Project

General

Profile

Feature #10763

form accessed and submitted despite logout?

Added by Nicola Chiapolini about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
Start date:
16.06.2020
Due date:
% Done:

0%

Estimated time:
Discuss:

Description

Wir hatten ein Problem in der DB, das ich auf folgende (annonymisierte) Log-Zeilen zurückführen konnte:


[2020.06.15 17:58:16 +0200][89.206.112.13][FE:aaaaaa,Page:8,tt:43,form:phd_reg-graduation][INSERT INTO `phd_graduation` ( `shortname`, `student_id`, `name`, `firstname`, `salutation`, `birthday`, `mail_uzh`, `mail_private`, `nationality`, `subject_of_study`, `title_of_thesis`, `colloquium_start`, `disputation_start` ) VALUES ( 'aaaaaa', '12-345-678', 'Muster', 'Pauline', 'Frau', '1991-02-02', 'pauline.muster@uzh.ch', 'muster@example.com', 'FR', '50646022', 'A Thesis Title', '2020-08-04 13:00', '2020-08-04 13:00' )]
[2020.06.15 17:58:16 +0200][89.206.112.13][FE:aaaaaa,Page:8,tt:43,form:phd_reg-graduation][ID: 492 - affected rows: 1]
[2020.06.15 17:58:16 +0200][89.206.112.13][FE:aaaaaa,Page:8,tt:43,form:phd_reg-graduation][UPDATE `phd_graduation` SET `pdf_of_thesis` = 'studentadmin/phd/thesis/aaaaaa-thesis.pdf' WHERE id = '492']
[2020.06.15 17:58:16 +0200][89.206.112.13][FE:aaaaaa,Page:8,tt:43,form:phd_reg-graduation][Affected rows: 1]
[2020.06.15 17:58:16 +0200][89.206.112.13][FE:aaaaaa,Page:8,tt:43,form:phd_reg-graduation][UPDATE phd_graduation SET title_hash=MD5(title_of_thesis) WHERE shortname='aaaaaa']
[2020.06.15 17:58:16 +0200][89.206.112.13][FE:aaaaaa,Page:8,tt:43,form:phd_reg-graduation][Affected rows: 1]
[2020.06.15 17:58:16 +0200][89.206.112.13][FE:aaaaaa,Page:8,tt:43,form:phd_reg-graduation][UPDATE phd_graduation SET reg_done=NULL WHERE reg_done="0000-00-00 00:00:00"]
[2020.06.15 17:58:16 +0200][89.206.112.13][FE:aaaaaa,Page:8,tt:43,form:phd_reg-graduation][Affected rows: 0]
[2020.06.15 17:59:04 +0200][89.206.112.13][form:phd_reg-graduation][INSERT INTO `Dirty` (`sip`, `tableName`, `recordId`, `expire`, `recordHashMd5`, `tabUniqId`, `feUser`, `qfqUserSessionCookie`, `dirtyMode`, `remoteAddress`, `created`) VALUES ( '5ee79a9c90289','phd_graduation','492','2020-06-15 18:14:03','dfb854d090d8febd3b6d2e976c1c5f88','1593618907666','','6ba6k9hj4je4lgf2puhnmrsddh','exclusive','89.206.112.13','20200615175904' )]
[2020.06.15 17:59:04 +0200][89.206.112.13][form:phd_reg-graduation][ID: 20386 - affected rows: 1]
[2020.06.15 17:59:12 +0200][89.206.112.13][Page:8,tt:43,form:phd_reg-graduation][DELETE FROM `Dirty` WHERE `id`='20386' LIMIT 1]
[2020.06.15 17:59:12 +0200][89.206.112.13][Page:8,tt:43,form:phd_reg-graduation][Affected rows: 1]
[2020.06.15 17:59:12 +0200][89.206.112.13][Page:8,tt:43,form:phd_reg-graduation][INSERT INTO `FormSubmitLog` (`formData`, `sipData`, `clientIp`, `feUser`, `userAgent`, `formId`, `recordId`, `pageId`, `sessionId`, `created`)VALUES ('{"email":"","username":"","password":"","recordHashMd5":"dfb854d090d8febd3b6d2e976c1c5f88","reg_done-492":"2020-06-15 17:58:20","mail_private-492":"muster@example.com","title_of_thesis-492":"<p>A Thesis Title<\/p>","pdf_of_thesis-492":"5ee79a9c8ebcf","colloquium_start-492":"2020-08-04 13:00","disputation_start-492":"2020-08-04 13:00","_sipForTypo3Vars":"5ee79a9c90172"}', '{"birthday":"1991-02-02","firstname":"Pauline","form":"phd_reg-graduation","mail_uzh":"pauline.muster@uzh.ch","name":"Muster","nationality":"FR","r":"492","salutation":"Frau","shortname":"aaaaaa","student_id":"12-345-678","subject_of_study":"50646067","s":"5ee79a9c90289","urlparam":"birthday=1991-02-02&firstname=Pauline&form=phd_reg-graduation&mail_uzh=pauline.muster@uzh.ch&name=Muster&nationality=FR&r=492&salutation=Frau&shortname=aaaaaa&student_id=12-345-678&subject_of_study=50646067"}', '89.206.112.13', '', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36', '1000', '492', '8', '6ba6k9hj4je4lgf2puhnmrsddh', NOW())]
[2020.06.15 17:59:12 +0200][89.206.112.13][Page:8,tt:43,form:phd_reg-graduation][ID: 42051 - affected rows: 1]
[2020.06.15 17:59:12 +0200][89.206.112.13][Page:8,tt:43,form:phd_reg-graduation][UPDATE `phd_graduation` SET `shortname` = 'aaaaaa', `student_id` = '12-345-678', `name` = 'Muster', `firstname` = 'Pauline', `salutation` = 'Frau', `birthday` = '1991-02-02', `mail_uzh` = 'pauline.muster@uzh.ch', `mail_private` = 'muster@example.com', `nationality` = 'FR', `subject_of_study` = '50646067', `title_of_thesis` = 'A Thesis Title', `reg_done` = '2020-06-15 17:58:20', `colloquium_start` = '2020-08-04 13:00', `disputation_start` = '2020-08-04 13:00' WHERE id = '492']

Für die zweite Hälfte des Logs fehlt der feUser - es scheint der User hat/wurde ausgeloggt. Das Problem damit ist, dass die SIP-Links für die Formulare nur mit Login sichtbar sind und das Formular deshalb davon ausgeht, dass der FE-User definiert ist. Natürlich ist es unser Fehler, dass wir das im Formular nicht abfangen. Allerdings bricht QFQ sowohl hier wie auch bei #9898 das intuitive Verständnis von Login/Logout. Sicherer und User-freundlicher wäre es, wenn ein Logout sich sofort auf alle SIP und Formulare auswirkt. Konkret also.

Aufgefallen ist uns das ganze, weil in der letzten Zeile `subject_of_study` falsch ist (da das in einem Extra-Feld mit einem Query ... WHERE shortname='{{ feUser:TE }}' gefüllt wird)

Also available in: Atom PDF