#59 Make sure that objects don't get changed between the display of a form and the actual POST that updates the object
Originally created by: sf-overlords
Created by: rcopeland
Created date: 2010-03-10 23:09:34.183000
Assigned to:rcopeland
The problem is that we have a race condition on all our forms....
- User 1 displays an edit form for object 1
- User 2 displays an edit form for object 1
- User 2 submits the form, updating object 1
- User 1 submits the form, updating object 1 and silently overwriting User 2's changes with
In order to fix this, we need to
- Add a nonce field to every document in the DB
- Include the value of the nonce as a hidden field on every form that modifies the document
- Include logic that verifies that the nonce is unchanged when actually processing the update
Alternatively, we can do nothing about the problem (which is probably what most websites do)
Originally by: sf-overlords
Post by mramm:
I think we can handle this by saving revisions, and doing things a little bit more ajaxy. If fields are updated individually, and there are versions, I think we won't have any problems.
And even with full form submissions, I think that this is an inevitable part of web apps, and we should not struggle too hard to avoid it.