possible fix to issue 1688, support for multiple forms with same formname in different browser pages

2013-09-26 11:26:08 -05:00
parent a8cbb1590d
commit 09ba525f2e
2 changed files with 10 additions and 4 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-Version 2.6.4-stable+timestamp.2013.09.26.07.55.44
+Version 2.6.4-stable+timestamp.2013.09.26.11.24.52
--- a/gluon/html.py
+++ b/gluon/html.py
@@ -2017,10 +2017,14 @@ class FORM(DIV):
        changed = False
        request_vars = self.request_vars
        if session is not None:
-            formkey = session.get('_formkey[%s]' % formname, None)
+            formkey = request_vars._formkey
+            keyname = '_formkey[%s]' % formname
+            formkeys = session.get(keyname, [])
            # check if user tampering with form and void CSRF
-            if not formkey or formkey != request_vars._formkey:
+            if not formkeys or formkey not in formkeys:
                status = False
+            else:
+                session[keyname].remove(formkey)
        if formname != request_vars._formname:
            status = False
        if status and session:
@@ -2056,7 +2060,9 @@ class FORM(DIV):
                formkey = self.record_hash
            else:
                formkey = web2py_uuid()
-            self.formkey = session['_formkey[%s]' % formname] = formkey
+            self.formkey = formkey
+            keyname = '_formkey[%s]' % formname
+            session[keyname] = session.get(keyname,[])[-9:] + [formkey]
        if status and not keepvalues:
            self._traverse(False, hideerror)
        self.accepted = status