hledger-web: actually add transaction to the selected journal file #1873
8ea8a4d to 5128032
Thanks for the PR and for calling out the above, which does sound like a blocker.
Do you have any pointer to where I could get a list of allowed files from? I'm a bit lost in the code base currently.
Sure, hledger-lib:Hledger.Journal.Data.journalFilePaths will list all the journal's files.
PS, this worked once - possibly some spelunking in code history is useful?
e9e5b78 to b3e0d39
I implemented the check for the journal file. Didn't look at the code history though, so I have no idea what broke this. I also quickly tested this on my setup and it seems to work. Adding to legitimate files still works, but forging the file path to a different one produces the desired error message without appending to the file.
We went with a different fix, see #1229.
[Fix for #1229]
The hledger-web interface currently allows for selecting a file on which to append a transaction, but currently that data isn't used anywhere. It just writes to the default file, regardless of the selection.
My solution is somewhat of a hack; I use the tsourcepos metadata in the Transaction type to carry the preferred journal file around.
Also this currently has the security implication that it allows users to append transactions to arbitrary files. It probably would make sense to only restrict this to the files that are discovered by hledger, but I'm not familiar with the logic.
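The allow-list check discussed in this thread, sketched as an added example; it is not the PR's code or hledger's. The name resolveTargetFile is hypothetical, the allowed list stands in for the result of journalFilePaths (assumed here to list the main file first), and the sample paths are constructed.

```haskell
module Main where

import Data.Maybe (listToMaybe)

-- | Decide which file a submitted "add transaction" form may append to.
-- 'allowed' stands in for the output of journalFilePaths (assumption:
-- main journal file first, then included files).
-- 'requested' is the file value taken from the form, if any.
-- (Hypothetical helper, not part of hledger.)
resolveTargetFile :: [FilePath] -> Maybe FilePath -> Either String FilePath
resolveTargetFile allowed requested =
  case requested of
    -- No selection: fall back to the main journal file.
    Nothing -> maybe (Left "journal has no files") Right (listToMaybe allowed)
    Just f
      -- Exact match only. The submitted string is never normalised,
      -- prefix-matched or joined onto a directory, so a value that merely
      -- resembles a known path is still rejected.
      | f `elem` allowed -> Right f
      | otherwise        -> Left ("unknown journal file: " ++ show f)

main :: IO ()
main = do
  -- Constructed sample data.
  let allowed =
        [ "/home/user/finance/main.journal"
        , "/home/user/finance/2021.journal"
        ]
      cases =
        [ Nothing                                         -- default file
        , Just "/home/user/finance/2021.journal"          -- legitimate include
        , Just "/home/user/finance/2021.journal.bak"      -- shares a prefix only
        , Just "/home/user/finance/../notes/todo.txt"     -- forged form value
        , Just ""                                         -- empty field
        ]
      describe c =
        show c ++ " -> "
          ++ either ("rejected, " ++) ("append to " ++) (resolveTargetFile allowed c)
  mapM_ (putStrLn . describe) cases
```

The check has to run server-side on the submitted value before any write; limiting the choices shown in the form's file selector does not constrain what a client can send.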