Actually, it only appeared to be working prior to 2.2.1. What happened with 
prior versions is that you inadvertently turned off your CSRF protection. 
In earlier versions, session.clear() would completely clear the session, so 
you ended up passing an empty session to form.accepts(). Because the 
session was empty, it skipped the _formkey check altogether (just as if you 
hadn't passed the session in at all).

More recently, the session object was changed so it always includes a 
_session_hash, even after you call session.clear(). So, now if you do 
session.clear() right before calling form.accepts(), it will no longer skip 
the _formkey check, and instead you'll get a failure to pass the check 
(because the _formkey has been removed from the session).

Anthony

On Saturday, April 27, 2013 4:48:44 AM UTC-4, carlo wrote:
>
>  Thank you Anthony,
>
> never spotted that error because as I said until version 2.2.1 it was 
> working anyway, maybe session.clear() did not behave as expected?
>
> Carlo
>
> On 26/04/2013 18:41, Anthony wrote:
>  
> At the beginning of the function you clear the session, yet the form's 
> _formkey is stored in the session. If you pass the session to 
> form.accepts(), it checks for the _formkey and will not accept the form if 
> it is not found. This code would not have worked in any prior version of 
> web2py. Note, you need the session and _formkey to protect against CSRF 
> attacks (and double submission). 
>
>  Anthony
>
> On Friday, April 26, 2013 12:26:29 PM UTC-4, carlo wrote: 
>>
>> Hi, a strange problem with the latest version and Python 2.5
>>
>> This action works fine in version 2.2.1 and before.
>>
>> Now hitting Submit there is no redirection, the page just reloads, no 
>> errors.
>>
>> What is the problem? Thank you.
>>
>>
>>
>>
>> def creanuovo_1():
>>     import datetime
>>     session.clear()
>>
>>     now=datetime.date.today()
>>     now=now.strftime("%d-%m-%Y")
>>
>>     form = SQLFORM(db.preventivi,
>>                    fields = ['id_clienti','id_agente','compil','data_prev','id_tipo','descriz_est','descriz_br','copie_nom','note'],
>>                    col3 = {'id_clienti':SPAN("a chi andrà intestata l'offerta",_style='color:grey'),
>>                            'compil':SPAN('nome di chi compila',_style='color:grey'),
>>                            'id_tipo':SPAN('descrizione generica del prodotto',_style='color:gray'),
>>                            'descriz_est':SPAN('descrizione per il cliente',_style='color:gray'),
>>                            'note':SPAN('eventuali note aggiuntive',_style='color:gray'),
>>                            'descriz_br':SPAN('descrizione per i reparti',_style='color:grey')},
>>                    submit_button='Avanti')
>>
>>     if form.accepts(request.vars, session, dbio=False):
>>         session.anagrafica=dict(form.vars)
>>         cliente=db(db.clienti.id==session.anagrafica['id_clienti']).select(db.clienti.ragsoc)[0]['ragsoc']
>>         tipo=db(db.tipo_prodotto.id==session.anagrafica['id_tipo']).select(db.tipo_prodotto.descriz)[0]['descriz']
>>         session['anagrafica']['cliente']=cliente
>>         session['anagrafica']['tipo']=tipo
>>         session.no_copie_alt=True
>>         redirect(URL('creanuovo_2'))
>>
>>     return dict(form=form)
>>
>  -- 
>  
> --- 
> You received this message because you are subscribed to a topic in the 
> Google Groups "web2py-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/web2py/7Qgl-bUBXx4/unsubscribe?hl=en.
> To unsubscribe from this group and all its topics, send an email to 
> web2py+un...@googlegroups.com <javascript:>.
> For more options, visit https://groups.google.com/groups/opt_out.
>  
>  
>
>
> 
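
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not web2py's own code: a stand-alone model of a form-token check that is skipped when the session is empty, showing that clearing the session before the check fails open with the old session behaviour and fails closed with the new one. The names `OldSession`, `NewSession`, `render_form`, `accepts` and `action` are hypothetical; only `_formkey` and `_session_hash` come from the thread.

```python
import uuid

class OldSession(dict):
    """Model of the older behaviour: clear() leaves the session completely empty."""

class NewSession(dict):
    """Model of the later behaviour: clear() always leaves a _session_hash behind."""
    def clear(self):
        dict.clear(self)
        self["_session_hash"] = uuid.uuid4().hex

def render_form(session):
    """Issue a one-time token, store it in the session, return it for the hidden field."""
    key = uuid.uuid4().hex
    session["_formkey"] = key
    return key

def accepts(post_vars, session):
    """Token check as the thread describes it: skipped when the session is empty."""
    if session:  # an empty dict is falsy, so the check is bypassed (fail-open)
        expected = session.pop("_formkey", None)
        if not expected or post_vars.get("_formkey") != expected:
            return False
    return True

def action(session_cls, post_vars, clear_first):
    """One POST to the action, optionally clearing the session before accepts()."""
    session = session_cls()
    issued = render_form(session)            # token stored by the earlier GET
    post = dict(post_vars)
    if post.pop("_use_issued_key", False):   # constructed flag: same-site submit
        post["_formkey"] = issued
    if clear_first:
        session.clear()                      # the ordering used in creanuovo_1()
    return accepts(post, session)

# Constructed sample requests
FORGED = {"note": "x"}                           # cross-site POST, carries no token
LEGIT = {"note": "x", "_use_issued_key": True}   # browser POST with the issued token

if __name__ == "__main__":
    for cls in (OldSession, NewSession):
        for name, post in (("forged", FORGED), ("legit", LEGIT)):
            for clear_first in (True, False):
                print(cls.__name__, name, "clear_first=%s" % clear_first,
                      "->", action(cls, post, clear_first))
```

Only the runs with `clear_first=False` accept the legitimate POST while rejecting the forged one, so any session reset belongs after a successful `accepts()`, not before it.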
