From b6390664f99a5d9aa2cbe593490110fb51699e9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Mon, 18 Jan 2016 22:20:06 +0100
Subject: [PATCH 2/4] forms: don't let autosave() with errors modify user session (#9701)

---
 wcs/forms/root.py | 1 +
 wcs/qommon/http_request.py | 1 +
 wcs/qommon/publisher.py | 3 ++-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/wcs/forms/root.py b/wcs/forms/root.py
index 3b4042d..d9b405e 100644
--- a/wcs/forms/root.py
+++ b/wcs/forms/root.py
@@ -821,6 +821,7 @@ class FormPage(Directory):
 def autosave(self):
 get_response().set_content_type('application/json')
 def result_error(reason):
+ get_request().ignore_session = True
 return json.dumps({'result': 'error', 'reason': reason})
 if not get_session().has_form_token(get_request().form.get('_ajax_form_token')):
diff --git a/wcs/qommon/http_request.py b/wcs/qommon/http_request.py
index d4dc578..3646751 100644
--- a/wcs/qommon/http_request.py
+++ b/wcs/qommon/http_request.py
@@ -30,6 +30,7 @@ class HTTPRequest(quixote.http_request.HTTPRequest):
 self.response = HTTPResponse()
 self.charset = get_publisher().site_charset
 self.is_json_marker = None
+ self.ignore_session = False
 _user = () # use empty tuple instead of None as None is a "valid" user value
 def get_user(self):
diff --git a/wcs/qommon/publisher.py b/wcs/qommon/publisher.py
index ec61871..32150b3 100644
--- a/wcs/qommon/publisher.py
+++ b/wcs/qommon/publisher.py
@@ -279,7 +279,8 @@ class QommonPublisher(Publisher):
 client.captureException(exc_tuple, extra=extra, tags=tags)
 def finish_successful_request(self):
- Publisher.finish_successful_request(self)
+ if not self.get_request().ignore_session:
+ self.session_manager.finish_successful_request()
 self.statsd.increment('successful-request')
 def finish_failed_request(self):
-- 
2.7.0.rc3
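Review bot: Setting `ignore_session` as a side effect of the `result_error` closure is easy to miss when reading `autosave`, and only error paths that go through that helper are covered; `autosave` continues past the hunk, so any error path that returns without calling `result_error`, or that raises, presumably relies on the failed-request path instead — worth confirming. A one-line comment on the added line would make the intent explicit: `# error replies must not persist session changes (#9701)`. The placement is fine as long as every early error return in the rest of the method (the form-token check visible here included) goes through `result_error`.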
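Review bot: The new `ignore_session` attribute gets no comment, while the neighbouring `_user` default does, so a reader of `HTTPRequest` cannot tell from this file what the flag controls. Suggest `self.ignore_session = False  # True: the publisher skips persisting the session when the request finishes`. The attribute is only initialised here (the enclosing `__init__` starts outside the hunk), so request objects constructed without running this initialiser would lack it; readers of the flag should be tolerant of that.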
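Review bot: `finish_successful_request` now calls `self.session_manager.finish_successful_request()` directly instead of `Publisher.finish_successful_request(self)`, so anything else the inherited implementation did on the success path is silently dropped; if the base method only delegates to the session manager this is harmless, but it should be confirmed against the Quixote base class. The guard also assumes every request object carries `ignore_session`; a request built from a class other than `HTTPRequest` would raise `AttributeError` at the very end of an otherwise successful request. A tolerant lookup keeps the fix robust: `if not getattr(self.get_request(), 'ignore_session', False):`. A short comment stating why the session is skipped (error replies from autosave must not persist session state, #9701) would also help, since the flag's producer lives in another module.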