fixed guessable CSRF token when detect_record_change, thanks Stephen Röttger
This commit is contained in:
@@ -1 +1 @@
|
||||
Version 2.9.5-trunk+timestamp.2014.07.02.07.25.19
|
||||
Version 2.9.5-trunk+timestamp.2014.07.02.08.25.23
|
||||
|
||||
@@ -222,7 +222,7 @@ class Collection(object):
|
||||
'href':URL(args=request.args,vars=vars,scheme=True)}
|
||||
if self.extensions and limitby[0]>0:
|
||||
vars = dict(request.get_vars)
|
||||
vars['_offset'] = max(0,limitby[0]-1-delta)
|
||||
vars['_offset'] = max(0,limitby[0]-delta)
|
||||
vars['_limit'] = limitby[0]
|
||||
r['previous'] = {'rel':'previous',
|
||||
'href':URL(args=request.args,vars=vars,scheme=True)}
|
||||
|
||||
@@ -133,6 +133,8 @@ def populate_generator(table, default=True, compute=False, contents={}):
|
||||
continue
|
||||
elif field.type == 'id':
|
||||
continue
|
||||
elif field.type == 'upload':
|
||||
continue
|
||||
elif default and not field.default in (None, ''):
|
||||
record[fieldname] = field.default
|
||||
elif compute and field.compute:
|
||||
@@ -153,8 +155,6 @@ def populate_generator(table, default=True, compute=False, contents={}):
|
||||
record[fieldname] = datetime.time(h, m, 0)
|
||||
elif field.type == 'password':
|
||||
record[fieldname] = ''
|
||||
elif field.type == 'upload':
|
||||
record[fieldname] = None
|
||||
elif field.type == 'integer' and \
|
||||
hasattr(field.requires, 'options'):
|
||||
options = field.requires.options(zero=False)
|
||||
|
||||
+2
-2
@@ -2101,7 +2101,7 @@ class FORM(DIV):
|
||||
status = False
|
||||
if status and session:
|
||||
# check if editing a record that has been modified by the server
|
||||
if hasattr(self, 'record_hash') and self.record_hash != formkey:
|
||||
if hasattr(self, 'record_hash') and self.record_hash != formkey.split(':')[0]:
|
||||
status = False
|
||||
self.record_changed = changed = True
|
||||
status = self._traverse(status, hideerror)
|
||||
@@ -2129,7 +2129,7 @@ class FORM(DIV):
|
||||
status = False
|
||||
if not session is None:
|
||||
if hasattr(self, 'record_hash'):
|
||||
formkey = self.record_hash
|
||||
formkey = self.record_hash+':'+web2py_uuid()
|
||||
else:
|
||||
formkey = web2py_uuid()
|
||||
self.formkey = formkey
|
||||
|
||||
Reference in New Issue
Block a user