From bc8eee210325c38d66bef5640deb933c0f680d4d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Paul=20H=C3=A4nsch?=
Date: Tue, 20 Nov 2018 15:26:44 +0100
Subject: [PATCH] use transaction id for all updates

---
 cgilite | 2 +-
 clients.sh | 13 ++++++++-----
 invoices.cgi | 18 ++++++++++++------
 senders.sh | 10 +++++++---
 4 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/cgilite b/cgilite
index 3fe2a9c..441856d 160000
--- a/cgilite
+++ b/cgilite
@@ -1 +1 @@
-Subproject commit 3fe2a9ceb477adf245f6cc8f72fb61282e42c904
+Subproject commit 441856d88c45de3a8a12a8e3ac74f23f3d9b273b
diff --git a/clients.sh b/clients.sh
index fc047a2..474f625 100755
--- a/clients.sh
+++ b/clients.sh
@@ -14,11 +14,12 @@ edit_client(){
 %s
 [label for=hourly Hourly Rate:]
 [input #hourly type=number name=hourly value="%s"]
- [submit "update" "update" Update]
+ [submit "update" "%s" Update]
 ]' \
 "$(HTML $id)" \
 "$(UNSTRING "${address#address=}" |HTML)" \
- "$(UNSTRING "${hourly#hourly=}" |grep -xE '[0-9]+')"
+ "$(UNSTRING "${hourly#hourly=}" |grep -xE '[0-9]+')" \
+ "$(tid "clients/$id")"
 }
 
 list_clients(){
@@ -38,13 +39,15 @@ list_clients(){
 }
 
 update_client(){
- id="$(POST id |checkid)"
- if [ "$(POST update)" = update -a "$id" ]; then
+ local id="$(POST id |checkid)"
+ if [ "$(POST update)" = "$(tid "clients/$id")" ]; then
 mkdir -p clients
 printf 'address=%s hourly=%s' \
 "$(POST address |STRING)" "$(POST hourly |STRING)" \
 >"clients/$id"
+ REDIRECT "/clients/"
 else
- echo Invalid Data "$(POST id)" "$(POST update)" >&2
+ error Invalid Data "$id" "$(POST update)"
+ REDIRECT "/clients/$1"
 fi
 }
diff --git a/invoices.cgi b/invoices.cgi
index 7e2f351..10aa8fc 100755
--- a/invoices.cgi
+++ b/invoices.cgi
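Review bot: In update_client's new else branch, `REDIRECT "/clients/$1"` refers to a positional parameter that update_client never receives (invoices.cgi calls it bare as `update_client`), so a rejected token always sends the user to `/clients/` instead of back to the form; senders.sh in this same patch writes `REDIRECT "/senders/$id"`, and the matching line here should be `REDIRECT "/clients/$id"`. The widened condition now carries the whole authorization of the write and deserves a one-line comment, e.g. `# submit value must equal tid(): bound to this session, the server key and the file's current size/mtime`. Dropping the old `-a "$id"` test looks safe, since a token for an empty id still requires server_key, but keeping `[ "$id" ]` in the condition makes the intent explicit rather than relying on a tid mismatch for an empty id.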
@@ -24,6 +24,15 @@ printf 'Content-Type: text/html; charset=utf-8\r\n\r\n'
 EOF
 }
 
+tid(){
+ # transaction ID to modify a given file
+ local file="$1"
+ { stat -c %F%i%n%N%s%Y "$file" 2>&-
+ printf %s "$SESSION_ID"
+ server_key
+ } | sha256sum | cut -d\ -f1
+}
+
 info="$(PATH "${PATH_INFO}")"
 case $info in
 
@@ -44,7 +53,6 @@ case $info in
 /update_client)
 . "$_EXEC/clients.sh"
 update_client
- REDIRECT /clients/
 ;;
 /senders)
 . "$_EXEC/senders.sh"
@@ -59,22 +67,20 @@ case $info in
 /update_sender)
 . "$_EXEC/senders.sh"
 update_sender
- REDIRECT /senders/
 ;;
 /invoices)
 . "$_EXEC/invoices.sh"
 { list_invoices
- printf '[a .new href="/invoice/%s" New]' "$(timeid)"
+ printf '[a .new href="/invoices/%s" New]' "$(timeid)"
 } | yield_page invoices
 ;;
- /invoice/*)
+ /invoices/*)
 . "$_EXEC/invoices.sh"
- edit_invoice "${info#/invoice/}" |yield_page invoice
+ edit_invoice "${info#/invoices/}" |yield_page invoice
 ;;
 /update_invoice)
 . "$_EXEC/invoices.sh"
 update_invoice
- REDIRECT "/invoice/$id"
 ;;
 *) REDIRECT /invoices ;;
 
diff --git a/senders.sh b/senders.sh
index 90c3d38..4d1f612 100755
--- a/senders.sh
+++ b/senders.sh
@@ -19,10 +19,11 @@ xxx / 000 / ###
 [form method="POST" action="/update_sender"
 [hidden "id" "%s"]
- [submit "update" "update" Update]
+ [submit "update" "%s" Update]
 ]' \
 "$(HTML $id)" \
- "$(HTML "${address}")"
+ "$(HTML "${address}")" \
+ "$(tid "senders/$id")"
 }
 
 list_senders(){
@@ -37,8 +38,11 @@ list_senders(){
 
 update_sender(){
 id="$(POST id |checkid)"
- if [ "$(POST update)" = update -a "$id" ]; then
+ if [ "$(POST update)" = "$(tid "senders/$id")" ]; then
 mkdir -p senders
 POST address >"senders/$id"
+ REDIRECT "/senders/"
+ else
+ REDIRECT "/senders/$id"
 fi
 }
-- 
2.39.2
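Review bot: tid's hash input loses the target path whenever the file does not exist yet: `stat` fails silently under `2>&-` and contributes nothing, so within one session the token for every not-yet-created `clients/<id>` or `senders/<id>` collapses to the same sha256 of SESSION_ID and server_key, which defeats the per-file binding the comment promises even though the token stays bound to session and server key. Adding `printf %s "$file"` as the first line inside the braces keeps the path in the hash regardless of whether stat succeeds. Two smaller points: `2>/dev/null` is the conventional way to silence stat (`2>&-` closes the descriptor, so stat's own error write fails), and `-c` with these format letters is GNU stat syntax, so the helper will not run on BSD/macOS stat. The `cut -d\ -f1` as rendered here seems to have lost its second space in transit; `cut -d' ' -f1` says the same thing unambiguously.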
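Review bot: Removing `REDIRECT "/invoice/$id"` after `update_invoice` leaves the `/update_invoice` arm without a response unless update_invoice in invoices.sh redirects on its own, and invoices.sh is not among the four files this patch touches (see the diffstat), so as committed that request appears to fall through with no Location header. Either keep a redirect in this arm, adjusted to the renamed path as `REDIRECT "/invoices/$id"`, or ship the invoices.sh change in the same commit. The parallel removals for `/update_client` (previous hunk) and `/update_sender` are covered, because this patch adds REDIRECT calls inside update_client and update_sender. The enclosing case statement continues outside the hunk.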
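Review bot: update_sender keeps `id="$(POST id |checkid)"` as a global while the same patch makes the variable `local` in update_client, and its new else branch redirects silently where update_client logs `error Invalid Data "$id" "$(POST update)"` before redirecting. Aligning both, with `local id="$(POST id |checkid)"` and an `error Invalid Data "$id" "$(POST update)"` line ahead of `REDIRECT "/senders/$id"`, keeps the two handlers readable side by side and makes rejected token checks visible in the server log, which is the one signal that a form was stale or replayed. The `id=` line is unchanged context in this hunk, so the local change would touch a line the commit does not otherwise modify.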