
0001-forms-don-t-let-autosave-replace-values-that-were-su.patch

Frédéric Péters, 20 janvier 2016 14:31


Subject: [PATCH 1/4] forms: don't let autosave() replace values that were
 submitted later on (#9701)

 tests/test_form_pages.py | 15 +++++++++++++++
 wcs/forms/root.py        | 26 +++++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
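--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@@ -2089,6 +2089,21 @@
     assert formdef.data_class().select()[0].data['1'] == 'foobar3'
     assert formdef.data_class().select()[0].data['3'] == 'xxx3'
 
+    # make sure autosave() doesn't destroy data that would have been submitted
+    # in the meantime
+    formdef.data_class().wipe()
+    app = get_app(pub)
+    resp = app.get('/test/')
+    resp.form['f1'] = 'foobar'
+    autosave_fields = resp.form.submit_fields()
+    resp.form['f1'] = 'foobar3'
+    resp = resp.forms[0].submit('submit')
+    assert formdef.data_class().select()[0].data['1'] == 'foobar3'
+
+    # post content with 'foobar' as value, it should not be saved
+    ajax_resp = app.post('/test/autosave', params=autosave_fields)
+    assert json.loads(ajax_resp.body)['result'] == 'error'
+    assert formdef.data_class().select()[0].data['1'] == 'foobar3'
 
 def test_file_field_validation(pub, fargo_url):
     user = create_user(pub)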
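Review bot: The assertion at new line 2105 only checks `result == 'error'`, so the test would also pass if the autosave request were rejected for an unrelated reason (the handler also answers `'nothing to save'`), not specifically because the form token was invalidated by the earlier submit. Pinning the reason makes the regression test say what it guards against: `assert json.loads(ajax_resp.body)['reason'] == 'obsolete ajax form token'`. The enclosing test function starts outside this section.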
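--- a/wcs/forms/root.py
+++ b/wcs/forms/root.py
@@ -30,7 +30,8 @@
 except ImportError:
     qrcode = None
 
-from quixote import get_publisher, get_request, get_response, get_session, redirect
+from quixote import (get_publisher, get_request, get_response, get_session,
+        get_session_manager, redirect)
 from quixote.directory import Directory, AccessControlled
 from quixote.util import randbytes
 from quixote.form.widget import *
@@ -344,6 +345,8 @@
             self.feed_current_data(magictoken)
 
         form = self.formdef.create_form(page_no, displayed_fields)
+        if getattr(session, 'ajax_form_token', None):
+            form.add_hidden('_ajax_form_token', session.ajax_form_token)
         if get_request().is_in_backoffice():
             form.attrs['data-is-backoffice'] = 'true'
         form.action = self.action_url
@@ -512,6 +515,18 @@
             return redirect(self.check_disabled())
 
         session = get_session()
+        if self.formdef.enable_tracking_codes:
+            if get_request().form.get('_ajax_form_token'):
+                # _ajax_form_token is immediately removed, this prevents
+                # late autosave() to overwrite data after the user went to a
+                # different page.
+                try:
+                    session.remove_form_token(get_request().form.get('_ajax_form_token'))
+                except ValueError:
+                    # already got removed, this may be because the form got
+                    # submitted twice.
+                    pass
+            session.ajax_form_token = session.create_form_token()
 
         if get_request().form.get('magictoken'):
             no_magic = object()
@@ -808,6 +823,9 @@
         def result_error(reason):
             return json.dumps({'result': 'error', 'reason': reason})
 
+        if not get_session().has_form_token(get_request().form.get('_ajax_form_token')):
+            return result_error('obsolete ajax form token')
+
         try:
             page_no = int(get_request().form.get('page'))
         except TypeError:
@@ -831,6 +849,12 @@
             return result_error('nothing to save')
 
         form_data.update(data)
+
+        # reload session to make sure _ajax_form_token is still valid
+        session = get_session_manager().get(get_session().id)
+        if not session.has_form_token(get_request().form.get('_ajax_form_token')):
+            return result_error('obsolete ajax form token (late check)')
+
         draft_formdata = self.save_draft(form_data, page_no)
 
         return json.dumps({'result': 'success'})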
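Review bot: The late check at new line 855 narrows the race but does not close it: a submit that removes the token between this `has_form_token()` call and `save_draft()` on 858 can still have its data overwritten by the draft, since nothing serialises the two handlers. The comment on 853 should say so rather than promise validity, e.g. `# re-check _ajax_form_token on a fresh session: this shrinks, but does not remove, the window in which a concurrent submit can be overwritten by this draft`. If `get_session_manager().get()` can return None for an expired or deleted session (not visible here), 855 raises AttributeError instead of returning the JSON error; `if session is None or not session.has_form_token(...)` would keep the `result_error` contract. Binding `token = get_request().form.get('_ajax_form_token')` once would also remove the three repeated lookups across 826, 855 and 524. The autosave method and the form-handling method both start and end outside these hunks.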
837
-