scipy / SciPyCentral

SciPy Central
http://scipy-central.org
BSD 3-Clause "New" or "Revised" License

Unable to create revisions #140

Closed ksurya closed 10 years ago

ksurya commented 11 years ago

With the current master, the site is unable to create revisions of existing submissions. I tested the changes and found that https://github.com/scipy/SciPyCentral/commit/9cec5bf1fac3cc125342eb5f7138aa84fb6cd265 is where the trouble started.

The code seems to work fine until the page where the cancel, preview and submit buttons are shown. Upon clicking the submit button, it is supposed to create a revision of the existing submission, but it is creating a new submission!

Probable reason for the issue:

After clicking the "submit" button, the new_or_edit_submission view that it triggers passes None as the submission argument to create_or_edit_submission_revision, which is why a new submission is created.

ksurya commented 10 years ago

Another way to fix the kind of attacks described in commit https://github.com/scipy/SciPyCentral/commit/9cec5bf1fac3cc125342eb5f7138aa84fb6cd265 is to cryptographically sign the values. The API can be found at https://docs.djangoproject.com/en/1.4/topics/signing/.

This solution requires fewer changes to the source code and can be done simply at the form-validation level. Thus the very possibility of this bug is removed.
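
The signed-value pattern proposed above, as an added example that is not part of the issue thread or of the SciPyCentral code base. Django's `django.core.signing.Signer` does this for you (`Signer(salt=...).sign(value)` / `.unsign(signed)`, raising `django.core.signing.BadSignature` on tampering); the block below reimplements the same idea with the standard library's `hmac` so it runs without Django. The secret key, the salt, the `submission_id` form-field name and the `submission_from_form` helper are assumptions for illustration, not names from the project.

```python
import base64
import hashlib
import hmac

# Constructed secret for the example only. A real deployment would use
# settings.SECRET_KEY, which Django's Signer reads automatically.
SECRET_KEY = b"example-secret-key-not-for-production"

# A salt namespaces the signature so a value signed for one purpose
# (say, a password-reset token) cannot be replayed as a submission id.
SALT = b"scipycentral.submission-revision"


def _signature(value: str) -> str:
    """HMAC-SHA256 of the value under a salt-derived key, URL-safe base64 encoded."""
    key = hashlib.sha256(SALT + SECRET_KEY).digest()
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def sign_submission_id(submission_id: int) -> str:
    """Value to render into the hidden form field when showing the edit form."""
    value = str(submission_id)
    return f"{value}:{_signature(value)}"


class BadSignature(ValueError):
    """Raised when the posted field is missing its signature or was altered."""


def unsign_submission_id(signed: str) -> int:
    """Recover the submission id, refusing any value the server did not sign."""
    value, sep, sig = signed.rpartition(":")
    # compare_digest keeps the comparison constant-time, so an attacker cannot
    # learn the correct signature byte by byte from response timing.
    if not sep or not hmac.compare_digest(sig, _signature(value)):
        raise BadSignature("submission id is missing a signature or was tampered with")
    return int(value)


def submission_from_form(posted: dict):
    """Form-validation step: the submission to revise, or None for a brand-new one.

    An empty field is a deliberate "new submission"; a non-empty field must carry
    a valid signature. A tampered field raises instead of silently becoming None,
    which is the path that turned an edit into a new submission in the original bug.
    """
    field = posted.get("submission_id", "")
    if field == "":
        return None
    return unsign_submission_id(field)


if __name__ == "__main__":
    hidden = sign_submission_id(42)
    print("hidden field:", hidden)
    print("unsigned:", submission_from_form({"submission_id": hidden}))
    try:
        submission_from_form({"submission_id": "43" + hidden[2:]})
    except BadSignature as exc:
        print("rejected:", exc)
```

With Django itself, the two helpers collapse to `Signer(salt="...").sign(str(submission.pk))` in the view and `Signer(salt="...").unsign(field)` in the form's `clean_` method, converting `BadSignature` into a `ValidationError` so the request fails validation rather than falling through to the "create new submission" branch.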

ksurya commented 10 years ago

Fixed in https://github.com/scipy/SciPyCentral/pull/168