Handle multiple @action values from broken trackers

Author: Richard Jones

CHANGES.txt

@@ -1,6 +1,12 @@
 This file contains the changes to the Roundup system over time. The entries
 are given with the most recent entry first.
 
+2010-??0?? 1.5.1
+
+Fixed:
+- Handle multiple @action values from broken trackers.
+
+
 2010-02-23 1.5.0
 
 Fixed:

roundup/cgi/client.py

@@ -733,12 +733,17 @@ def check_anonymous_access(self):
         """
         # allow Anonymous to use the "login" and "register" actions (noting
         # that "register" has its own "Register" permission check)
+
         if ':action' in self.form:
-            action = self.form[':action'].value.lower()
+            action = self.form[':action']
         elif '@action' in self.form:
-            action = self.form['@action'].value.lower()
+            action = self.form['@action']
+        else:
+            action = ''
+        if isinstance(action, list):
+            raise SeriousError('broken form: multiple @action values submitted')
         else:
-            action = None
+            action = action.value.lower()
         if action in ('login', 'register'):
             return
 
@@ -1115,12 +1120,17 @@ def handle_action(self):
             present their messages to the user.
         """
         if ':action' in self.form:
-            action = self.form[':action'].value.lower()
+            action = self.form[':action']
         elif '@action' in self.form:
-            action = self.form['@action'].value.lower()
+            action = self.form['@action']
         else:
             return None
 
+        if isinstance(action, list):
+            raise SeriousError('broken form: multiple @action values submitted')
+        else:
+            action = action.value.lower()
+
         try:
             action_klass = self.get_action_class(action)