Add uuid to prevent form resubmission
manics committed Jun 24, 2019
1 parent b135890 commit 75aa846
Showing 2 changed files with 16 additions and 2 deletions.
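--- a/omero_signup/templates/signup/index.html
+++ b/omero_signup/templates/signup/index.html
@@ -115,6 +115,8 @@
 {% endif %}
 </div>
 
+<input name="requestid" type="hidden" value="{{ requestid }}" />
+
 <div>
 <input type="submit" value="Create account"/>
 </div>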
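--- a/omero_signup/views.py
+++ b/omero_signup/views.py
@@ -5,6 +5,7 @@
 import random
 import string
 from datetime import datetime
+from uuid import uuid4
 
 from django.conf import settings
 from django.http import HttpResponse, HttpResponseRedirect
@@ -77,13 +78,19 @@ def handle_not_logged_in(self, request, error=None, form=None):
 """
 Signup form
 """
+
+# Store id in session to prevent forum resubmission
+requestid = str(uuid4())
+request.session['requestid'] = requestid
+
 if form is None:
 form = self.form_class()
 context = {
 'version': omero_version,
 'build_year': build_year,
 'error': error,
-'form': form
+'form': form,
+'requestid': requestid,
 }
 if hasattr(settings, 'LOGIN_LOGO'):
 context['LOGIN_LOGO'] = settings.LOGIN_LOGO
@@ -100,7 +107,12 @@ def post(self, request):
 error = None
 form = self.form_class(request.POST.copy())
 
-if form.is_valid():
+session_requestid = request.session.pop('requestid', None)
+post_requestid = request.POST.get('requestid')
+if not session_requestid or session_requestid != post_requestid:
+error = 'Invalid requestid: %s' % post_requestid
+
+if not error and form.is_valid():
 user = dict(
 firstname=form.cleaned_data['firstname'],
 lastname=form.cleaned_data['lastname'],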
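Review bot: In `post`, the rejection message interpolates the client-supplied value taken from `request.POST` (`error = 'Invalid requestid: %s' % post_requestid`), so whatever the client sends is echoed back into the rendered page and into anything that records `error`; safe output then rests entirely on template auto-escaping, which this diff does not show. A fixed message such as `error = 'This form has expired or was already submitted; please reload and try again'` tells the user the same thing without reflecting input. Separately, `request.session.pop('requestid', None)` only makes the token single-use once the session has been saved, so two near-simultaneous submits may both pass the check depending on the session backend; worth confirming if a duplicate signup matters here. The new comment in `handle_not_logged_in` reads "forum resubmission" where "form resubmission" is meant. Both function bodies continue outside the hunks shown.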
