Bug: Unlock button makes URL with unlocking as side effect

If you start editing a page, and then cancel that edit, the result is a browser window visiting a URL ending in ?unlock=on. This URL will (perhaps unexpectedly) unlock the page at any time in the future when visited.

Test case

Start editing a page. Select `Cancel'. Note that the URL in the browser URL box ends in `?unlock=on'. Bookmark this URL (as if you hadn't noticed the bug). Once more, start editing the page and leave that browser window open on the edit page. In a second browser window, select the previously created bookmark entry. Observe that a second user can now edit the page, as it is unlocked.

Environment

-- IanJackson - 23 Nov 2004

Follow up

Perhaps the value to the unlock parameter should be the timestamp of the lock?

-- SamHasler - 26 Nov 2004

Alternatively, we modified setLock so that it will only let you break your own lock:

    if( $lock ) {
        my $lockTime = time();
        $self->_saveFile( $lockFilename, "$userName\n$lockTime" );    
    } else {
#       Check to see if $username matches username stored in lockfile.
        my $tmp = TWiki::Store::readFile( $lockFilename );
        my( $lockUser, $lockTime ) = split( /\n/, $tmp );

        if ($lockUser eq $userName) {
            unlink "$lockFilename";    
        }
    }

-- RobertoHoyle - 01 Feb 2006

Fix record