From 4ae0982fb08bc6772f87bcc603f6e1a098f0e2f3 Mon Sep 17 00:00:00 2001
From: Ryan Cross <rcross@amsl.com>
Date: Wed, 18 Apr 2018 23:23:20 +0000
Subject: [PATCH] Fix issue where user can make two session request
 submissions, corrupting data.  Also, ignore deleted session requests in edit
 view.  Commit ready for merge  - Legacy-Id: 15055

---
 ietf/secr/sreq/tests.py |  6 ++++++
 ietf/secr/sreq/views.py | 16 +++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/ietf/secr/sreq/tests.py b/ietf/secr/sreq/tests.py
index 0b6045090..6b84129f3 100644
--- a/ietf/secr/sreq/tests.py
+++ b/ietf/secr/sreq/tests.py
@@ -114,6 +114,12 @@ class SubmitRequestCase(TestCase):
         session_count_after = Session.objects.filter(meeting=meeting, group=group).count()
         self.assertTrue(session_count_after == session_count_before + 1)
 
+        # test that second confirm does not add sessions
+        r = self.client.post(confirm_url,post_data)
+        self.assertRedirects(r, main_url)
+        session_count_after = Session.objects.filter(meeting=meeting, group=group).count()
+        self.assertTrue(session_count_after == session_count_before + 1)
+
     def test_submit_request_invalid(self):
         make_test_data()
         group = Group.objects.get(acronym='mars')
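Review bot: The added second-confirm check cannot tell the new rejection branch apart from any other path that redirects to `main_url` without creating sessions, because it asserts only the redirect and the session count. It would be tighter to also assert that the "have already been requested once" warning was produced, for example by posting with `follow=True` and checking the response content. `self.assertEqual(session_count_after, session_count_before + 1)` would report both values on failure, where `assertTrue(a == b)` does not. The test posts sequentially, so it does not exercise two overlapping submissions. The enclosing test method starts outside this hunk.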
diff --git a/ietf/secr/sreq/views.py b/ietf/secr/sreq/views.py
index 5a0236591..e9bd42660 100644
--- a/ietf/secr/sreq/views.py
+++ b/ietf/secr/sreq/views.py
@@ -229,12 +229,22 @@ def confirm(request, acronym):
     group = get_object_or_404(Group,acronym=acronym)
     login = request.user.person
 
+    # check if request already exists for this group
+    if Session.objects.filter(group=group,meeting=meeting).exclude(status__in=('deleted','notmeet')):
+        messages.warning(request, 'Sessions for working group %s have already been requested once.' % group.acronym)
+        return redirect('ietf.secr.sreq.views.main')
+                
     session_data = form.data.copy()
     if 'bethere' in session_data:
         person_id_list = [ id for id in form.data['bethere'].split(',') if id ]
         session_data['bethere'] = Person.objects.filter(pk__in=person_id_list)
     session_data['resources'] = [ ResourceAssociation.objects.get(pk=pk) for pk in request.POST.getlist('resources') ]
     
+    button_text = request.POST.get('submit', '')
+    if button_text == 'Cancel':
+        messages.success(request, 'Session Request has been canceled')
+        return redirect('ietf.secr.sreq.views.main')
+
     button_text = request.POST.get('submit', '')
     if button_text == 'Cancel':
         messages.success(request, 'Session Request has been canceled')
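Review bot: The duplicate-request guard added at the top of `confirm` is a check-then-act sequence with no lock or transaction visible in this hunk, so two overlapping POSTs (a double click, a retry) can both see an empty queryset and both go on to create sessions. The session-creation code is outside the hunk, but if it is not already serialized, consider running the check and the creation inside `with transaction.atomic():` after locking the group row with `Group.objects.select_for_update().get(acronym=acronym)`, or enforcing it with a database constraint. The guard also evaluates the whole queryset for truthiness; `.exists()` avoids fetching rows. The added `button_text == 'Cancel'` block is a verbatim copy of the unchanged block directly below it, so one of the two is dead code and should be dropped. Because the guard sits before the Cancel handling, a Cancel on an already-requested group shows the "already been requested" warning, not the cancel message, which may or may not be intended.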
@@ -322,7 +332,7 @@ def edit_mtg(request, num, acronym):
     '''
     meeting = get_meeting(num)
     group = get_object_or_404(Group, acronym=acronym)
-    sessions = Session.objects.filter(meeting=meeting,group=group).order_by('id')
+    sessions = Session.objects.filter(meeting=meeting,group=group).exclude(status__in=('deleted','notmeet')).order_by('id')
     sessions_count = sessions.count()
     initial = get_initial_session(sessions)
     if 'resources' in initial:
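Review bot: With the new `.exclude(status__in=('deleted','notmeet'))`, `sessions` in `edit_mtg` can be empty for a group whose only sessions are deleted or marked not meeting, and that empty queryset is passed straight to `get_initial_session(sessions)`. That helper is not visible here, so it is worth confirming it tolerates an empty queryset, or returning a 404 or redirect when `sessions_count == 0`, so that a direct request to the edit URL cannot produce a server error. The status tuple now appears in both `confirm` and `edit_mtg`; a module-level constant would keep the two filters from drifting apart. The body of `edit_mtg` continues outside this hunk.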
@@ -527,10 +537,6 @@ def new(request, acronym):
 
         form = SessionForm(request.POST)
         if form.is_valid():
-            # check if request already exists for this group
-            if Session.objects.filter(group=group,meeting=meeting).exclude(status__in=('deleted','notmeet')):
-                messages.warning(request, 'Sessions for working group %s have already been requested once.' % group.acronym)
-                return redirect('ietf.secr.sreq.views.main')
             return confirm(request, acronym)
 
     # the "previous" querystring causes the form to be returned