Development issues
https://lab.civicrm.org/groups/dev/-/issues
2023-06-06T05:55:19Z

https://lab.civicrm.org/dev/core/-/issues/4312
Undefined array key and deprecated warnings on contributions overview page
2023-06-06T05:55:19Z
Tobias Krause

When going to /civicrm/contact/view/contribution many "array undefined" warnings appear in watchdog:
```
Warning: Undefined array key "selectedChild" in include() (Zeile 11 in C:\wamp64\www\civicrm\httpdocs\sites\default\files\private\civicrm\templates_c\en_US\%%6F\6FD\6FDADEDF%%TabSelected.tpl.php)
Warning: Undefined array key "type" in include() (Zeile 17 in C:\wamp64\www\civicrm\httpdocs\sites\default\files\private\civicrm\templates_c\en_US\%%3D\3D4\3D44E36C%%Selector.tpl.php)
**(I think this warning appears once for each contribution in the list)**
Warning: Undefined array key "softCredit" in include() (Zeile 93 in C:\wamp64\www\civicrm\httpdocs\sites\default\files\private\civicrm\templates_c\en_US\%%84\843\843D5262%%Tab.tpl.php)
Warning: Undefined array key "payment_processor" in include() (Zeile 12 in C:\wamp64\www\civicrm\httpdocs\sites\default\files\private\civicrm\templates_c\en_US\%%1B\1B6\1B6ACE3B%%ContributionRecurSelector.tpl.php)
Warning: Undefined array key "recurId" in include() (Zeile 12 in C:\wamp64\www\civicrm\httpdocs\sites\default\files\private\civicrm\templates_c\en_US\%%1B\1B6\1B6ACE3B%%ContributionRecurSelector.tpl.php)
Deprecated function: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in smarty_modifier_replace() (Zeile 25 in C:\wamp64\www\civicrm\vendor\civicrm\civicrm-packages\Smarty\plugins\modifier.replace.php)
```

https://lab.civicrm.org/dev/core/-/issues/4311
Undefined array key warnings when entering a report page
2023-06-06T05:54:40Z
Tobias Krause

When a report page is accessed several warnings appear in watchdog. For example the path of one of the reports is /civicrm/report/instance/3, the warnings are:
```
Warning: Undefined array key "batch_id_op" in include() (Zeile 42 in sites\default\files\private\civicrm\templates_c\en_US\%%E0\E0C\E0C36992%%Filters.tpl.php)
Warning: Trying to access array offset on value of type null in include() (Zeile 42 in sites\default\files\private\civicrm\templates_c\en_US\%%E0\E0C\E0C36992%%Filters.tpl.php)
Warning: Undefined array key "type" in include() (Zeile 48 in sites\default\files\private\civicrm\templates_c\en_US\%%1B\1BD\1BD7DE8F%%Statistics.tpl.php)
Warning: Undefined array key "type" in include() (Zeile 51 in sites\default\files\private\civicrm\templates_c\en_US\%%1B\1BD\1BD7DE8F%%Statistics.tpl.php)
```

https://lab.civicrm.org/dev/core/-/issues/4308
CryptoKeys - Converting CryptoException into status messages
2023-06-05T14:10:29Z
VangelisP

### Overview
From time to time, we clone/replicate our live sites into our development servers to do some reviews/coding enhancements etc. Since the live sites have a different key from the development site(s), whenever we try to access the path `/civicrm/admin/setting/smtp?reset=1` (and assuming that we had set the configuration to SMTP with a username & password in live), we end up with an exception error: "Failed to find key by ID or tag", leaving us unable to access the page so that we can modify or re-enter the SMTP password.
### Reproduction steps
* Configure `CIVICRM_CRED_KEYS`
* Go to `/civicrm/admin/setting/smtp?reset=1`
* Set up the mailer as SMTP and store a password
* Clone the site's database and filebase (except the `civicrm.settings.php`) into another site OR change the `CIVICRM_CRED_KEYS`
* Try to access the page `/civicrm/admin/setting/smtp?reset=1`. You will get an exception error and the page won't load.
### Expected behaviour
* Manage to get to the page `/civicrm/admin/setting/smtp?reset=1` but throw a status message that there's something wrong with the stored password.
### Proposed solution
* On `/Civi/Crypto/CryptoRegistry.php` convert the `CryptoException`s into Status messages
* On `/Civi/Crypto/CryptoToken.php` check if the variable `$key` is null or set and if not, return the `$plaintext`
This way, even if the system cannot properly decode/decrypt the key, we will still be able to return to the password page but also throw the notices to the visitor.
I'm assuming that this exact behaviour/effect fires up wherever we use the crypto functionality.
I am also aware that in order to fix this, one needs to also configure the *same* `CIVICRM_CRED_KEY` as seen in the live site.
If this makes any sense, I can provide a patch/PR.
### Environment information
* CiviCRM: 5.57
* PHP: 7.4.33
* CMS: Drupal 9.4.15

https://lab.civicrm.org/dev/core/-/issues/4304
getUFLocale() is not setting the proper locale
2023-05-24T06:37:15Z
shaneonabike

## Overview
Presently, the function ```getUFLocale()``` obtains the interface language for Wordpress with integration with WPML. The present formula is using incorrect ```apply_filters``` to generate the wrong locale for front-end users.
This was discovered while validating the pull request [#289](https://github.com/civicrm/civicrm-wordpress/pull/289) for better WPML integration for front-end users.
## What should happen
The link should be generated in the language that the current user has set.
## What is the problem
```php
// Maybe override with the locale that WPML reports.
elseif (defined('ICL_LANGUAGE_CODE')) {
  $languages = apply_filters('wpml_active_languages', NULL);
  foreach ($languages as $language) {
    if ($language['active']) {
      $locale = $language['default_locale'];
      break;
    }
  }
}
```
According to the docs, ```apply_filters('wpml_active_languages', NULL)``` only retrieves a list of languages, but this has no bearing on the user's current language. The value ```$language['active']``` refers to whether the language is active or not. In my case, I have seen this reported as _false_ in some cases where languages are active - go figure :shrug: .
So we need to use ```apply_filters('wpml_current_language')``` [to obtain](https://wpml.org/wpml-hook/wpml_current_language/) the user's front-end language.
I'll post a patch for this and link it to this one.
cc @kcristiano

https://lab.civicrm.org/dev/core/-/issues/4301
FormBuilder: Allow placeholder text to be configured
2023-05-24T06:34:31Z
ayduns (aidan.saunders@squiffle.uk)

It would be nice to be able to specify placeholder text on form fields such as filters.

https://lab.civicrm.org/dev/core/-/issues/4299
Send contribution receipt when contribution completed by recording payment on the backend
2023-08-01T14:42:08Z
larsssandergreen

Through discussion in this [PR](https://github.com/civicrm/civicrm-core/pull/26247), it has become clear that there is an inconsistency in which message templates are sent when completing a pending contribution with a payment, depending on where the payment is recorded.
If the payment is recorded via API and the receipt has not yet been set, a contribution receipt template is sent.
If the payment is recorded via a Search Action and the receipt has not been sent, a contribution receipt template is sent.
If the payment is recorded via Record Payment in the UI, there is an option to send a receipt, but if selected an "Additional Payment Receipt or Refund Notification" template is sent.
I think that in the third case, for consistency, we should send a contribution receipt template as long as the contribution is now completed. The same logic works with membership receipt templates.

https://lab.civicrm.org/dev/core/-/issues/4297
Do help links go after the label or after the field?
2023-06-20T20:38:21Z
larsssandergreen

It seems like on some backend forms, the little help links are after the label, while in other places they are after the field itself. If we can agree on one or the other, I will adjust the templates so forms are consistent. My unscientific survey indicates that we have about 2/3 after the label and 1/3 after the field right now.
Here's an example with both:
![image](/uploads/28270ce52cc725f384c3e4bcb368442a/image.png)
Additional consideration: When there is both a setting and a help, probably having one after the other would be not great.
![image](/uploads/2966630753c68c090d2a80269a488c34/image.png)
Also, there are a few with help at the end of the description
![image](/uploads/964d812410ed131320947dc6d7b0b7c5/image.png)
Some fields it has to be after the field because there is no label
![image](/uploads/d2f943517edf44b307599502855c4346/image.png)
Checkboxes are always after the label, but that's at the end of the line.
![image](/uploads/f7d02999614ef14009d158d8236b9951/image.png)
With multiple checkboxes, it has to be after the label, there isn't really any other option.
![image](/uploads/155a387d37d5452b9e4f7373cb7a447a/image.png)
Another different layout, I think it only makes sense after the label here
![image](/uploads/d13c5bd26e5bb9aff8f72adf5dc2f109/image.png)

https://lab.civicrm.org/dev/core/-/issues/4296
FormBuilder filters suggestion: text filter as select
2023-06-08T18:02:44Z
ayduns (aidan.saunders@squiffle.uk)

Overview
----------------------------------------
For FormBuilder filters, it would be useful to have the option to turn `Text` into `Select`.
Example use-case
----------------------------------------
For a search that returns results like:
```
Org, Contact
------------
Org1, ContactA
Org1, ContactB
Org1, ContactC
Org2, ContactD
Org2, ContactE
```
you can add a filter on Org Display Name which is displayed as a text box.
It would be nice to be able to present this as a `Select` dropdown of 'Org1', 'Org2' etc (or even multi-select). The configuration for the filter provides a `Type` box with several options, so add a `Select` one to that (in addition to the existing `Text`).
The current text filter is a substring match which means that if one display name is a substring of another, you can't filter to just the shorter name. So eg 'Org1', 'Org1 - committee A', 'Org1 - committee B' you can't just show 'Org1'. Turning this into a `Select` should either exact match on the text string or convert to filtering by `id`.

https://lab.civicrm.org/dev/core/-/issues/4294
Fix mailto links that get converted to traceable urls
2023-06-19T23:31:10Z
yashodha

mailto links also get converted to trackable urls causing issues. Let's avoid doing that.

yashodha

https://lab.civicrm.org/dev/core/-/issues/4293
Uncaught SyntaxError: '#' not followed by identifier
2023-11-23T07:47:01Z
Bastien Ho

In a contribution page, I get an `Uncaught SyntaxError: '#' not followed by identifier` error in the console.
Reproduction steps
----------------------------------------
1. Create a contribution page.
1. Insert it in a WordPress page.
1. Display the page.
1. Open the console of the navigator
In _templates/CRM/Contribute/Form/Contribution/Main.tpl_, the following lines are misinterpreted before being output:
```js
function useAmountOther() {
  var priceset = {/literal}
  {if $contriPriceset}'{$contriPriceset}'
  {else}0
  {/if}
  {literal};
  for (i = 0; i < document.Main.elements.length; i++) {
    element = document.Main.elements[i];
    if (element.type == 'radio' && element.name == priceset) {
      if (element.value == '0') {
        element.click();
      } else {
        element.checked = false;
      }
    }
  }
}
```
In the source of the generated page:
```js
function useAmountOther() {
  var priceset =
  0
  ;
  for (i = 0; i < document.Main.elements.length; i++) {
    element = document.Main.elements[i];
    if (element.type == 'radio' && element.name == priceset) {
      if (element.value == '0') {
        element.click();
      } else {
        element.checked = false;
      }
    }
  }
}
```
Environment information
----------------------------------------
* __Browser:__ _Firefox 112_
* __CiviCRM:__ _5.61.2_
* __PHP:__ _8.0_
* __CMS:__ _WordPress 6.2_
* __Database:__ _MariaDB 10.5_
* __Web Server:__ _Apache 2.4_

https://lab.civicrm.org/dev/core/-/issues/4292
Add validation to verify html body content for empty text/ only image in mailing
2023-05-24T06:23:56Z
yashodha

Add validation to verify html body content for empty text (if img are used) and show the error accordingly.

yashodha

https://lab.civicrm.org/dev/core/-/issues/4291
Smarty variable tokens not correctly processed in message subject
2023-09-24T22:40:26Z
magnolia61

Overview
----------------------------------------
Smarty variable tokens are not processed in message subject
Reproduction steps
----------------------------------------
1. In a message template body html we have for instance {capture assign="firstname"}{contact.first_name}{/capture}
2. We use {$firstname} in the body.
3. We use {$firstname} in the subject.
4. When sending an email manually the subject token gets replaced.
5. When sending via scheduled reminders or civirules the subject token does not get replaced.
6. Worse: our automatic birthday mail batch (civirules) got firstnames of the previous contact (only in the subject)
Current behaviour
----------------------------------------
smart variables are sometimes not correctly replaced as a token in the message subject
Expected behaviour
----------------------------------------
smart variables are sometimes always correctly replaced as a token in the message subject
Environment information
----------------------------------------
- CiviCRM: 5.61.2
- CMS: Drupal 7.97
- PHP: 7.4.33 (fpm-fcgi)
- Database: 10.5.19-MariaDB-0+deb11u2-log engine: InnoDB 10 row format: Dynamic
- Webserver: Apache/2.4.56 (Debian)
- OS: Linux
Comments
----------------------------------------
I will doublecheck if this is only the case with civirules or also with the scheduled reminders

https://lab.civicrm.org/dev/core/-/issues/4290
SearchKit: Return results faster by optimizing access check
2023-05-15T08:14:11Z
larsssandergreen

Through some testing, it looks like quite a bit of the execution time for SearchKit results on Compose Search, at least for relatively simple queries, is being spent checking the current user's access to edit or delete the specific entity for the View / Edit / Delete menu in the last column. It's not too bad with just 50 rows, but if you increase the page size to 100 or more, there's a pretty perceptible difference between checking the access and skipping that access check. I had a few thoughts about how we could improve this:
1. Since we aren't actually showing the links until the user clicks on the hamburger menu, we could just add the links as usual, but then check access in JS and only unhide those that the user has access to. This way we aren't doing 100 checkAccess API calls per page of 50 entities (one for update, one for delete). This would make the Compose Search page faster as well as any Displays that contain the same menu, but wouldn't help if there are links or buttons in a Display.
2. I think quite a few of the users accessing Compose Search probably have superadmin, so we could check that at the start of the process and then skip the access checks for each row.
3. Maybe it would make sense to make it possible to pass an array of ids to the checkAccess API. I don't know the details of how this works, but imagine that would speed up the process. At least for Contacts, there already is `allowList()`, so maybe this could be implemented just for Contacts without too much trouble.

https://lab.civicrm.org/dev/core/-/issues/4288
Price set option limit = 0 should mean no spaces, rather than no limit
2023-05-15T08:16:42Z
larsssandergreen

If you set a price set option limit to 0, this is the same as not specifying a limit. I would expect that a limit of 0 would mean there are no spaces. Setting the limit to 0 is different than disabling the price set option, as disabling makes it so the option does not appear on public forms, while I expect setting the limit to 0 would just make it sold out, but still appear. I can't think of a good reason you would want 0 to be the same as no limit, but maybe others can?
Will submit PR unless there are objections. Otherwise, will add help text.

https://lab.civicrm.org/dev/core/-/issues/4287
PHP 8 - Undefined variable warnings from Smarty appear in email notifications
2023-11-14T01:40:49Z
jasonhildebrand

Overview
----------------------------------------
We recently upgraded Civi to 5.60 and PHP 8 (was previously PHP 7.x). Our site uses Drupal 7.
Since the upgrade, we are seeing errors such as ```Undefined array key "phone_type"``` appearing in our email notifications to event participants.
![screenshot](/uploads/4cee73442124f9c2a3b1158e8925c1e7/screenshot.png)
We have taken action to suppress errors and warnings in Drupal, but this does not appear to help when smarty is used to render email notifications.
Expected behaviour
----------------------------------------
I would expect these warnings not to appear, or to be suppressible with a setting, so that they can be turned off in production.
Workaround
-----------
As a workaround, I added the 3 lines marked below to civicrm/CRM/Core/TokenSmarty.php in order to suppress the warnings before rendering, then restore the error_reporting to the original setting after rendering.
Perhaps this kind of approach could be added to Civi with a configuration setting to turn these messages on/off.
```
// Evaluate/render templates
try {
  if ($useSmarty) {
    $orig_reporting = error_reporting(); // ADDED
    error_reporting(0); // ADDED
    CRM_Core_Smarty::singleton()->pushScope($smartyAssigns);
  }
  $tokenProcessor->evaluate();
  foreach ($messages as $messageId => $ign) {
    foreach ($tokenProcessor->getRows() as $row) {
      $result[$messageId] = $row->render($messageId);
    }
  }
}
finally {
  if ($useSmarty) {
    CRM_Core_Smarty::singleton()->popScope();
    error_reporting($orig_reporting); // ADDED
  }
}
```

https://lab.civicrm.org/dev/drupal/-/issues/187
Installing drupal/fontawesome causes CiviCRM to freeze the browser.
2023-05-24T06:53:44Z
darren.woods

Install vanilla Drupal 9 via composer.
Installed CiviCRM via composer according to docs.
Installed the Fontawesome module: composer require 'drupal/fontawesome:^2.25'
Loading any CiviCRM paths /civicrm/admin causes the browser to enter an infinite loop once the DOM is loaded.
Tracked it down to all.js from Fontawesome.
Removing Fontawesome module resolves it: composer remove 'drupal/fontawesome'
Could this be related to the civicrm asset plugin?
Before the browser freezes, I can see there are two icons for each admin menu option.
We would dearly love to use fa icons in our Drupal theme :pray:

https://lab.civicrm.org/dev/core/-/issues/4286
Fatal error with managed custom groups containing duplicate field names
2023-05-17T10:45:16Z
Andrew West

Overview
----------------------------------------
I have two custom groups. Each contains a field titled 'Status'. In the database they have the same 'name': 'status'.
I want these groups to be managed entities. So I export both groups using the 'export' command on the 'CustomGroup' entity. I set the export to match on 'name' - this seems the sensible field as users can't change it.
This helpfully exports everything I need: I get a .mgd.php file with each custom group, their fields, and the fields' option values.
But when I enable the extension on a test machine I get a fatal error because of the duplicate 'name'.
The first field gets created fine, but when creating the second field it erroneously matches on the first one so thinks it exists already, and things go wrong from there.
The fix is to set the 'match' parameter on the managed entity to include the custom group name too:
```
'match' => [
  'name', 'custom_group_id.name',
],
```
But you can't do this through the UI. The 'match' option on the CustomGroup Export action doesn't include fields from the CustomField entity (let alone the name).
Reproduction steps
----------------------------------------
1. Create a new extension with the two managed entities from [this gist](https://gist.github.com/awestuk/a9956427ce1937fcbd8fddeed675cef5)
2. Try to enable it
Environment information
----------------------------------------
* __CiviCRM:__ _5.60_
* __PHP:__ _7.4_
Comments
----------------------------------------
I can fix it manually by changing the field names, or by manually adding the custom_group_id.name to the .mgd.php files. But I figure duplicate names are common enough to trip people up, and it was a tough one to debug, so I thought it was worth reporting.

https://lab.civicrm.org/dev/core/-/issues/4285
Changing participant status should not add an Event Registration activity
2023-05-24T06:53:21Z
larsssandergreen

If you change a participant status, for example from Registered to Attended, an activity of type Event Registration is added with subject Event Name - Role - Status. It isn't an event registration, so the activity type should probably be Change Registration, but I'm not sure we want an activity recorded at all. Is this useful or does it just make the Activities tab less useful by filling it up with unimportant details?
For comparison, we don't record an activity for a change in contribution status, but we do record an activity for a change in membership status. This seems reasonable and the change in participant status seems more like a change in contribution status.
If someone cancels through the self service / Transfer or Cancel mechanism, a separate cancellation activity is recorded (so you end up with two activities for the cancellation).
My proposal is to not record an activity on participant status change, except through the self service mechanism.
If people feel like some of those activities are useful, maybe we could only record activities for changes to or to and from cancelled and transferred status. These should be Change Registration type activities and the separate activity from the self service mechanism would have to be removed so there is no duplication.

https://lab.civicrm.org/dev/core/-/issues/4280
FormBuilder: Form with required "Existing Contact" can't be submitted
2023-05-08T07:53:11Z
JonGold

Overview
----------------------------------------
If you put an "Existing Contact" field on a FormBuilder form, and make it required, you can't submit the form.
Reproduction steps
----------------------------------------
1. See above. Here is sample HTML/JSON for a simple case:
```json
{
    "type": "form",
    "title": "EntityRef required test",
    "icon": "fa-list-alt",
    "server_route": "civicrm/entityref-req",
    "permission": "access CiviCRM",
    "create_submission": true,
    "requires": [],
    "description": "",
    "is_dashlet": false,
    "is_public": false,
    "is_token": false,
    "entity_type": null,
    "join_entity": null,
    "contact_summary": null,
    "summary_contact_type": null,
    "redirect": null,
    "navigation": null
}
```
```html
<af-form ctrl="afform">
  <af-entity data="{contact_type: 'Organization', source: 'EntityRef required test'}" type="Contact" name="Organization1" label="Organization 1" actions="{create: true, update: true}" security="RBAC" />
  <fieldset af-fieldset="Organization1" class="af-container" af-title="Organization 1">
    <div class="af-container">
      <af-field name="id" defn="{required: true, input_attrs: {}}" />
    </div>
  </fieldset>
  <button class="af-button btn btn-primary" crm-icon="fa-check" ng-click="afform.submit()">Submit</button>
</af-form>
```
Current behaviour
----------------------------------------
```
Form Error
Please fill all required fields.
```
Expected behaviour
----------------------------------------
Form is submitted if the field is populated.

https://lab.civicrm.org/dev/core/-/issues/4276
Using profile in create mode with dedupe rule allows for leaking of private information
2023-05-24T06:51:10Z
larsssandergreen

Overview
----------------------------------------
An anonymous user filling in a profile who leaves fields blank in create mode with deduping enabled will be shown the existing values for those fields if a duplicate is found. So if you have an unsupervised dedupe rule of email only, then anyone can enter a contact's email and leave the remaining fields blank. They will be shown existing data for that contact for fields that appear on the profile. This creates the potential to leak private information to anyone who knows minimal information about a contact and potentially could be used maliciously to expose data.
Reproduction steps
----------------------------------------
1. Create a profile that includes the fields in your unsupervised dedupe rule, plus any other fields desired.
1. Use the profile in create mode anonymously, filling in only the fields required to match to an existing contact and leaving the other fields empty.
1. After submitting the profile, you are shown all the data for the fields left blank for that existing contact.
Current behaviour
----------------------------------------
Profile fields that are submitted blank are shown with existing data on the profile confirmation screen.
Additionally, the confirmation page URL contains both the contact id and checksum for the matched contact, which could be used to access other profiles or forms, exposing additional data.
Expected behaviour
----------------------------------------
All profile fields should be shown exactly as submitted on the profile confirmation screen.
The confirmation page URL should not show the contact id and checksum for the matched contact.
Comments
----------------------------------------
Have marked this confidential, since there is a potential for malicious use.