feature(edit): optimistic locking of edit forms to avoid overwrites

anthraxx · anthraxx · commit 2916e05e0fa5 · 2022-04-07T00:12:38.000+02:00
Closes #37 Signed-off-by: anthraxx <levente@leventepolyak.net>
diff --git a/test/conftest.py b/test/conftest.py
@@ -161,13 +161,15 @@ def wrapper(db, *args, **kwargs):
 
 def default_issue_dict(overrides=dict()):
     data = dict(cve=DEFAULT_ISSUE_ID, issue_type=issue_types[0], remote=Remote.unknown.name,
-                severity=Severity.unknown.name, description='', notes='', reference='')
+                severity=Severity.unknown.name, description='', notes='', reference='',
+                changed=str(datetime.utcfromtimestamp(0)))
     data.update(overrides)
     return data
 
 
 def create_issue(func=None, id=DEFAULT_ISSUE_ID, issue_type=issue_types[0], remote=Remote.unknown,
-                 severity=Severity.unknown, description='', notes='', reference='', count=1):
+                 severity=Severity.unknown, description='', notes='', reference='',
+                 changed=datetime.utcfromtimestamp(0), count=1):
     def decorator(func):
         @wraps(func)
         def wrapper(db, *args, **kwargs):
@@ -180,6 +182,7 @@ def wrapper(db, *args, **kwargs):
                 issue.description = description
                 issue.notes = notes
                 issue.reference = reference
+                issue.changed = changed
                 db.session.add(issue)
             db.session.commit()
             func(db=db, *args, **kwargs)
@@ -226,14 +229,15 @@ def wrapper(db, *args, **kwargs):
 def default_group_dict(overrides=dict()):
     data = dict(cve=DEFAULT_ISSUE_ID, pkgnames='foopkg', affected='1.0-1', fixed=None,
                 status=Affected.unknown.name, bug_ticket='', reference='', notes='',
-                advisory_qualified=True)
+                advisory_qualified=True, changed=str(datetime.utcfromtimestamp(0)))
     data.update(overrides)
     return data
 
 
 def create_group(func=None, id=None, status=None, severity=None,
                  affected='1.0-1', fixed=None, bug_ticket='', reference='', notes='',
-                 created=datetime.utcnow(), advisory_qualified=True, issues=[DEFAULT_ISSUE_ID], packages=['foo'], count=1):
+                 created=datetime.utcnow(), advisory_qualified=True, issues=[DEFAULT_ISSUE_ID], packages=['foo'],
+                 changed=datetime.utcfromtimestamp(0), count=1):
     def decorator(func):
         @wraps(func)
         def wrapper(db, *args, **kwargs):
@@ -255,6 +259,7 @@ def wrapper(db, *args, **kwargs):
                 group.notes = notes
                 group.created = created
                 group.advisory_qualified = advisory_qualified
+                group.changed = changed
 
                 db.session.add(group)
                 db.session.commit()
@@ -323,9 +328,15 @@ def create_advisory_content(id=DEFAULT_ADVISORY_ID, group=DEFAULT_GROUP_NAME, pk
 DEFAULT_ADVISORY_CONTENT = create_advisory_content()
 
 
+def default_advisory_dict(overrides=dict()):
+    data = dict(changed=str(datetime.utcfromtimestamp(0)))
+    data.update(overrides)
+    return data
+
+
 def create_advisory(func=None, id=DEFAULT_ADVISORY_ID, group_package_id=DEFAULT_GROUP_ID, advisory_type=None,
-                    publication=Publication.scheduled, workaround=None, impact=None, content=None, created=datetime.utcnow(),
-                    reference=None, count=1):
+                    publication=Publication.scheduled, workaround=None, impact=None, content=None, reference=None,
+                    created=datetime.utcnow(), changed=datetime.utcfromtimestamp(0), count=1):
     def decorator(func):
         @wraps(func)
         def wrapper(db, *args, **kwargs):
@@ -344,6 +355,7 @@ def wrapper(db, *args, **kwargs):
                 advisory.impact = impact
                 advisory.content = content
                 advisory.created = created
+                advisory.changed = changed
                 advisory.reference = reference
 
                 db.session.add(advisory)
diff --git a/test/test_advisory.py b/test/test_advisory.py
@@ -33,6 +33,7 @@
 from .conftest import create_group
 from .conftest import create_issue
 from .conftest import create_package
+from .conftest import default_advisory_dict
 from .conftest import default_group_dict
 from .conftest import default_issue_dict
 from .conftest import get_advisory
@@ -206,7 +207,7 @@ def test_edit_advisory(db, client):
     workaround = 'the cake is a lie'
     impact = 'Big shit and deep trouble!'
     resp = client.post(url_for('tracker.edit_advisory', advisory_id=DEFAULT_ADVISORY_ID), follow_redirects=True,
-                       data={'workaround': workaround, 'impact': impact})
+                       data=default_advisory_dict({'workaround': workaround, 'impact': impact}))
     assert 200 == resp.status_code
     assert 'text/html; charset=utf-8' == resp.content_type
     assert_advisory_data(DEFAULT_ADVISORY_ID, workaround=workaround, impact=impact)
@@ -216,7 +217,7 @@ def test_edit_advisory(db, client):
 @logged_in
 def test_edit_advisory_not_found(db, client):
     resp = client.post(url_for('tracker.edit_advisory', advisory_id=DEFAULT_ADVISORY_ID), follow_redirects=True,
-                       data={'workaround': 'nothing', 'impact': 'nothing'})
+                       data=default_advisory_dict({'workaround': 'nothing', 'impact': 'nothing'}))
     assert resp.status_code == NotFound.code
     assert 'text/html; charset=utf-8' == resp.content_type
 
@@ -666,7 +667,7 @@ def test_advisory_published_content_not_over_escaped(db, client, patch_get):
 def test_edit_advisory_non_relational_field_updates_changed_date(db, client):
     advisory_changed_old = Advisory.query.get(DEFAULT_ADVISORY_ID).changed
 
-    data = dict(impact='everything beyond repair', workaround='set computer on fire')
+    data = default_advisory_dict(dict(impact='everything beyond repair', workaround='set computer on fire'))
     resp = client.post(url_for('tracker.edit_advisory', advisory_id=DEFAULT_ADVISORY_ID), follow_redirects=True, data=data)
     assert 200 == resp.status_code
     assert f'Edited {DEFAULT_ADVISORY_ID}' in resp.data.decode()
@@ -682,7 +683,7 @@ def test_edit_advisory_non_relational_field_updates_changed_date(db, client):
 def test_edit_advisory_does_nothing_when_data_is_same(db, client):
     advisory_changed_old = Advisory.query.get(DEFAULT_ADVISORY_ID).changed
 
-    data = dict(impact='everything beyond repair', workaround='set computer on fire')
+    data = default_advisory_dict(dict(impact='everything beyond repair', workaround='set computer on fire'))
     resp = client.post(url_for('tracker.edit_advisory', advisory_id=DEFAULT_ADVISORY_ID), follow_redirects=True, data=data)
     assert 200 == resp.status_code
     assert f'Edited {DEFAULT_ADVISORY_ID}' not in resp.data.decode()
diff --git a/test/test_cve.py b/test/test_cve.py
@@ -1,4 +1,6 @@
 
+from datetime import datetime
+
 from flask import url_for
 from werkzeug.exceptions import Forbidden
 from werkzeug.exceptions import NotFound
@@ -44,7 +46,8 @@ def set_and_assert_cve_data(db, client, cve_id, route):
                                  severity=severity.name,
                                  description=description,
                                  notes=notes,
-                                 reference=reference))
+                                 reference=reference,
+                                 changed=str(datetime.utcfromtimestamp(0))))
     assert 200 == resp.status_code
 
     cve = CVE.query.get(cve_id)
diff --git a/tracker/form/advisory.py b/tracker/form/advisory.py
@@ -1,3 +1,5 @@
+from wtforms import BooleanField
+from wtforms import HiddenField
 from wtforms import SelectField
 from wtforms import SubmitField
 from wtforms import TextAreaField
@@ -34,6 +36,9 @@ class AdvisoryEditForm(BaseForm):
     reference = URLField(u'Reference', validators=[Optional(), URL(), Length(max=Advisory.REFERENCE_LENGTH), ValidAdvisoryReference()])
     workaround = TextAreaField(u'Workaround', validators=[Optional(), Length(max=Advisory.WORKAROUND_LENGTH)])
     impact = TextAreaField(u'Impact', validators=[Optional(), Length(max=Advisory.IMPACT_LENGTH)])
+    changed = HiddenField(u'Changed', validators=[Optional()])
+    changed_latest = HiddenField(u'Latest Changed', validators=[Optional()])
+    force_submit = BooleanField(u'Force update', default=False, validators=[Optional()])
     edit = SubmitField(u'edit')
 
     def __init__(self, advisory_id):
diff --git a/tracker/form/cve.py b/tracker/form/cve.py
@@ -1,3 +1,5 @@
+from wtforms import BooleanField
+from wtforms import HiddenField
 from wtforms import SelectField
 from wtforms import StringField
 from wtforms import SubmitField
@@ -24,6 +26,9 @@ class CVEForm(BaseForm):
     remote = SelectField(u'Remote', choices=[(e.name, e.label) for e in [*Remote]], validators=[DataRequired()])
     reference = TextAreaField(u'References', validators=[Optional(), Length(max=CVE.REFERENCES_LENGTH), ValidURLs()])
     notes = TextAreaField(u'Notes', validators=[Optional(), Length(max=CVE.NOTES_LENGTH)])
+    changed = HiddenField(u'Changed', validators=[Optional()])
+    changed_latest = HiddenField(u'Latest Changed', validators=[Optional()])
+    force_submit = BooleanField(u'Force update', default=False, validators=[Optional()])
     submit = SubmitField(u'submit')
 
     def __init__(self, edit=False):
diff --git a/tracker/form/group.py b/tracker/form/group.py
@@ -1,5 +1,6 @@
 from pyalpm import vercmp
 from wtforms import BooleanField
+from wtforms import HiddenField
 from wtforms import SelectField
 from wtforms import StringField
 from wtforms import SubmitField
@@ -30,7 +31,10 @@ class GroupForm(BaseForm):
     reference = TextAreaField(u'References', validators=[Optional(), Length(max=CVEGroup.REFERENCES_LENGTH), ValidURLs()])
     notes = TextAreaField(u'Notes', validators=[Optional(), Length(max=CVEGroup.NOTES_LENGTH)])
     advisory_qualified = BooleanField(u'Advisory qualified', default=True, validators=[Optional()])
-    force_submit = BooleanField(u'Force creation', default=False, validators=[Optional()])
+    changed = HiddenField(u'Changed', validators=[Optional()])
+    changed_latest = HiddenField(u'Latest Changed', validators=[Optional()])
+    force_update = BooleanField(u'Force update', default=False, validators=[Optional()])
+    force_creation = BooleanField(u'Force creation', default=False, validators=[Optional()])
     submit = SubmitField(u'submit')
 
     def __init__(self, packages=[]):
diff --git a/tracker/templates/_formhelpers.html b/tracker/templates/_formhelpers.html
@@ -159,7 +159,7 @@
 {%- endmacro -%}
 
 {%- macro label_from_model(model) -%}
-	{%- if model.__class__.__name__ == 'CVEGroupVersion' %}AVG-{% endif %}{{ model.id }}
+	{%- if model.__class__.__name__ in ['CVEGroupVersion', 'CVEGroup'] %}AVG-{% endif %}{{ model.id }}
 {%- endmacro -%}
 
 {%- macro link_to_model(model) -%}
diff --git a/tracker/templates/form/advisory.html b/tracker/templates/form/advisory.html
@@ -2,6 +2,9 @@
 {% block content %}
 			<h1>{{ title }}</h1>
 			<div class="wide size">
+				{%- if concurrent_modification %}
+				{%- include 'log/advisory_log_table.html' %}
+				{%- endif %}
 				<form action="" method="post" name="edit-advisory">
 					{{ form.hidden_tag() }}
 					<div class="row">
@@ -19,6 +22,13 @@ <h1>{{ title }}</h1>
 							{{ render_field(form.impact, class='full size', maxlength=Advisory.IMPACT_LENGTH, placeholder='Overall impact...', indent=7, autofocus='') }}
 						</div>
 					</div>
+					{%- if concurrent_modification %}
+					<div class="row">
+						<div class="one-quarter column">
+							{{ render_checkbox(form.force_submit, indent=7) }}
+						</div>
+					</div>
+					{%- endif %}
 					{{ form.edit(class='button-primary', accesskey='s') }}
 				</form>
 			</div>
diff --git a/tracker/templates/form/cve.html b/tracker/templates/form/cve.html
@@ -2,6 +2,9 @@
 {% block content %}
 			<h1>{{ title }}</h1>
 			<div class="wide size">
+				{%- if concurrent_modification %}
+				{%- include 'log/cve_log_table.html' %}
+				{%- endif %}
 				<form action="{{ action }}" method="post" name="add">
 					{{ form.hidden_tag() }}
 					<div class="row">
@@ -23,6 +26,13 @@ <h1>{{ title }}</h1>
 					{{ render_field(form.description, class='full size', maxlength=CVE.DESCRIPTION_LENGTH, placeholder='Detailed description...', indent=5) }}
 					{{ render_field(form.reference, class='full size', maxlength=CVE.REFERENCES_LENGTH, placeholder='Relevant external references...', indent=5) }}
 					{{ render_field(form.notes, class='full size', maxlength=CVE.NOTES_LENGTH, placeholder='Internal side notes...', indent=5) }}
+					{%- if concurrent_modification %}
+					<div class="row">
+						<div class="one-quarter column">
+							{{ render_checkbox(form.force_submit, indent=7) }}
+						</div>
+					</div>
+					{%- endif %}
 					{{ form.submit(class='button-primary', accesskey='s') }}
 				</form>
 			</div>
diff --git a/tracker/templates/form/group.html b/tracker/templates/form/group.html
@@ -2,6 +2,9 @@
 {% block content %}
 			<h1>{{ title }}</h1>
 			<div class="wide size">
+				{%- if concurrent_modification %}
+				{%- include 'log/group_log_table.html' %}
+				{%- endif %}
 				<form action="{{ action }}" method="post" name="add">
 					{{ form.hidden_tag() }}
 					<div class="row">
@@ -32,9 +35,14 @@ <h1>{{ title }}</h1>
 						<div class="one-quarter column">
 							{{ render_checkbox(form.advisory_qualified, indent=7) }}
 						</div>
-						{%- if show_force %}
+						{%- if concurrent_modification %}
 						<div class="one-quarter column">
-							{{ render_checkbox(form.force_submit, indent=7) }}
+							{{ render_checkbox(form.force_update, indent=7) }}
+						</div>
+						{%- endif %}
+						{%- if show_force_creation %}
+						<div class="one-quarter column">
+							{{ render_checkbox(form.force_creation, indent=7) }}
 						</div>
 						{%- endif %}
 					</div>
diff --git a/tracker/templates/log/advisory_log.html b/tracker/templates/log/advisory_log.html
@@ -1,5 +1,4 @@
 {%- extends "base.html" -%}
-{%- from "_formhelpers.html" import colorize_diff, log_transaction_header -%}
 {% block content %}
 			<h1>{{ advisory.id }} - log
 			<a href="/{{  advisory.id }}" accesskey="b">back</a></h1>
diff --git a/tracker/templates/log/advisory_log_table.html b/tracker/templates/log/advisory_log_table.html
@@ -1,3 +1,4 @@
+{%- from "_formhelpers.html" import colorize_diff, log_transaction_header %}
 			<table class="styled-table column-major full size">
 				<thead>
 					<tr>
diff --git a/tracker/templates/log/cve_log.html b/tracker/templates/log/cve_log.html
@@ -1,5 +1,4 @@
 {%- extends "base.html" -%}
-{%- from "_formhelpers.html" import colorize_diff, log_transaction_header -%}
 {% block content %}
 			<h1>{{ issue.id }} - log
 			<a href="/{{  issue.id }}" accesskey="b">back</a></h1>
diff --git a/tracker/templates/log/cve_log_table.html b/tracker/templates/log/cve_log_table.html
@@ -1,3 +1,4 @@
+{%- from "_formhelpers.html" import colorize_diff, log_transaction_header %}
 			<table class="styled-table column-major full size">
 				<thead>
 					<tr>
diff --git a/tracker/templates/log/group_log.html b/tracker/templates/log/group_log.html
@@ -1,5 +1,4 @@
 {%- extends "base.html" -%}
-{%- from "_formhelpers.html" import colorize_diff, log_transaction_header, boolean_value -%}
 {% block content %}
 			<h1>{{ group.name }} - log
 			<a href="/{{  group.name }}" accesskey="b">back</a></h1>
diff --git a/tracker/templates/log/group_log_table.html b/tracker/templates/log/group_log_table.html
@@ -1,19 +1,20 @@
+{%- from "_formhelpers.html" import colorize_diff, log_transaction_header, boolean_value %}
 			<table class="styled-table column-major full size">
 				<thead>
 					<tr>
 						<th colspan="2">{{ log_transaction_header(group, can_watch_user_log) }}</th>
 					</tr>
 				</thead>
 				<tbody>
-					{%- if (group.packages or group.previous.packages) and group.packages != group.previous.packages %}
+					{%- if (group.packages or group.previous.packages) and group.packages|map(attribute='pkgname')|sort != group.previous.packages|map(attribute='pkgname')|sort %}
 					<tr>
 						<td>Packages</td>
 						<td class="full size">
 							{{- colorize_diff(group.previous.packages|map(attribute='pkgname')|sort|join('\n'), group.packages|map(attribute='pkgname')|sort|join('\n')) }}
 						</td>
 					</tr>
 					{%- endif %}
-					{%- if (group.issues or group.previous.issues) and group.issues != group.previous.issues %}
+					{%- if (group.issues or group.previous.issues) and group.issues|map(attribute='cve_id')|issuesort != group.previous.issues|map(attribute='cve_id')|issuesort %}
 					<tr>
 						<td>Issues</td>
 						<td class="full size">
diff --git a/tracker/view/add.py b/tracker/view/add.py
@@ -166,7 +166,7 @@ def add_group():
     pkgnames = multiline_to_list(form.pkgnames.data)
 
     # check if a package with a CVE clashes with an existing group
-    if not form.force_submit.data:
+    if not form.force_creation.data:
         same_group = (db.session.query(CVEGroup, CVE, CVEGroupPackage)
                       .join(CVEGroupEntry, CVEGroup.issues)
                       .join(CVE, CVEGroupEntry.cve)
@@ -183,7 +183,7 @@ def add_group():
                                    title='Add AVG',
                                    form=form,
                                    CVEGroup=CVEGroup,
-                                   show_force=True)
+                                   show_force_creation=True)
 
     for cve_id in list(filter(lambda issue: issue not in existing_issue_ids, issue_ids)):
         cve = db.create(CVE, id=cve_id)
diff --git a/tracker/view/edit.py b/tracker/view/edit.py
