Using CMFFormController¶
Description
How to create and validate forms in Plone using its CMFFormController. Be sure to also read the CMFFormController tutorial in the Products/CMFFormController/documentation directory, included with your copy of Plone. This how-to is also available in Products/CMFFormController/www/ as the file docs.stx, included with Plone.
The CMFFormController package helps developers by simplifying the process of validating forms. It also makes it easier for site administrators to override some of the behavior of packages without modifying code, making it easier to upgrade packages without disturbing the modifications.
How it works:
- Developers associate a set of default variables for their Page Templates. These variables control the validation that takes place after the form is submitted and the actions that occur after validation. The variables are stored on the filesystem in the .metadata properties file.
- Site administrators can override the default validations and actions using the ZMI. Once a set of validations or actions has been specified in the ZMI, the default validations and actions will be ignored.
Forms¶
To take advantage of CMFFormController, you need to use Controller Page Templates rather than ordinary Page Templates. Controller Page Templates act just like ordinary Page Templates, but they do some extra work when they are viewed.
Here is a basic form that uses CMFFormController:
<form tal:define="errors options/state/getErrors"
tal:attributes="action string:${here/absolute_url}/${template/id};"
method="post">
<input type="hidden" name="form.submitted" value="1" />
<p tal:define="err errors/foo|nothing" tal:condition="err" tal:content="err" />
<input type="text"
name="foo"
tal:define="val request/foo|nothing"
tal:attributes="value val" />
<input type="submit" name="submit" value="submit" />
</form>
Let's take a look.
- First, we note that the form is set up to submit to itself. Forms must submit to themselves.
- Second, we see the special hidden variable
form.submitted. The controlled page template checks the REQUEST for form.submitted to see if the form has been submitted or if, instead, it has just been accessed, e.g. via a link. Forms must contain the hidden variable ``form.submitted`` - At the beginning of the form we set the variable errors. The errors
dictionary comes from the state object which is passed in the
template options. The state object lets validators and scripts pass
information to each other and to forms. For our purposes, the most
important information is the errors dictionary, which has entries of
the form
{field_name:error_message}.
Before we can use this form we need to specify the validators that will be used to check the form values, and we need to specify the action that will occur after validation.
Specifying Validators¶
There are two basic ways to specify a form's validators.¶
- You can specify the validators in the .metadata properties for filesystem-based Controller Page Templates.
- You can specify the validators via the ZMI (or programmatically).
These values will be stored in the ZODB as attributes of the
portal_form_controllerobject.
If you specify validators in both places, the validators specified in the ZMI will take precedence over those specified in the .metadata file.
Specifying Validators on the Filesystem¶
You can specify validators on the filesystem using an objects .metadata properties file.
To create a .metadata file, simply create a file with the same name as
your page template, and then append .metadata to the end of the name of
the file. For instance, you might have a Controller Page Template called
document_edit_form.cpt. The properties for that file would be stored
in a file called document_edit_form.cpt.metadata
The .metadata file uses the standard python ConfigParser syntax. The validator section of the .metadata file would look like:
[validators]
validators = validate_script1, validate_script2
The validation scripts validate_script1 and validate_script2
will be called in order.
Type-Specific Validators¶
Suppose you want different validators to be called, depending on the type of context the form has.
You can do so as follows:
[validators]
validators = validate_script1
validators.Document = validate_script2
In the above example, if the context is a Document object,
validate_script2 will be called for validation; for everything else,
only validate_script1 will be called.
Note that the order in which the variables are specified does not matter; the type-specific validators override non-specific validators if both are applicable.
Button-Specific Validators¶
Suppose instead that you have two different buttons on your form, and you want different validation sequences to occur depending on which button is pressed. You can accomplish this as follows:
First, name your buttons button1 and button2:
<input type="submit"
name="form.button.button1"
value="First Button" />
<input type="submit"
name="form.button.button2"
value="Second Button" />
Next, specify validators in the .metadata file for button1 and for button2:
[validators]
validators..button1 = validate_script1, validate_script3
validators..button2 = validate_script2, validate_script4
Note the presence of the ... This is a placeholder for a type
specifier. You could further specify that validate_script5 is called
if button2 is pressed and the context is a Document by adding:
[validators]
validators.Document.button2 = validate_script5
Remember that button specific validators take precedence over non-specific validators.
Specifying Validators in the ZMI¶
If you look at a Controller Page Template in the ZMI, you will see that it looks just like an ordinary Page Template with two extra tabs, Validation and Actions. Click on the Validation tab.
The Validation tab shows all the validators for the page template in question. You can specify validators with the same kind of specialization options as above via a web form.
The validator information for all forms is stored in the
portal_form_controller tool in your portal. This means that you can
specify validators for filesystem objects with no problems, since the
information is persisted in the ZODB. Note that the validator
information is bound to the form's Id, so all forms with the same Id use
the same validators. This keeps things simple when you have multiple
skins:
Forms with the same Id use the same validators, no matter what skin they are in.
When a form is submitted, it first checks to see if there are any applicable validators that have been specified via the ZMI. If it finds one, it uses it. If it does not find a validator via the ZMI, it then checks the REQUEST object to see if validators have been specified in hidden variables. As a result, validators specified in the ZMI take precedence over those specified in forms.
Specifying Validators Programmatically¶
The portal's portal_form_controller tool has methods you can use to
specify the validators for a given ControllerPageTemplate. The API is as
follows:
portal_form_controller.addFormValidators(id,
context_type,
button,
validators)
Here id is the Id of the ControllerPageTemplate, context_type is
the class name for the class of the context object, button is the
name of the button pressed, and validators is a comma-delimited string
or a list of strings. If you want a validator to act for any class, set
context_type to None. Similarly, you want a validator to act for any
button, set button to None.
Specifying Actions¶
The sequence of validators that is executed returns a status in the
state object. The default status is success, i.e. if no validators
are executed, the status will be success. If a validator encounters
an error, it will typically set the status to failure. The next
thing we need to do in your form is to specify what happens when a given
status is returned.
As with validators, there are two basic ways to specify a form's actions.
- You can specify the actions in the .metadata properties for filesystem-based Controller Page Templates and Controller Python Scripts.
- You can specify the actions via the ZMI (or programmatically). These
values will be stored in the ZODB as attributes of the
portal_form_controllerobject.
If you specify actions in both places, the actions specified in the ZMI will take precedence over those specified in the form.
Specifying Actions on the Filesystem¶
You can specify actions on the filesystem using an objects .metadata properties file.
Actions are stored in the same .metadata file as the validators. The syntax for the actions section of your file would look like:
[actions]
action.success = traverse_to:string:script1
In the above example, when the form is submitted and the validation
scripts return a status of success, the traverse_to action is
called with the argument string:script1, i.e. if the form data is
valid, we run the script script1. Alternatively, we could specify
action.success = redirect_to:string:http://my_url_here, which would
cause the browser to be redirected to http://my_url_here.
The default action for the failure status is to reload the current
form. The form will have access to all the error messages, via the state
object in its options.
Type-Specific Actions¶
Suppose you want different actions to occur depending on the type of context the form has.
You can do so as follows:
[actions]
action.success = traverse_to:string:script1
action.success.Document = traverse_to:string:document_script
In the above example, if the context is a Document object, document_script will be executed upon successful validation; for everything else, script1 will be executed. Note that the order in which the variables are specified does not matter; the type-specific actions will override non-specific actions if both are applicable.
Button-Specific Actions¶
Suppose instead that you have two different buttons on your form, and you want different actions to occur depending on which button is pressed. You can accomplish this as follows:
First, name your buttons button1 and button2:
<input type="submit"
name="form.button.button1"
value="First Button" />
<input type="submit"
name="form.button.button2"
value="Second Button" />
Next, specify actionss for button1 and for button2:
[actions]
action.success..button1 = traverse_to:string:script1
action.success..button2 = traverse_to:string:script2
Note the presence of the ... This is a placeholder for a type
specifier. You could further specify that document_script2 is called
if button2 is pressed and the context is a Document by adding:
[actions]
action.success.Documnet.button2 = traverse_to:string:document_script2
Specifying Actions in the ZMI¶
If you look at a Controller Page Template in the ZMI, you will see that it looks just like an ordinary Page Template with two extra tabs, Validation and Actions. Click on the Actions tab.
The Actions tab shows all the actions for the page template in question. You can specify actions with the same kind of specialization options as above via a web form.
The action information for all forms is stored in the
portal_form_controller tool in your portal. This means that you can
specify actions for filesystem objects with no problems, since the
information is persisted in the ZODB. Note that the action information
is bound to the form's Id, so all forms with the same Id use the same
actions. This keeps things simple when you have multiple skins: forms
with the same Id use the same actions, no matter what skin they are in.
When a form is submitted, it first checks to see if there are any applicable actions that have been specified via the ZMI. If it finds one, it uses it. If it does not find an action via the ZMI, it then checks the REQUEST object to see if actions have been specified in hidden variables. As a result, actions specified in the ZMI take precedence over those specified in forms.
Specifying Actions Programmatically¶
The portal's portal_form_controller tool has methods you can use to
specify the actions for a given ControllerPageTemplate. The API is as
follows:
portal_form_controller.addFormAction(id,
status,
context_type,
button,
action_type,
args)
Here id is the Id of the ControllerPageTemplate, status is the
status for which the action will be executed, context_type is the
class name for the class of the context object, button is the name
of the button pressed, action_type is the type of action that will
occur, and args is a string (typically a TALES expression) that will
be passed to the action. If you want an action to be executed for any
class, set context_type to None. Similarly, you want an action to be
executed for any button, set button to None.
Validation Scripts¶
When writing validation scripts, use Controller Validators instead of Python Scripts. Controller Validators are just like ordinary Scripts with the addition of a ZMI Actions tab. On the file system, Controller Validators use the extension .vpy rather than .py.
Let's take a look at a basic validation script that tests the REQUEST
value n to see if it is an integer:
n = context.REQUEST.get('n', None)
if not n:
state.setError('n', 'Please enter a value', new_status='failure')
else:
try:
int(n)
except ValueError:
state.setError('n', 'Please enter an integer',
new_status='failure')
if state.getErrors():
state.set(portal_status_message='Please correct the errors shown.')
return state
The first thing to note is that Controller Validators have a built-in
state object called state. This state object (of class
ControllerState) contains basic information about what has happened
during the validation chain.
The state object has a status attribute which contains the current
validation status. The initial status is success. If errors are
detected by validators, they set the status to something else, typically
failure.
The state object also stores errors that have been detected. The
setError method is used to set an error message for a particular
variable. The setError method has the optional new_status argument
that can be used to both set an error message as well as to update the
status. You can see if an error message has already been stored for a
particular variable by calling state.getError(variable_name).
The set method lets you set multiple attributes of the state object all at once, e.g.:
state.set(status='my_new_status')
You can also pass keyword arguments to the state object via the set
method. These arguments will get passed along by the action. The
traverse_to action places these keyword arguments in the REQUEST.
The redirect_to action adds them to the query string of the URL to
which it is redirecting.
Finally, we return the state object.
Another interesting example is email validation:
from Products.CMFDefault.utils import checkEmailAddress
from Products.CMFDefault.exceptions import EmailAddressInvalid
email = context.REQUEST.get('email', None)
if not email:
state.setError('email', 'No e-mail address')
else:
# Do try-catch here because checkEmailAddress will throw an exception
# instead of saying "no, not valid".
try:
checkEmailAddress(email)
email_ok = True
except EmailAddressInvalid:
email_ok = False
if not email_ok:
state.setError('email', 'Invalid e-mail address.')
Scripts¶
When writing scripts that do some processing after a validated form, you can use Controller Python Scripts instead of ordinary Python Scripts to let site managers override their actions via the ZMI. On the file system, Controller Python Scripts use the extension .cpy rather than .py. Note that Controller Validators and Controller Python Scripts differ in signficant ways. Be sure to use the appropriate script type (Controller Validator or Controller Python Script) and/or the appropriate file extension (.cpy or .vpy).
Let's take a look at a basic script that sets a context attribute to the
value n that is passed in via the 'REQUEST':
context.n = context.REQUEST.get('n')
# Optionally set the default next action (this can be overridden
# in the ZMI)
state.setNextAction('redirect_to:string:view')
# Optionally pass a message to display to the user
state.setKwargs({'portal_status_message':'You set context.n to %s.' % str(context.n)})
return state
Note that you will usually want to use the traverse_to action to
call your script. This will ensure that form variables set in the
REQUEST object are available to your script.
This script sets its action to redirect to the relative url view for
the current context object. The status has not been set, so it is the
default status, success.
The state.setNextAction directive above is analogous to having the
following line in your .metadata file:
[actions]
action.success = redirect_to:string:view
As with the .metadata file, the default action specified in the script can be overridden via the ZMI. This allows site managers to override post-script actions without having to customize your code.
Finally, we return the state object.
Validation for Scripts¶
Having separate validation scripts typically means that validation is moved out of scripts. This simplifies scripts, but means that it is possible to call them directly with invalid data. We can prevent this problem by adding validators to scripts. Controller Python Scripts use the same ZMI and/or .metadata file mechanisms for adding validators as do Controller Page Templates.
Each time a validator is called, it logs the call in the state object. Validation is smart enough that if a validator is called by a form, it will not be called again by the script.
Note that if you associate validators with a script, you will need to
set a sensible failure status action, since scripts do not set such
an action by default. You may wish to define a different failure status
for failures that occur within your script, e.g. script_failure.
Then you can specify a behavior for failures that occur as a result of
invalid parameters coming in and for failures that occur within the
script.