Not working for versions >2.2.1

carlo

Apr 26, 2013, 12:26:29 PM
to web...@googlegroups.com
Hi, a strange problem with the latest version and Python 2.5

This action works fine in version 2.2.1 and before.

Now hitting Submit there is no redirection, the page just reloads, no errors.

What is the problem? Thank you.




def creanuovo_1():
    import datetime
    session.clear()

    now=datetime.date.today()
    now=now.strftime("%d-%m-%Y")

    form = SQLFORM(
        db.preventivi,
        fields=['id_clienti', 'id_agente', 'compil', 'data_prev', 'id_tipo',
                'descriz_est', 'descriz_br', 'copie_nom', 'note'],
        col3={
            'id_clienti': SPAN("a chi andrà intestata l'offerta", _style='color:grey'),
            'compil': SPAN('nome di chi compila', _style='color:grey'),
            'id_tipo': SPAN('descrizione generica del prodotto', _style='color:gray'),
            'descriz_est': SPAN('descrizione per il cliente', _style='color:gray'),
            'note': SPAN('eventuali note aggiuntive', _style='color:gray'),
            'descriz_br': SPAN('descrizione per i reparti', _style='color:grey'),
        },
        submit_button='Avanti')

    if form.accepts(request.vars, session, dbio=False):
        session.anagrafica=dict(form.vars)
        cliente=db(db.clienti.id==session.anagrafica['id_clienti']).select(db.clienti.ragsoc)[0]['ragsoc']
        tipo=db(db.tipo_prodotto.id==session.anagrafica['id_tipo']).select(db.tipo_prodotto.descriz)[0]['descriz']
        session['anagrafica']['cliente']=cliente
        session['anagrafica']['tipo']=tipo
        session.no_copie_alt=True
        redirect(URL('creanuovo_2'))
  

    return dict(form=form)

Anthony

Apr 26, 2013, 12:41:15 PM
to web...@googlegroups.com
At the beginning of the function you clear the session, yet the form's _formkey is stored in the session. If you pass the session to form.accepts(), it checks for the _formkey and will not accept the form if it is not found. This code would not have worked in any prior version of web2py. Note, you need the session and _formkey to protect against CSRF attacks (and double submission).

Anthony

Carlo Bazzo

Apr 27, 2013, 4:48:44 AM
to web...@googlegroups.com
Thank you Anthony,

Never spotted that error because, as I said, until version 2.2.1 it was working anyway; maybe session.clear() did not behave as expected?

Carlo

Anthony

Apr 28, 2013, 2:43:25 PM
to web...@googlegroups.com
Actually, it only appeared to be working prior to 2.2.1. What happened with prior versions is that you inadvertently turned off your CSRF protection. In earlier versions, session.clear() would completely clear the session, so you ended up passing an empty session to form.accepts(). Because the session was empty, it skipped the _formkey check altogether (just as if you hadn't passed the session in at all).

More recently, the session object was changed so it always includes a _session_hash, even after you call session.clear(). So, now if you do session.clear() right before calling form.accepts(), it will no longer skip the _formkey check, and instead you'll get a failure to pass the check (because the _formkey has been removed from the session).

Anthony
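
Added example, not part of the original thread and not web2py source: a toy Python model of the behaviour described in the post above, where clearing the session before the check either switches the _formkey check off (older clear) or makes every submission fail (newer clear that keeps _session_hash). The dict-based session, the function names and the check-then-clear ordering are assumptions made for illustration.

```python
import uuid

HASH = "_session_hash"  # key name taken from the thread; everything else is a toy model

def key_name(formname):
    return "_formkey[%s]" % formname

def render_form(session, formname):
    """Issue a one-time token: stored server-side and embedded in the form."""
    token = uuid.uuid4().hex
    session[key_name(formname)] = token
    return {"_formname": formname, "_formkey": token}

def clear_session(session, keeps_hash):
    """keeps_hash=False models the older clear(); True models the newer one."""
    session.clear()
    if keeps_hash:
        session[HASH] = "constructed-value"

def accepts(post, session, formname):
    """Token check as described in the thread: skipped for a missing or empty session."""
    if not session:                                   # None or {} -> no CSRF check at all
        return True
    expected = session.pop(key_name(formname), None)  # single use: blocks double submission
    return expected is not None and post.get("_formkey") == expected

def submit(post, session, formname, clear_first, keeps_hash):
    """Controller ordering under test: clear before the check, or only after it passes."""
    if clear_first:
        clear_session(session, keeps_hash)
    ok = accepts(post, session, formname)
    if ok and not clear_first:
        clear_session(session, keeps_hash)
    return ok

def run_cases():
    forged = {"_formname": "f"}   # constructed cross-site POST that carries no token
    cases = [("old_clear_first", True, False),
             ("new_clear_first", True, True),
             ("check_then_clear", False, True)]
    results = {}
    for label, clear_first, keeps_hash in cases:
        for kind in ("legit", "forged"):
            session = {}
            form = render_form(session, "f")
            post = dict(form) if kind == "legit" else forged
            results[label + ":" + kind] = submit(post, session, "f", clear_first, keeps_hash)
    return results

if __name__ == "__main__":
    for name, accepted in sorted(run_cases().items()):
        print(name, accepted)
```

The `old_clear_first` rows are the ones to look at: the forged POST is accepted exactly like the legitimate one, which is what "it only appeared to be working" means in practice.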

Carlo Bazzo

Apr 29, 2013, 2:19:32 AM
to web...@googlegroups.com
Thank you Anthony, now everything makes sense.

carlo