From 75aa84641b2dd7efb4cf825a4bb6ddf39046cccd Mon Sep 17 00:00:00 2001
From: Simon Li
Date: Mon, 24 Jun 2019 16:15:07 +0100
Subject: [PATCH] Add uuid to prevent form resubmission
---
 omero_signup/templates/signup/index.html | 2 ++
 omero_signup/views.py | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/omero_signup/templates/signup/index.html b/omero_signup/templates/signup/index.html
index 06a4ac1..3fa3112 100644
--- a/omero_signup/templates/signup/index.html
+++ b/omero_signup/templates/signup/index.html
@@ -115,6 +115,8 @@ {% endif %} + +
diff --git a/omero_signup/views.py b/omero_signup/views.py
index 51735af..1bf98c0 100644
--- a/omero_signup/views.py
+++ b/omero_signup/views.py
@@ -5,6 +5,7 @@
 import random
 import string
 from datetime import datetime
+from uuid import uuid4
 from django.conf import settings
 from django.http import HttpResponse, HttpResponseRedirect
@@ -77,13 +78,19 @@ def handle_not_logged_in(self, request, error=None, form=None):
 """ Signup form """
+
+ # Store id in session to prevent forum resubmission
+ requestid = str(uuid4())
+ request.session['requestid'] = requestid
+
 if form is None:
 form = self.form_class()
 context = {
 'version': omero_version,
 'build_year': build_year,
 'error': error,
- 'form': form
+ 'form': form,
+ 'requestid': requestid,
 }
 if hasattr(settings, 'LOGIN_LOGO'):
 context['LOGIN_LOGO'] = settings.LOGIN_LOGO
@@ -100,7 +107,12 @@ def post(self, request):
 error = None
 form = self.form_class(request.POST.copy())
- if form.is_valid():
+ session_requestid = request.session.pop('requestid', None)
+ post_requestid = request.POST.get('requestid')
+ if not session_requestid or session_requestid != post_requestid:
+ error = 'Invalid requestid: %s' % post_requestid
+
+ if not error and form.is_valid():
 user = dict(
 firstname=form.cleaned_data['firstname'],
 lastname=form.cleaned_data['lastname'],
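Review bot: The mismatch branch in post() reflects the client-supplied `post_requestid` into `error`, which handle_not_logged_in passes to the template as context['error'], so an attacker-controlled value ends up in a user-facing message and the internal name 'requestid' tells the user nothing useful. A fixed message is safer and clearer, e.g. `error = 'This form has expired or was already submitted; please reload the page and try again.'`, with the mismatching value logged server-side if it is needed for debugging. Because handle_not_logged_in overwrites `request.session['requestid']` on every render, a user with the form open in two tabs will presumably have the first submission rejected; a comment stating that this is intended would help the next maintainer. The comment added in handle_not_logged_in reads 'forum resubmission' where 'form resubmission' is meant. Both handle_not_logged_in and post begin outside their hunks.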