How to fix bug where Search code allows creating duplicate names

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
Report Content as Inappropriate

How to fix bug where Search code allows creating duplicate names

John P. Rouillard
Hi all:

Came across a bug in the SearchAction code. A user can create two
searches with the same name, but there is an implicit assumption that
there is only one search with a given name for a specific user.

So user A and B can have searches namesd the same, but user X can only
have one search with a given name.

 I think this is how the problem came about.  Way back when, search
names were globally unique. So no two searches (even for different
users) could have the same name. This was because the name was used as
a unique id for searches and was enforced by making the query name the

Then the code was rewritten to allow duplicate names. Queries with the
same name but different creators/owners were considered different.

However a code path was missed. You can create queries with the same
name for the same creator. When this happens changing any query owned
by user Y with the name X changes all queries named X to the new

Adding this patch:

diff -r fe52cab8f5b5 roundup/cgi/actions.py
--- a/roundup/cgi/actions.py    Sat Feb 25 22:21:15 2017 -0500
+++ b/roundup/cgi/actions.py    Tue Mar 07 09:12:35 2017 -0500
@@ -335,10 +335,16 @@
                         self.db.query.set(qid, klass=self.classname,
                             url=url, name=queryname)
-                    # create a query
+                    # create a query if the name is unique for the user
                     if not self.hasPermission('Create', 'query'):
                         raise exceptions.Unauthorised(self._(
                             "You do not have permission to store queries"))
+                    qids = self.db.query.filter(None, {'name': queryname,
+                        'creator': uid})
+                    for qid in qids:
+                        if queryname != self.db.query.get(qid, 'name'):
+                            continue
+                        raise ValueError, "query '%s' already exists please rename this query"%(queryname)
                     qid = self.db.query.create(name=queryname,
                         klass=self.classname, url=url, private_for=uid)

fixes the problem somewhat. The problem is that after the SearchAction
is submitted, the user is redirected to the index template with an
error at the top.

Once you get to the index template there is no way back to the search
template to rename/edit the query. Even if you add code to the index
template so you can go back to the search/edit page it's a workaround
at best.

To try to get past this, I tried adding: @template=search to the
client url before raising the ValueError but the implementations I
tried didn't work.

I feel I am missing something simple here. Anybody got an idea on how
I can control what url is displayed when I raise a ValueError? Do I
need to create a new RedirectWithError exception?

                                -- rouilj
John Rouillard
My employers don't acknowledge my existence much less my opinions.

Announcing the Oxford Dictionaries API! The API offers world-renowned
dictionary content that is easy and intuitive to access. Sign up for an
account today to start using our lexical data to power your apps and
projects. Get started today and enter our developer competition.
Roundup-devel mailing list
[hidden email]