parents']; if (!drupal_array_nested_key_exists($values, $parents) && drupal_array_get_nested_value($form_state['values'], $parents) === $button_value) { drupal_array_set_nested_value($values, $parents, $button_value); } // Additionally, form_builder() places the button value in // $form_state['values'][BUTTON_NAME]. If it's still there, after // validation handlers have run, copy it to $values, but do not override // what may already be in $values. $name = $form_state['triggering_element']['#name']; if (!isset($values[$name]) && isset($form_state['values'][$name]) && $form_state['values'][$name] === $button_value) { $values[$name] = $button_value; } } $form_state['values'] = $values; } } /** * Redirects the user to a URL after a form has been processed. * * After a form is submitted and processed, normally the user should be * redirected to a new destination page. This function figures out what that * destination should be, based on the $form_state array and the 'destination' * query string in the request URL, and redirects the user there. * * Usually (for exceptions, see below) $form_state['redirect'] determines where * to redirect the user. This can be set either to a string (the path to * redirect to), or an array of arguments for drupal_goto(). If * $form_state['redirect'] is missing, the user is usually (again, see below for * exceptions) redirected back to the page they came from, where they should see * a fresh, unpopulated copy of the form. * * Here is an example of how to set up a form to redirect to the path 'node': * @code * $form_state['redirect'] = 'node'; * @endcode * And here is an example of how to redirect to 'node/123?foo=bar#baz': * @code * $form_state['redirect'] = array( * 'node/123', * array( * 'query' => array( * 'foo' => 'bar', * ), * 'fragment' => 'baz', * ), * ); * @endcode * * There are several exceptions to the "usual" behavior described above: * - If $form_state['programmed'] is TRUE, the form submission was usually * invoked via drupal_form_submit(), so any redirection would break the script * that invoked drupal_form_submit() and no redirection is done. * - If $form_state['rebuild'] is TRUE, the form is being rebuilt, and no * redirection is done. * - If $form_state['no_redirect'] is TRUE, redirection is disabled. This is * set, for instance, by ajax_get_form() to prevent redirection in Ajax * callbacks. $form_state['no_redirect'] should never be set or altered by * form builder functions or form validation/submit handlers. * - If $form_state['redirect'] is set to FALSE, redirection is disabled. * - If none of the above conditions has prevented redirection, then the * redirect is accomplished by calling drupal_goto(), passing in the value of * $form_state['redirect'] if it is set, or the current path if it is * not. drupal_goto() preferentially uses the value of $_GET['destination'] * (the 'destination' URL query string) if it is present, so this will * override any values set by $form_state['redirect']. Note that during * installation, install_goto() is called in place of drupal_goto(). * * @param $form_state * An associative array containing the current state of the form. * * @see drupal_process_form() * @see drupal_build_form() */ function drupal_redirect_form($form_state) { // Skip redirection for form submissions invoked via drupal_form_submit(). if (!empty($form_state['programmed'])) { return; } // Skip redirection if rebuild is activated. if (!empty($form_state['rebuild'])) { return; } // Skip redirection if it was explicitly disallowed. if (!empty($form_state['no_redirect'])) { return; } // Only invoke drupal_goto() if redirect value was not set to FALSE. if (!isset($form_state['redirect']) || $form_state['redirect'] !== FALSE) { if (isset($form_state['redirect'])) { if (is_array($form_state['redirect'])) { call_user_func_array('drupal_goto', $form_state['redirect']); } else { // This function can be called from the installer, which guarantees // that $redirect will always be a string, so catch that case here // and use the appropriate redirect function. $function = drupal_installation_attempted() ? 'install_goto' : 'drupal_goto'; $function($form_state['redirect']); } } drupal_goto(current_path(), array('query' => drupal_get_query_parameters())); } } /** * Performs validation on form elements. * * First ensures required fields are completed, #maxlength is not exceeded, and * selected options were in the list of options given to the user. Then calls * user-defined validators. * * @param $elements * An associative array containing the structure of the form. * @param $form_state * A keyed array containing the current state of the form. The current * user-submitted data is stored in $form_state['values'], though * form validation functions are passed an explicit copy of the * values for the sake of simplicity. Validation handlers can also * $form_state to pass information on to submit handlers. For example: * $form_state['data_for_submission'] = $data; * This technique is useful when validation requires file parsing, * web service requests, or other expensive requests that should * not be repeated in the submission step. * @param $form_id * A unique string identifying the form for validation, submission, * theming, and hook_form_alter functions. */ function _form_validate(&$elements, &$form_state, $form_id = NULL) { // Also used in the installer, pre-database setup. $t = get_t(); // Recurse through all children. foreach (element_children($elements) as $key) { if (isset($elements[$key]) && $elements[$key]) { _form_validate($elements[$key], $form_state); } } // Validate the current input. if (!isset($elements['#validated']) || !$elements['#validated']) { // The following errors are always shown. if (isset($elements['#needs_validation'])) { // Verify that the value is not longer than #maxlength. if (isset($elements['#maxlength']) && (isset($elements['#value']) && !is_scalar($elements['#value']))) { form_error($elements, $t('An illegal value has been detected. Please contact the site administrator.')); } elseif (isset($elements['#maxlength']) && drupal_strlen($elements['#value']) > $elements['#maxlength']) { form_error($elements, $t('!name cannot be longer than %max characters but is currently %length characters long.', array('!name' => empty($elements['#title']) ? $elements['#parents'][0] : $elements['#title'], '%max' => $elements['#maxlength'], '%length' => drupal_strlen($elements['#value'])))); } if (isset($elements['#options']) && isset($elements['#value'])) { if ($elements['#type'] == 'select') { $options = form_options_flatten($elements['#options']); } else { $options = $elements['#options']; } if (is_array($elements['#value'])) { $value = in_array($elements['#type'], array('checkboxes', 'tableselect')) ? array_keys($elements['#value']) : $elements['#value']; foreach ($value as $v) { if (!isset($options[$v])) { form_error($elements, $t('An illegal choice has been detected. Please contact the site administrator.')); watchdog('form', 'Illegal choice %choice in !name element.', array('%choice' => $v, '!name' => empty($elements['#title']) ? $elements['#parents'][0] : $elements['#title']), WATCHDOG_ERROR); } } } // Non-multiple select fields always have a value in HTML. If the user // does not change the form, it will be the value of the first option. // Because of this, form validation for the field will almost always // pass, even if the user did not select anything. To work around this // browser behavior, required select fields without a #default_value get // an additional, first empty option. In case the submitted value is // identical to the empty option's value, we reset the element's value // to NULL to trigger the regular #required handling below. // @see form_process_select() elseif ($elements['#type'] == 'select' && $elements['#required'] && (!array_key_exists('#multiple', $elements) || !$elements['#multiple']) && !isset($elements['#default_value']) && $elements['#value'] === $elements['#empty_value']) { $elements['#value'] = NULL; form_set_value($elements, NULL, $form_state); } elseif (!isset($options[$elements['#value']])) { form_error($elements, $t('An illegal choice has been detected. Please contact the site administrator.')); watchdog('form', 'Illegal choice %choice in %name element.', array('%choice' => $elements['#value'], '%name' => empty($elements['#title']) ? $elements['#parents'][0] : $elements['#title']), WATCHDOG_ERROR); } } } // While this element is being validated, it may be desired that some calls // to form_set_error() be suppressed and not result in a form error, so // that a button that implements low-risk functionality (such as "Previous" // or "Add more") that doesn't require all user input to be valid can still // have its submit handlers triggered. The triggering element's // #limit_validation_errors property contains the information for which // errors are needed, and all other errors are to be suppressed. The // #limit_validation_errors property is ignored if submit handlers will run, // but the element doesn't have a #submit property, because it's too large a // security risk to have any invalid user input when executing form-level // submit handlers. if (isset($form_state['triggering_element']['#limit_validation_errors']) && ($form_state['triggering_element']['#limit_validation_errors'] !== FALSE) && !($form_state['submitted'] && !isset($form_state['triggering_element']['#submit']))) { form_set_error(NULL, '', $form_state['triggering_element']['#limit_validation_errors']); } // If submit handlers won't run (due to the submission having been triggered // by an element whose #executes_submit_callback property isn't TRUE), then // it's safe to suppress all validation errors, and we do so by default, // which is particularly useful during an Ajax submission triggered by a // non-button. An element can override this default by setting the // #limit_validation_errors property. For button element types, // #limit_validation_errors defaults to FALSE (via system_element_info()), // so that full validation is their default behavior. elseif (isset($form_state['triggering_element']) && !isset($form_state['triggering_element']['#limit_validation_errors']) && !$form_state['submitted']) { form_set_error(NULL, '', array()); } // As an extra security measure, explicitly turn off error suppression if // one of the above conditions wasn't met. Since this is also done at the // end of this function, doing it here is only to handle the rare edge case // where a validate handler invokes form processing of another form. else { drupal_static_reset('form_set_error:limit_validation_errors'); } // Make sure a value is passed when the field is required. if (isset($elements['#needs_validation']) && $elements['#required']) { // A simple call to empty() will not cut it here as some fields, like // checkboxes, can return a valid value of '0'. Instead, check the // length if it's a string, and the item count if it's an array. // An unchecked checkbox has a #value of integer 0, different than string // '0', which could be a valid value. $is_countable = is_array($elements['#value']) || $elements['#value'] instanceof Countable; $is_empty_multiple = $is_countable && count($elements['#value']) == 0; $is_empty_string = (is_string($elements['#value']) && drupal_strlen(trim($elements['#value'])) == 0); $is_empty_value = ($elements['#value'] === 0); $is_empty_null = is_null($elements['#value']); if ($is_empty_multiple || $is_empty_string || $is_empty_value || $is_empty_null) { // Although discouraged, a #title is not mandatory for form elements. In // case there is no #title, we cannot set a form error message. // Instead of setting no #title, form constructors are encouraged to set // #title_display to 'invisible' to improve accessibility. if (isset($elements['#title'])) { form_error($elements, $t('!name field is required.', array('!name' => $elements['#title']))); } else { form_error($elements); } } } // Call user-defined form level validators. if (isset($form_id)) { form_execute_handlers('validate', $elements, $form_state); } // Call any element-specific validators. These must act on the element // #value data. elseif (isset($elements['#element_validate'])) { foreach ($elements['#element_validate'] as $function) { $function($elements, $form_state, $form_state['complete form']); } } $elements['#validated'] = TRUE; } // Done validating this element, so turn off error suppression. // _form_validate() turns it on again when starting on the next element, if // it's still appropriate to do so. drupal_static_reset('form_set_error:limit_validation_errors'); } /** * Executes custom validation and submission handlers for a given form. * * Button-specific handlers are checked first. If none exist, the function * falls back to form-level handlers. * * @param $type * The type of handler to execute. 'validate' or 'submit' are the * defaults used by Form API. * @param $form * An associative array containing the structure of the form. * @param $form_state * A keyed array containing the current state of the form. If the user * submitted the form by clicking a button with custom handler functions * defined, those handlers will be stored here. */ function form_execute_handlers($type, &$form, &$form_state) { $return = FALSE; // If there was a button pressed, use its handlers. if (isset($form_state[$type . '_handlers'])) { $handlers = $form_state[$type . '_handlers']; } // Otherwise, check for a form-level handler. elseif (isset($form['#' . $type])) { $handlers = $form['#' . $type]; } else { $handlers = array(); } foreach ($handlers as $function) { // Check if a previous _submit handler has set a batch, but make sure we // do not react to a batch that is already being processed (for instance // if a batch operation performs a drupal_form_submit()). if ($type == 'submit' && ($batch =& batch_get()) && !isset($batch['id'])) { // Some previous submit handler has set a batch. To ensure correct // execution order, store the call in a special 'control' batch set. // See _batch_next_set(). $batch['sets'][] = array('form_submit' => $function); $batch['has_form_submits'] = TRUE; } else { $function($form, $form_state); } $return = TRUE; } return $return; } /** * Files an error against a form element. * * When a validation error is detected, the validator calls form_set_error() to * indicate which element needs to be changed and provide an error message. This * causes the Form API to not execute the form submit handlers, and instead to * re-display the form to the user with the corresponding elements rendered with * an 'error' CSS class (shown as red by default). * * The standard form_set_error() behavior can be changed if a button provides * the #limit_validation_errors property. Multistep forms not wanting to * validate the whole form can set #limit_validation_errors on buttons to * limit validation errors to only certain elements. For example, pressing the * "Previous" button in a multistep form should not fire validation errors just * because the current step has invalid values. If #limit_validation_errors is * set on a clicked button, the button must also define a #submit property * (may be set to an empty array). Any #submit handlers will be executed even if * there is invalid input, so extreme care should be taken with respect to any * actions taken by them. This is typically not a problem with buttons like * "Previous" or "Add more" that do not invoke persistent storage of the * submitted form values. Do not use the #limit_validation_errors property on * buttons that trigger saving of form values to the database. * * The #limit_validation_errors property is a list of "sections" within * $form_state['values'] that must contain valid values. Each "section" is an * array with the ordered set of keys needed to reach that part of * $form_state['values'] (i.e., the #parents property of the element). * * Example 1: Allow the "Previous" button to function, regardless of whether any * user input is valid. * * @code * $form['actions']['previous'] = array( * '#type' => 'submit', * '#value' => t('Previous'), * '#limit_validation_errors' => array(), // No validation. * '#submit' => array('some_submit_function'), // #submit required. * ); * @endcode * * Example 2: Require some, but not all, user input to be valid to process the * submission of a "Previous" button. * * @code * $form['actions']['previous'] = array( * '#type' => 'submit', * '#value' => t('Previous'), * '#limit_validation_errors' => array( * array('step1'), // Validate $form_state['values']['step1']. * array('foo', 'bar'), // Validate $form_state['values']['foo']['bar']. * ), * '#submit' => array('some_submit_function'), // #submit required. * ); * @endcode * * This will require $form_state['values']['step1'] and everything within it * (for example, $form_state['values']['step1']['choice']) to be valid, so * calls to form_set_error('step1', $message) or * form_set_error('step1][choice', $message) will prevent the submit handlers * from running, and result in the error message being displayed to the user. * However, calls to form_set_error('step2', $message) and * form_set_error('step2][groupX][choiceY', $message) will be suppressed, * resulting in the message not being displayed to the user, and the submit * handlers will run despite $form_state['values']['step2'] and * $form_state['values']['step2']['groupX']['choiceY'] containing invalid * values. Errors for an invalid $form_state['values']['foo'] will be * suppressed, but errors flagging invalid values for * $form_state['values']['foo']['bar'] and everything within it will be * flagged and submission prevented. * * Partial form validation is implemented by suppressing errors rather than by * skipping the input processing and validation steps entirely, because some * forms have button-level submit handlers that call Drupal API functions that * assume that certain data exists within $form_state['values'], and while not * doing anything with that data that requires it to be valid, PHP errors * would be triggered if the input processing and validation steps were fully * skipped. * * @param $name * The name of the form element. If the #parents property of your form * element is array('foo', 'bar', 'baz') then you may set an error on 'foo' * or 'foo][bar][baz'. Setting an error on 'foo' sets an error for every * element where the #parents array starts with 'foo'. * @param $message * The error message to present to the user. * @param $limit_validation_errors * Internal use only. The #limit_validation_errors property of the clicked * button, if it exists. * * @return * Return value is for internal use only. To get a list of errors, use * form_get_errors() or form_get_error(). * * @see http://drupal.org/node/370537 * @see http://drupal.org/node/763376 */ function form_set_error($name = NULL, $message = '', $limit_validation_errors = NULL) { $form = &drupal_static(__FUNCTION__, array()); $sections = &drupal_static(__FUNCTION__ . ':limit_validation_errors'); if (isset($limit_validation_errors)) { $sections = $limit_validation_errors; } if (isset($name) && !isset($form[$name])) { $record = TRUE; if (isset($sections)) { // #limit_validation_errors is an array of "sections" within which user // input must be valid. If the element is within one of these sections, // the error must be recorded. Otherwise, it can be suppressed. // #limit_validation_errors can be an empty array, in which case all // errors are suppressed. For example, a "Previous" button might want its // submit action to be triggered even if none of the submitted values are // valid. $record = FALSE; foreach ($sections as $section) { // Exploding by '][' reconstructs the element's #parents. If the // reconstructed #parents begin with the same keys as the specified // section, then the element's values are within the part of // $form_state['values'] that the clicked button requires to be valid, // so errors for this element must be recorded. As the exploded array // will all be strings, we need to cast every value of the section // array to string. if (array_slice(explode('][', $name), 0, count($section)) === array_map('strval', $section)) { $record = TRUE; break; } } } if ($record) { $form[$name] = $message; if ($message) { drupal_set_message($message, 'error'); } } } return $form; } /** * Clears all errors against all form elements made by form_set_error(). */ function form_clear_error() { drupal_static_reset('form_set_error'); } /** * Returns an associative array of all errors if any. * * @return array|null * The form errors if any, NULL otherwise. */ function form_get_errors() { $form = form_set_error(); if (!empty($form)) { return $form; } } /** * Returns the error message filed against the given form element. * * Form errors higher up in the form structure override deeper errors as well as * errors on the element itself. */ function form_get_error($element) { $form = form_set_error(); $parents = array(); foreach ($element['#parents'] as $parent) { $parents[] = $parent; $key = implode('][', $parents); if (isset($form[$key])) { return $form[$key]; } } } /** * Flags an element as having an error. */ function form_error(&$element, $message = '') { form_set_error(implode('][', $element['#parents']), $message); } /** * Builds and processes all elements in the structured form array. * * Adds any required properties to each element, maps the incoming input data * to the proper elements, and executes any #process handlers attached to a * specific element. * * This is one of the three primary functions that recursively iterates a form * array. This one does it for completing the form building process. The other * two are _form_validate() (invoked via drupal_validate_form() and used to * invoke validation logic for each element) and drupal_render() (for rendering * each element). Each of these three pipelines provides ample opportunity for * modules to customize what happens. For example, during this function's life * cycle, the following functions get called for each element: * - $element['#value_callback']: A function that implements how user input is * mapped to an element's #value property. This defaults to a function named * 'form_type_TYPE_value' where TYPE is $element['#type']. * - $element['#process']: An array of functions called after user input has * been mapped to the element's #value property. These functions can be used * to dynamically add child elements: for example, for the 'date' element * type, one of the functions in this array is form_process_date(), which adds * the individual 'year', 'month', 'day', etc. child elements. These functions * can also be used to set additional properties or implement special logic * other than adding child elements: for example, for the 'fieldset' element * type, one of the functions in this array is form_process_fieldset(), which * adds the attributes and JavaScript needed to make the fieldset collapsible * if the #collapsible property is set. The #process functions are called in * preorder traversal, meaning they are called for the parent element first, * then for the child elements. * - $element['#after_build']: An array of functions called after form_builder() * is done with its processing of the element. These are called in postorder * traversal, meaning they are called for the child elements first, then for * the parent element. * There are similar properties containing callback functions invoked by * _form_validate() and drupal_render(), appropriate for those operations. * * Developers are strongly encouraged to integrate the functionality needed by * their form or module within one of these three pipelines, using the * appropriate callback property, rather than implementing their own recursive * traversal of a form array. This facilitates proper integration between * multiple modules. For example, module developers are familiar with the * relative order in which hook_form_alter() implementations and #process * functions run. A custom traversal function that affects the building of a * form is likely to not integrate with hook_form_alter() and #process in the * expected way. Also, deep recursion within PHP is both slow and memory * intensive, so it is best to minimize how often it's done. * * As stated above, each element's #process functions are executed after its * #value has been set. This enables those functions to execute conditional * logic based on the current value. However, all of form_builder() runs before * drupal_validate_form() is called, so during #process function execution, the * element's #value has not yet been validated, so any code that requires * validated values must reside within a submit handler. * * As a security measure, user input is used for an element's #value only if the * element exists within $form, is not disabled (as per the #disabled property), * and can be accessed (as per the #access property, except that forms submitted * using drupal_form_submit() bypass #access restrictions). When user input is * ignored due to #disabled and #access restrictions, the element's default * value is used. * * Because of the preorder traversal, where #process functions of an element run * before user input for its child elements is processed, and because of the * Form API security of user input processing with respect to #access and * #disabled described above, this generally means that #process functions * should not use an element's (unvalidated) #value to affect the #disabled or * #access of child elements. Use-cases where a developer may be tempted to * implement such conditional logic usually fall into one of two categories: * - Where user input from the current submission must affect the structure of a * form, including properties like #access and #disabled that affect how the * next submission needs to be processed, a multi-step workflow is needed. * This is most commonly implemented with a submit handler setting persistent * data within $form_state based on *validated* values in * $form_state['values'] and setting $form_state['rebuild']. The form building * functions must then be implemented to use the $form_state data to rebuild * the form with the structure appropriate for the new state. * - Where user input must affect the rendering of the form without affecting * its structure, the necessary conditional rendering logic should reside * within functions that run during the rendering phase (#pre_render, #theme, * #theme_wrappers, and #post_render). * * @param $form_id * A unique string identifying the form for validation, submission, * theming, and hook_form_alter functions. * @param $element * An associative array containing the structure of the current element. * @param $form_state * A keyed array containing the current state of the form. In this * context, it is used to accumulate information about which button * was clicked when the form was submitted, as well as the sanitized * $_POST data. */ function form_builder($form_id, &$element, &$form_state) { // Initialize as unprocessed. $element['#processed'] = FALSE; // Use element defaults. if (isset($element['#type']) && empty($element['#defaults_loaded']) && ($info = element_info($element['#type']))) { // Overlay $info onto $element, retaining preexisting keys in $element. $element += $info; $element['#defaults_loaded'] = TRUE; } // Assign basic defaults common for all form elements. $element += array( '#required' => FALSE, '#attributes' => array(), '#title_display' => 'before', ); // Special handling if we're on the top level form element. if (isset($element['#type']) && $element['#type'] == 'form') { if (!empty($element['#https']) && variable_get('https', FALSE) && !url_is_external($element['#action'])) { global $base_root; // Not an external URL so ensure that it is secure. $element['#action'] = str_replace('http://', 'https://', $base_root) . $element['#action']; } // Store a reference to the complete form in $form_state prior to building // the form. This allows advanced #process and #after_build callbacks to // perform changes elsewhere in the form. $form_state['complete form'] = &$element; // Set a flag if we have a correct form submission. This is always TRUE for // programmed forms coming from drupal_form_submit(), or if the form_id coming // from the POST data is set and matches the current form_id. if ($form_state['programmed'] || (!empty($form_state['input']) && (isset($form_state['input']['form_id']) && ($form_state['input']['form_id'] == $form_id)))) { $form_state['process_input'] = TRUE; // If the session token was set by drupal_prepare_form(), ensure that it // matches the current user's session. $form_state['invalid_token'] = FALSE; if (!empty($element['#token'])) { if (empty($form_state['input']['form_token']) || !drupal_valid_token($form_state['input']['form_token'], $element['#token'])) { // Set an early form error to block certain input processing since that // opens the door for CSRF vulnerabilities. _drupal_invalid_token_set_form_error(); // This value is checked in _form_builder_handle_input_element(). $form_state['invalid_token'] = TRUE; // Ignore all submitted values. $form_state['input'] = array(); $_POST = array(); // Make sure file uploads do not get processed. $_FILES = array(); } } } else { $form_state['process_input'] = FALSE; } // All form elements should have an #array_parents property. $element['#array_parents'] = array(); } if (!isset($element['#id'])) { $element['#id'] = drupal_html_id('edit-' . implode('-', $element['#parents'])); } // Handle input elements. if (!empty($element['#input'])) { _form_builder_handle_input_element($form_id, $element, $form_state); } // Allow for elements to expand to multiple elements, e.g., radios, // checkboxes and files. if (isset($element['#process']) && !$element['#processed']) { foreach ($element['#process'] as $process) { $element = $process($element, $form_state, $form_state['complete form']); } $element['#processed'] = TRUE; } // We start off assuming all form elements are in the correct order. $element['#sorted'] = TRUE; // Recurse through all child elements. $count = 0; foreach (element_children($element) as $key) { // Prior to checking properties of child elements, their default properties // need to be loaded. if (isset($element[$key]['#type']) && empty($element[$key]['#defaults_loaded']) && ($info = element_info($element[$key]['#type']))) { $element[$key] += $info; $element[$key]['#defaults_loaded'] = TRUE; } // Don't squash an existing tree value. if (!isset($element[$key]['#tree'])) { $element[$key]['#tree'] = $element['#tree']; } // Deny access to child elements if parent is denied. if (isset($element['#access']) && !$element['#access']) { $element[$key]['#access'] = FALSE; } // Make child elements inherit their parent's #disabled and #allow_focus // values unless they specify their own. foreach (array('#disabled', '#allow_focus') as $property) { if (isset($element[$property]) && !isset($element[$key][$property])) { $element[$key][$property] = $element[$property]; } } // Don't squash existing parents value. if (!isset($element[$key]['#parents'])) { // Check to see if a tree of child elements is present. If so, // continue down the tree if required. $element[$key]['#parents'] = $element[$key]['#tree'] && $element['#tree'] ? array_merge($element['#parents'], array($key)) : array($key); } // Ensure #array_parents follows the actual form structure. $array_parents = $element['#array_parents']; $array_parents[] = $key; $element[$key]['#array_parents'] = $array_parents; // Assign a decimal placeholder weight to preserve original array order. if (!isset($element[$key]['#weight'])) { $element[$key]['#weight'] = $count/1000; } else { // If one of the child elements has a weight then we will need to sort // later. unset($element['#sorted']); } $element[$key] = form_builder($form_id, $element[$key], $form_state); $count++; } // The #after_build flag allows any piece of a form to be altered // after normal input parsing has been completed. if (isset($element['#after_build']) && !isset($element['#after_build_done'])) { foreach ($element['#after_build'] as $function) { $element = $function($element, $form_state); } $element['#after_build_done'] = TRUE; } // If there is a file element, we need to flip a flag so later the // form encoding can be set. if (isset($element['#type']) && $element['#type'] == 'file') { $form_state['has_file_element'] = TRUE; } // Final tasks for the form element after form_builder() has run for all other // elements. if (isset($element['#type']) && $element['#type'] == 'form') { // If there is a file element, we set the form encoding. if (isset($form_state['has_file_element'])) { $element['#attributes']['enctype'] = 'multipart/form-data'; } // Allow Ajax submissions to the form action to bypass verification. This is // especially useful for multipart forms, which cannot be verified via a // response header. $element['#attached']['js'][] = array( 'type' => 'setting', 'data' => array( 'urlIsAjaxTrusted' => array( $element['#action'] => TRUE, ), ), ); // If a form contains a single textfield, and the ENTER key is pressed // within it, Internet Explorer submits the form with no POST data // identifying any submit button. Other browsers submit POST data as though // the user clicked the first button. Therefore, to be as consistent as we // can be across browsers, if no 'triggering_element' has been identified // yet, default it to the first button. if (!$form_state['programmed'] && !isset($form_state['triggering_element']) && !empty($form_state['buttons'])) { $form_state['triggering_element'] = $form_state['buttons'][0]; } // If the triggering element specifies "button-level" validation and submit // handlers to run instead of the default form-level ones, then add those to // the form state. foreach (array('validate', 'submit') as $type) { if (isset($form_state['triggering_element']['#' . $type])) { $form_state[$type . '_handlers'] = $form_state['triggering_element']['#' . $type]; } } // If the triggering element executes submit handlers, then set the form // state key that's needed for those handlers to run. if (!empty($form_state['triggering_element']['#executes_submit_callback'])) { $form_state['submitted'] = TRUE; } // Special processing if the triggering element is a button. if (isset($form_state['triggering_element']['#button_type'])) { // Because there are several ways in which the triggering element could // have been determined (including from input variables set by JavaScript // or fallback behavior implemented for IE), and because buttons often // have their #name property not derived from their #parents property, we // can't assume that input processing that's happened up until here has // resulted in $form_state['values'][BUTTON_NAME] being set. But it's // common for forms to have several buttons named 'op' and switch on // $form_state['values']['op'] during submit handler execution. $form_state['values'][$form_state['triggering_element']['#name']] = $form_state['triggering_element']['#value']; // @todo Legacy support. Remove in Drupal 8. $form_state['clicked_button'] = $form_state['triggering_element']; } } return $element; } /** * Adds the #name and #value properties of an input element before rendering. */ function _form_builder_handle_input_element($form_id, &$element, &$form_state) { static $safe_core_value_callbacks = array( 'form_type_token_value', 'form_type_textarea_value', 'form_type_textfield_value', 'form_type_checkbox_value', 'form_type_checkboxes_value', 'form_type_radios_value', 'form_type_password_confirm_value', 'form_type_select_value', 'form_type_tableselect_value', 'list_boolean_allowed_values_callback', ); if (!isset($element['#name'])) { $name = array_shift($element['#parents']); $element['#name'] = $name; if ($element['#type'] == 'file') { // To make it easier to handle $_FILES in file.inc, we place all // file fields in the 'files' array. Also, we do not support // nested file names. $element['#name'] = 'files[' . $element['#name'] . ']'; } elseif (count($element['#parents'])) { $element['#name'] .= '[' . implode('][', $element['#parents']) . ']'; } array_unshift($element['#parents'], $name); } // Setting #disabled to TRUE results in user input being ignored, regardless // of how the element is themed or whether JavaScript is used to change the // control's attributes. However, it's good UI to let the user know that input // is not wanted for the control. HTML supports two attributes for this: // http://www.w3.org/TR/html401/interact/forms.html#h-17.12. If a form wants // to start a control off with one of these attributes for UI purposes only, // but still allow input to be processed if it's sumitted, it can set the // desired attribute in #attributes directly rather than using #disabled. // However, developers should think carefully about the accessibility // implications of doing so: if the form expects input to be enterable under // some condition triggered by JavaScript, how would someone who has // JavaScript disabled trigger that condition? Instead, developers should // consider whether a multi-step form would be more appropriate (#disabled can // be changed from step to step). If one still decides to use JavaScript to // affect when a control is enabled, then it is best for accessibility for the // control to be enabled in the HTML, and disabled by JavaScript on document // ready. if (!empty($element['#disabled'])) { if (!empty($element['#allow_focus'])) { $element['#attributes']['readonly'] = 'readonly'; } else { $element['#attributes']['disabled'] = 'disabled'; } } // With JavaScript or other easy hacking, input can be submitted even for // elements with #access=FALSE or #disabled=TRUE. For security, these must // not be processed. Forms that set #disabled=TRUE on an element do not // expect input for the element, and even forms submitted with // drupal_form_submit() must not be able to get around this. Forms that set // #access=FALSE on an element usually allow access for some users, so forms // submitted with drupal_form_submit() may bypass access restriction and be // treated as high-privilege users instead. $process_input = empty($element['#disabled']) && ($element['#type'] !== 'value') && (($form_state['programmed'] && $form_state['programmed_bypass_access_check']) || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access']))); // Set the element's #value property. if (!isset($element['#value']) && !array_key_exists('#value', $element)) { $value_callback = !empty($element['#value_callback']) ? $element['#value_callback'] : 'form_type_' . $element['#type'] . '_value'; if ($process_input) { // Get the input for the current element. NULL values in the input need to // be explicitly distinguished from missing input. (see below) $input_exists = NULL; $input = drupal_array_get_nested_value($form_state['input'], $element['#parents'], $input_exists); // For browser-submitted forms, the submitted values do not contain values // for certain elements (empty multiple select, unchecked checkbox). // During initial form processing, we add explicit NULL values for such // elements in $form_state['input']. When rebuilding the form, we can // distinguish elements having NULL input from elements that were not part // of the initially submitted form and can therefore use default values // for the latter, if required. Programmatically submitted forms can // submit explicit NULL values when calling drupal_form_submit(), so we do // not modify $form_state['input'] for them. if (!$input_exists && !$form_state['rebuild'] && !$form_state['programmed']) { // Add the necessary parent keys to $form_state['input'] and sets the // element's input value to NULL. drupal_array_set_nested_value($form_state['input'], $element['#parents'], NULL); $input_exists = TRUE; } // If we have input for the current element, assign it to the #value // property, optionally filtered through $value_callback. if ($input_exists) { if (function_exists($value_callback)) { // Skip all value callbacks except safe ones like text if the CSRF // token was invalid. if (empty($form_state['invalid_token']) || in_array($value_callback, $safe_core_value_callbacks)) { $element['#value'] = $value_callback($element, $input, $form_state); } else { $input = NULL; } } if (!isset($element['#value']) && isset($input)) { $element['#value'] = $input; } } // Mark all posted values for validation. if (isset($element['#value']) || (!empty($element['#required']))) { $element['#needs_validation'] = TRUE; } } // Load defaults. if (!isset($element['#value'])) { // Call #type_value without a second argument to request default_value handling. if (function_exists($value_callback)) { $element['#value'] = $value_callback($element, FALSE, $form_state); } // Final catch. If we haven't set a value yet, use the explicit default value. // Avoid image buttons (which come with garbage value), so we only get value // for the button actually clicked. if (!isset($element['#value']) && empty($element['#has_garbage_value'])) { $element['#value'] = isset($element['#default_value']) ? $element['#default_value'] : ''; } } } // Determine which element (if any) triggered the submission of the form and // keep track of all the clickable buttons in the form for // form_state_values_clean(). Enforce the same input processing restrictions // as above. if ($process_input) { // Detect if the element triggered the submission via Ajax. if (_form_element_triggered_scripted_submission($element, $form_state)) { $form_state['triggering_element'] = $element; } // If the form was submitted by the browser rather than via Ajax, then it // can only have been triggered by a button, and we need to determine which // button within the constraints of how browsers provide this information. if (isset($element['#button_type'])) { // All buttons in the form need to be tracked for // form_state_values_clean() and for the form_builder() code that handles // a form submission containing no button information in $_POST. $form_state['buttons'][] = $element; if (_form_button_was_clicked($element, $form_state)) { $form_state['triggering_element'] = $element; } } } // Set the element's value in $form_state['values'], but only, if its key // does not exist yet (a #value_callback may have already populated it). if (!drupal_array_nested_key_exists($form_state['values'], $element['#parents'])) { form_set_value($element, $element['#value'], $form_state); } } /** * Detects if an element triggered the form submission via Ajax. * * This detects button or non-button controls that trigger a form submission via * Ajax or some other scriptable environment. These environments can set the * special input key '_triggering_element_name' to identify the triggering * element. If the name alone doesn't identify the element uniquely, the input * key '_triggering_element_value' may also be set to require a match on element * value. An example where this is needed is if there are several buttons all * named 'op', and only differing in their value. */ function _form_element_triggered_scripted_submission($element, &$form_state) { if (!empty($form_state['input']['_triggering_element_name']) && $element['#name'] == $form_state['input']['_triggering_element_name']) { if (empty($form_state['input']['_triggering_element_value']) || $form_state['input']['_triggering_element_value'] == $element['#value']) { return TRUE; } } return FALSE; } /** * Determines if a given button triggered the form submission. * * This detects button controls that trigger a form submission by being clicked * and having the click processed by the browser rather than being captured by * JavaScript. Essentially, it detects if the button's name and value are part * of the POST data, but with extra code to deal with the convoluted way in * which browsers submit data for image button clicks. * * This does not detect button clicks processed by Ajax (that is done in * _form_element_triggered_scripted_submission()) and it does not detect form * submissions from Internet Explorer in response to an ENTER key pressed in a * textfield (form_builder() has extra code for that). * * Because this function contains only part of the logic needed to determine * $form_state['triggering_element'], it should not be called from anywhere * other than within the Form API. Form validation and submit handlers needing * to know which button was clicked should get that information from * $form_state['triggering_element']. */ function _form_button_was_clicked($element, &$form_state) { // First detect normal 'vanilla' button clicks. Traditionally, all // standard buttons on a form share the same name (usually 'op'), // and the specific return value is used to determine which was // clicked. This ONLY works as long as $form['#name'] puts the // value at the top level of the tree of $_POST data. if (isset($form_state['input'][$element['#name']]) && $form_state['input'][$element['#name']] == $element['#value']) { return TRUE; } // When image buttons are clicked, browsers do NOT pass the form element // value in $_POST. Instead they pass an integer representing the // coordinates of the click on the button image. This means that image // buttons MUST have unique $form['#name'] values, but the details of // their $_POST data should be ignored. elseif (!empty($element['#has_garbage_value']) && isset($element['#value']) && $element['#value'] !== '') { return TRUE; } return FALSE; } /** * Removes internal Form API elements and buttons from submitted form values. * * This function can be used when a module wants to store all submitted form * values, for example, by serializing them into a single database column. In * such cases, all internal Form API values and all form button elements should * not be contained, and this function allows to remove them before the module * proceeds to storage. Next to button elements, the following internal values * are removed: * - form_id * - form_token * - form_build_id * - op * * @param $form_state * A keyed array containing the current state of the form, including * submitted form values; altered by reference. */ function form_state_values_clean(&$form_state) { // Remove internal Form API values. unset($form_state['values']['form_id'], $form_state['values']['form_token'], $form_state['values']['form_build_id'], $form_state['values']['op']); // Remove button values. // form_builder() collects all button elements in a form. We remove the button // value separately for each button element. foreach ($form_state['buttons'] as $button) { // Remove this button's value from the submitted form values by finding // the value corresponding to this button. // We iterate over the #parents of this button and move a reference to // each parent in $form_state['values']. For example, if #parents is: // array('foo', 'bar', 'baz') // then the corresponding $form_state['values'] part will look like this: // array( // 'foo' => array( // 'bar' => array( // 'baz' => 'button_value', // ), // ), // ) // We start by (re)moving 'baz' to $last_parent, so we are able unset it // at the end of the iteration. Initially, $values will contain a // reference to $form_state['values'], but in the iteration we move the // reference to $form_state['values']['foo'], and finally to // $form_state['values']['foo']['bar'], which is the level where we can // unset 'baz' (that is stored in $last_parent). $parents = $button['#parents']; $last_parent = array_pop($parents); $key_exists = NULL; $values = &drupal_array_get_nested_value($form_state['values'], $parents, $key_exists); if ($key_exists && is_array($values)) { unset($values[$last_parent]); } } } /** * Determines the value for an image button form element. * * @param $form * The form element whose value is being populated. * @param $input * The incoming input to populate the form element. If this is FALSE, * the element's default value should be returned. * @param $form_state * A keyed array containing the current state of the form. * * @return * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_image_button_value($form, $input, $form_state) { if ($input !== FALSE) { if (!empty($input)) { // If we're dealing with Mozilla or Opera, we're lucky. It will // return a proper value, and we can get on with things. return $form['#return_value']; } else { // Unfortunately, in IE we never get back a proper value for THIS // form element. Instead, we get back two split values: one for the // X and one for the Y coordinates on which the user clicked the // button. We'll find this element in the #post data, and search // in the same spot for its name, with '_x'. $input = $form_state['input']; foreach (explode('[', $form['#name']) as $element_name) { // chop off the ] that may exist. if (substr($element_name, -1) == ']') { $element_name = substr($element_name, 0, -1); } if (!isset($input[$element_name])) { if (isset($input[$element_name . '_x'])) { return $form['#return_value']; } return NULL; } $input = $input[$element_name]; } return $form['#return_value']; } } } /** * Determines the value for a checkbox form element. * * @param $form * The form element whose value is being populated. * @param $input * The incoming input to populate the form element. If this is FALSE, * the element's default value should be returned. * * @return * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_checkbox_value($element, $input = FALSE) { if ($input === FALSE) { // Use #default_value as the default value of a checkbox, except change // NULL to 0, because _form_builder_handle_input_element() would otherwise // replace NULL with empty string, but an empty string is a potentially // valid value for a checked checkbox. return isset($element['#default_value']) ? $element['#default_value'] : 0; } else { // Checked checkboxes are submitted with a value (possibly '0' or ''): // http://www.w3.org/TR/html401/interact/forms.html#successful-controls. // For checked checkboxes, browsers submit the string version of // #return_value, but we return the original #return_value. For unchecked // checkboxes, browsers submit nothing at all, but // _form_builder_handle_input_element() detects this, and calls this // function with $input=NULL. Returning NULL from a value callback means to // use the default value, which is not what is wanted when an unchecked // checkbox is submitted, so we use integer 0 as the value indicating an // unchecked checkbox. Therefore, modules must not use integer 0 as a // #return_value, as doing so results in the checkbox always being treated // as unchecked. The string '0' is allowed for #return_value. The most // common use-case for setting #return_value to either 0 or '0' is for the // first option within a 0-indexed array of checkboxes, and for this, // form_process_checkboxes() uses the string rather than the integer. return isset($input) ? $element['#return_value'] : 0; } } /** * Determines the value for a checkboxes form element. * * @param $element * The form element whose value is being populated. * @param $input * The incoming input to populate the form element. If this is FALSE, * the element's default value should be returned. * * @return * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_checkboxes_value($element, $input = FALSE) { if ($input === FALSE) { $value = array(); $element += array('#default_value' => array()); foreach ($element['#default_value'] as $key) { $value[$key] = $key; } return $value; } elseif (is_array($input)) { // Programmatic form submissions use NULL to indicate that a checkbox // should be unchecked; see drupal_form_submit(). We therefore remove all // NULL elements from the array before constructing the return value, to // simulate the behavior of web browsers (which do not send unchecked // checkboxes to the server at all). This will not affect non-programmatic // form submissions, since all values in $_POST are strings. foreach ($input as $key => $value) { if (!isset($value)) { unset($input[$key]); } } return drupal_map_assoc($input); } else { return array(); } } /** * Determines the value for a tableselect form element. * * @param $element * The form element whose value is being populated. * @param $input * The incoming input to populate the form element. If this is FALSE, * the element's default value should be returned. * * @return * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_tableselect_value($element, $input = FALSE) { // If $element['#multiple'] == FALSE, then radio buttons are displayed and // the default value handling is used. if (isset($element['#multiple']) && $element['#multiple']) { // Checkboxes are being displayed with the default value coming from the // keys of the #default_value property. This differs from the checkboxes // element which uses the array values. if ($input === FALSE) { $value = array(); $element += array('#default_value' => array()); foreach ($element['#default_value'] as $key => $flag) { if ($flag) { $value[$key] = $key; } } return $value; } else { return is_array($input) ? drupal_map_assoc($input) : array(); } } } /** * Form value callback: Determines the value for a #type radios form element. * * @param $element * The form element whose value is being populated. * @param $input * (optional) The incoming input to populate the form element. If FALSE, the * element's default value is returned. Defaults to FALSE. * * @return * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_radios_value(&$element, $input = FALSE) { if ($input !== FALSE) { // When there's user input (including NULL), return it as the value. // However, if NULL is submitted, _form_builder_handle_input_element() will // apply the default value, and we want that validated against #options // unless it's empty. (An empty #default_value, such as NULL or FALSE, can // be used to indicate that no radio button is selected by default.) if (!isset($input) && !empty($element['#default_value'])) { $element['#needs_validation'] = TRUE; } return $input; } else { // For default value handling, simply return #default_value. Additionally, // for a NULL default value, set #has_garbage_value to prevent // _form_builder_handle_input_element() converting the NULL to an empty // string, so that code can distinguish between nothing selected and the // selection of a radio button whose value is an empty string. $value = isset($element['#default_value']) ? $element['#default_value'] : NULL; if (!isset($value)) { $element['#has_garbage_value'] = TRUE; } return $value; } } /** * Determines the value for a password_confirm form element. * * @param $element * The form element whose value is being populated. * @param $input * The incoming input to populate the form element. If this is FALSE, * the element's default value should be returned. * * @return * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_password_confirm_value($element, $input = FALSE) { if ($input === FALSE) { $element += array('#default_value' => array()); return $element['#default_value'] + array('pass1' => '', 'pass2' => ''); } $value = array('pass1' => '', 'pass2' => ''); // Throw out all invalid array keys; we only allow pass1 and pass2. foreach ($value as $allowed_key => $default) { // These should be strings, but allow other scalars since they might be // valid input in programmatic form submissions. Any nested array values // are ignored. if (isset($input[$allowed_key]) && is_scalar($input[$allowed_key])) { $value[$allowed_key] = (string) $input[$allowed_key]; } } return $value; } /** * Determines the value for a select form element. * * @param $element * The form element whose value is being populated. * @param $input * The incoming input to populate the form element. If this is FALSE, * the element's default value should be returned. * * @return * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_select_value($element, $input = FALSE) { if ($input !== FALSE) { if (isset($element['#multiple']) && $element['#multiple']) { // If an enabled multi-select submits NULL, it means all items are // unselected. A disabled multi-select always submits NULL, and the // default value should be used. if (empty($element['#disabled'])) { return (is_array($input)) ? drupal_map_assoc($input) : array(); } else { return (isset($element['#default_value']) && is_array($element['#default_value'])) ? $element['#default_value'] : array(); } } // Non-multiple select elements may have an empty option preprended to them // (see form_process_select()). When this occurs, usually #empty_value is // an empty string, but some forms set #empty_value to integer 0 or some // other non-string constant. PHP receives all submitted form input as // strings, but if the empty option is selected, set the value to match the // empty value exactly. elseif (isset($element['#empty_value']) && $input === (string) $element['#empty_value']) { return $element['#empty_value']; } else { return $input; } } } /** * Determines the value for a textarea form element. * * @param array $element * The form element whose value is being populated. * @param mixed $input * The incoming input to populate the form element. If this is FALSE, the * element's default value should be returned. * * @return string * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_textarea_value($element, $input = FALSE) { if ($input !== FALSE && $input !== NULL) { // This should be a string, but allow other scalars since they might be // valid input in programmatic form submissions. return is_scalar($input) ? (string) $input : ''; } } /** * Determines the value for a textfield form element. * * @param $element * The form element whose value is being populated. * @param $input * The incoming input to populate the form element. If this is FALSE, * the element's default value should be returned. * * @return * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_textfield_value($element, $input = FALSE) { if ($input !== FALSE && $input !== NULL) { // This should be a string, but allow other scalars since they might be // valid input in programmatic form submissions. if (!is_scalar($input)) { $input = ''; } return str_replace(array("\r", "\n"), '', (string) $input); } } /** * Determines the value for form's token value. * * @param $element * The form element whose value is being populated. * @param $input * The incoming input to populate the form element. If this is FALSE, * the element's default value should be returned. * * @return * The data that will appear in $form_state['values'] for this element, or * nothing to use the default. */ function form_type_token_value($element, $input = FALSE) { if ($input !== FALSE) { return (string) $input; } } /** * Changes submitted form values during form validation. * * Use this function to change the submitted value of a form element in a form * validation function, so that the changed value persists in $form_state * through the remaining validation and submission handlers. It does not change * the value in $element['#value'], only in $form_state['values'], which is * where submitted values are always stored. * * Note that form validation functions are specified in the '#validate' * component of the form array (the value of $form['#validate'] is an array of * validation function names). If the form does not originate in your module, * you can implement hook_form_FORM_ID_alter() to add a validation function * to $form['#validate']. * * @param $element * The form element that should have its value updated; in most cases you can * just pass in the element from the $form array, although the only component * that is actually used is '#parents'. If constructing yourself, set * $element['#parents'] to be an array giving the path through the form * array's keys to the element whose value you want to update. For instance, * if you want to update the value of $form['elem1']['elem2'], which should be * stored in $form_state['values']['elem1']['elem2'], you would set * $element['#parents'] = array('elem1','elem2'). * @param $value * The new value for the form element. * @param $form_state * Form state array where the value change should be recorded. */ function form_set_value($element, $value, &$form_state) { drupal_array_set_nested_value($form_state['values'], $element['#parents'], $value, TRUE); } /** * Allows PHP array processing of multiple select options with the same value. * * Used for form select elements which need to validate HTML option groups * and multiple options which may return the same value. Associative PHP arrays * cannot handle these structures, since they share a common key. * * @param $array * The form options array to process. * * @return * An array with all hierarchical elements flattened to a single array. */ function form_options_flatten($array) { // Always reset static var when first entering the recursion. drupal_static_reset('_form_options_flatten'); return _form_options_flatten($array); } /** * Iterates over an array and returns a flat array with duplicate keys removed. * * This function also handles cases where objects are passed as array values. */ function _form_options_flatten($array) { $return = &drupal_static(__FUNCTION__); foreach ($array as $key => $value) { if (is_object($value)) { _form_options_flatten($value->option); } elseif (is_array($value)) { _form_options_flatten($value); } else { $return[$key] = 1; } } return $return; } /** * Processes a select list form element. * * This process callback is mandatory for select fields, since all user agents * automatically preselect the first available option of single (non-multiple) * select lists. * * @param $element * The form element to process. Properties used: * - #multiple: (optional) Indicates whether one or more options can be * selected. Defaults to FALSE. * - #default_value: Must be NULL or not set in case there is no value for the * element yet, in which case a first default option is inserted by default. * Whether this first option is a valid option depends on whether the field * is #required or not. * - #required: (optional) Whether the user needs to select an option (TRUE) * or not (FALSE). Defaults to FALSE. * - #empty_option: (optional) The label to show for the first default option. * By default, the label is automatically set to "- Select -" for a required * field and "- None -" for an optional field. * - #empty_value: (optional) The value for the first default option, which is * used to determine whether the user submitted a value or not. * - If #required is TRUE, this defaults to '' (an empty string). * - If #required is not TRUE and this value isn't set, then no extra option * is added to the select control, leaving the control in a slightly * illogical state, because there's no way for the user to select nothing, * since all user agents automatically preselect the first available * option. But people are used to this being the behavior of select * controls. * @todo Address the above issue in Drupal 8. * - If #required is not TRUE and this value is set (most commonly to an * empty string), then an extra option (see #empty_option above) * representing a "non-selection" is added with this as its value. * * @see _form_validate() */ function form_process_select($element) { // #multiple select fields need a special #name. if ($element['#multiple']) { $element['#attributes']['multiple'] = 'multiple'; $element['#attributes']['name'] = $element['#name'] . '[]'; } // A non-#multiple select needs special handling to prevent user agents from // preselecting the first option without intention. #multiple select lists do // not get an empty option, as it would not make sense, user interface-wise. else { $required = $element['#required']; // If the element is required and there is no #default_value, then add an // empty option that will fail validation, so that the user is required to // make a choice. Also, if there's a value for #empty_value or // #empty_option, then add an option that represents emptiness. if (($required && !isset($element['#default_value'])) || isset($element['#empty_value']) || isset($element['#empty_option'])) { $element += array( '#empty_value' => '', '#empty_option' => $required ? t('- Select -') : t('- None -'), ); // The empty option is prepended to #options and purposively not merged // to prevent another option in #options mistakenly using the same value // as #empty_value. $empty_option = array($element['#empty_value'] => $element['#empty_option']); $element['#options'] = $empty_option + $element['#options']; } } return $element; } /** * Returns HTML for a select form element. * * It is possible to group options together; to do this, change the format of * $options to an associative array in which the keys are group labels, and the * values are associative arrays in the normal $options format. * * @param $variables * An associative array containing: * - element: An associative array containing the properties of the element. * Properties used: #title, #value, #options, #description, #extra, * #multiple, #required, #name, #attributes, #size. * * @ingroup themeable */ function theme_select($variables) { $element = $variables['element']; element_set_attributes($element, array('id', 'name', 'size')); _form_set_class($element, array('form-select')); return ''; } /** * Converts an array of options into HTML, for use in select list form elements. * * This function calls itself recursively to obtain the values for each optgroup * within the list of options and when the function encounters an object with * an 'options' property inside $element['#options']. * * @param array $element * An associative array containing the following key-value pairs: * - #multiple: Optional Boolean indicating if the user may select more than * one item. * - #options: An associative array of options to render as HTML. Each array * value can be a string, an array, or an object with an 'option' property: * - A string or integer key whose value is a translated string is * interpreted as a single HTML option element. Do not use placeholders * that sanitize data: doing so will lead to double-escaping. Note that * the key will be visible in the HTML and could be modified by malicious * users, so don't put sensitive information in it. * - A translated string key whose value is an array indicates a group of * options. The translated string is used as the label attribute for the * optgroup. Do not use placeholders to sanitize data: doing so will lead * to double-escaping. The array should contain the options you wish to * group and should follow the syntax of $element['#options']. * - If the function encounters a string or integer key whose value is an * object with an 'option' property, the key is ignored, the contents of * the option property are interpreted as $element['#options'], and the * resulting HTML is added to the output. * - #value: Optional integer, string, or array representing which option(s) * to pre-select when the list is first displayed. The integer or string * must match the key of an option in the '#options' list. If '#multiple' is * TRUE, this can be an array of integers or strings. * @param array|null $choices * (optional) Either an associative array of options in the same format as * $element['#options'] above, or NULL. This parameter is only used internally * and is not intended to be passed in to the initial function call. * * @return string * An HTML string of options and optgroups for use in a select form element. */ function form_select_options($element, $choices = NULL) { if (!isset($choices)) { $choices = $element['#options']; } // array_key_exists() accommodates the rare event where $element['#value'] is NULL. // isset() fails in this situation. $value_valid = isset($element['#value']) || array_key_exists('#value', $element); $value_is_array = $value_valid && is_array($element['#value']); $options = ''; foreach ($choices as $key => $choice) { if (is_array($choice)) { $options .= ''; } elseif (is_object($choice)) { $options .= form_select_options($element, $choice->option); } else { $key = (string) $key; if ($value_valid && (!$value_is_array && (string) $element['#value'] === $key || ($value_is_array && in_array($key, $element['#value'])))) { $selected = ' selected="selected"'; } else { $selected = ''; } $options .= ''; } } return $options; } /** * Returns the indexes of a select element's options matching a given key. * * This function is useful if you need to modify the options that are * already in a form element; for example, to remove choices which are * not valid because of additional filters imposed by another module. * One example might be altering the choices in a taxonomy selector. * To correctly handle the case of a multiple hierarchy taxonomy, * #options arrays can now hold an array of objects, instead of a * direct mapping of keys to labels, so that multiple choices in the * selector can have the same key (and label). This makes it difficult * to manipulate directly, which is why this helper function exists. * * This function does not support optgroups (when the elements of the * #options array are themselves arrays), and will return FALSE if * arrays are found. The caller must either flatten/restore or * manually do their manipulations in this case, since returning the * index is not sufficient, and supporting this would make the * "helper" too complicated and cumbersome to be of any help. * * As usual with functions that can return array() or FALSE, do not * forget to use === and !== if needed. * * @param $element * The select element to search. * @param $key * The key to look for. * * @return * An array of indexes that match the given $key. Array will be * empty if no elements were found. FALSE if optgroups were found. */ function form_get_options($element, $key) { $keys = array(); foreach ($element['#options'] as $index => $choice) { if (is_array($choice)) { return FALSE; } elseif (is_object($choice)) { if (isset($choice->option[$key])) { $keys[] = $index; } } elseif ($index == $key) { $keys[] = $index; } } return $keys; } /** * Returns HTML for a fieldset form element and its children. * * @param $variables * An associative array containing: * - element: An associative array containing the properties of the element. * Properties used: #attributes, #children, #collapsed, #collapsible, * #description, #id, #title, #value. * * @ingroup themeable */ function theme_fieldset($variables) { $element = $variables['element']; element_set_attributes($element, array('id')); _form_set_class($element, array('form-wrapper')); $output = '
\n"; return $output; } /** * Returns HTML for a radio button form element. * * Note: The input "name" attribute needs to be sanitized before output, which * is currently done by passing all attributes to drupal_attributes(). * * @param $variables * An associative array containing: * - element: An associative array containing the properties of the element. * Properties used: #required, #return_value, #value, #attributes, #title, * #description * * @ingroup themeable */ function theme_radio($variables) { $element = $variables['element']; $element['#attributes']['type'] = 'radio'; element_set_attributes($element, array('id', 'name', '#return_value' => 'value')); if (isset($element['#return_value']) && $element['#value'] !== FALSE && $element['#value'] == $element['#return_value']) { $element['#attributes']['checked'] = 'checked'; } _form_set_class($element, array('form-radio')); return ''; } /** * Returns HTML for a set of radio button form elements. * * @param $variables * An associative array containing: * - element: An associative array containing the properties of the element. * Properties used: #title, #value, #options, #description, #required, * #attributes, #children. * * @ingroup themeable */ function theme_radios($variables) { $element = $variables['element']; $attributes = array(); if (isset($element['#id'])) { $attributes['id'] = $element['#id']; } $attributes['class'] = 'form-radios'; if (!empty($element['#attributes']['class'])) { $attributes['class'] .= ' ' . implode(' ', $element['#attributes']['class']); } if (isset($element['#attributes']['title'])) { $attributes['title'] = $element['#attributes']['title']; } return '