Redirect to confirmation message after POST when making report #4362
Conversation
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #4362 +/- ##
==========================================
- Coverage 82.72% 80.36% -2.36%
==========================================
Files 385 374 -11
Lines 30039 30113 +74
Branches 4732 4889 +157
==========================================
- Hits 24849 24200 -649
- Misses 3756 4473 +717
- Partials 1434 1440 +6 ☔ View full report in Codecov by Sentry. |
dracos
force-pushed
the
master
branch
2 times, most recently
from
035a6aa to
02db8ea
Compare
davea
force-pushed
the
redirect-after-report-creation
branch
2 times, most recently
from
b3f80bf to
b76c875
Compare
dracos
force-pushed
the
master
branch
2 times, most recently
from
b96bd67 to
e8ccb20
Compare
davea
force-pushed
the
redirect-after-report-creation
branch
2 times, most recently
from
e25d811 to
bc6249b
Compare
davea
force-pushed
the
redirect-after-report-creation
branch
2 times, most recently
from
5c4c325 to
4f2d265
Compare
dracos
force-pushed
the
master
branch
2 times, most recently
from
604a72c to
8abd0a9
Compare
dracos
force-pushed
the
master
branch
3 times, most recently
from
11e15b2 to
8becd5f
Compare
davea
force-pushed
the
redirect-after-report-creation
branch
5 times, most recently
from
096193e to
750133c
Compare
davea
changed the title
There was a problem hiding this comment.
Good start, and I can see you've tried to deal with the non_public/unconfirmed issues, but I don't think this is going to work like this due to the leakage (actual and potential) of information. How about this, would this work - redirect to a /report/new/confirmation?token=[token] or /report/new/confirmation/[token] or whatever endpoint where token is generated as, I dunno, hmac_sha1_hex("$time-$id", secret); Then that endpoint will validate that hash and allow fetching of that report ID alone for 1 minute/30s since $time (similar to how Auth.pm does this for the CSRF token). And that can then show either template, wouldn't need to worry about state/non_public/etc, as it knows it's the report just created.
davea
force-pushed
the
redirect-after-report-creation
branch
from
750133c to
3816a3f
Compare
|
Thanks for the suggestion of the token - that's made it much neater! I don't think any/all of the template changes are needed any more but the tests aren't happy if I just back them all out, so once I've got that sorted it'll be ready for another review. |
davea
force-pushed
the
redirect-after-report-creation
branch
from
3816a3f to
e27b7d2
Compare
davea
force-pushed
the
redirect-after-report-creation
branch
from
e27b7d2 to
c66aa3a
Compare
dracos
force-pushed
the
redirect-after-report-creation
branch
from
35c0a41 to
b97f12e
Compare
There was a problem hiding this comment.
Sadly the same tests are still failing (only on coverage, so I still think it must be this part somehow? but your fix looks good. And in e.g. report_new.t surely it can't be taking a minute to create the report? But what else could it be) :-/ Guess we might need more debugging into if it's reaching that if statement, what URL it's constructed at that point, might have to push a yucky print STDERR "$cutoff $timestamp\n"; and things like that, I can't get it to happen locally at all.
|
Looks like it was indeed just taking a long time...! I increased the token cutoff to 3 minutes and the coverage tests all passed that time. |
davea
force-pushed
the
redirect-after-report-creation
branch
from
fefada8 to
f104a16
Compare
|
Phew, OK, think we're there now... |
Fixes https://github.com/mysociety/societyworks/issues/2229