From b42c761b0b986402c973d53697e937cd692e1adf Mon Sep 17 00:00:00 2001
From: Mouse Reeve <mousereeve@riseup.net>
Date: Fri, 12 Mar 2021 09:46:28 -0800
Subject: [PATCH] Safer author add logic

---
 bookwyrm/templates/edit_book.html | 6 ++++--
 bookwyrm/views/books.py           | 4 ++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/bookwyrm/templates/edit_book.html b/bookwyrm/templates/edit_book.html
index 107e75c5..61f04e37 100644
--- a/bookwyrm/templates/edit_book.html
+++ b/bookwyrm/templates/edit_book.html
@@ -74,7 +74,9 @@
         </div>
 
         <button class="button is-primary" type="submit">{% trans "Confirm" %}</button>
-        <button class="button" type="button">{% trans "Back" %}</button>
+        <a href="#" class="button" data-back>
+            <span>{% trans "Back" %}</span>
+        </a>
     </div>
 
     <hr class="block">
@@ -129,7 +131,7 @@
                 {% endif %}
                 <label class="label" for="id_add_author">{% trans "Add Authors:" %}</label>
                 <p class="help">Separate multiple author names with commas.</p>
-                <input class="input" type="text" name="add_author" id="id_add_author" placeholder="{% trans 'John Doe, Jane Smith' %}" value="{{ add_author }}">
+                <input class="input" type="text" name="add_author" id="id_add_author" placeholder="{% trans 'John Doe, Jane Smith' %}" value="{{ add_author }}" {% if confirm_mode %}readonly{% endif %}>
             </section>
         </div>
 
diff --git a/bookwyrm/views/books.py b/bookwyrm/views/books.py
index 1cb21f5e..0a11b87c 100644
--- a/bookwyrm/views/books.py
+++ b/bookwyrm/views/books.py
@@ -133,6 +133,8 @@ class EditBook(View):
             data["add_author"] = add_author
             data["author_matches"] = []
             for author in add_author.split(","):
+                if not author:
+                    continue
                 # check for existing authors
                 vector = SearchVector("name", weight="A") + SearchVector(
                     "aliases", weight="B"
@@ -200,6 +202,8 @@ class ConfirmEditBook(View):
             # get or create author as needed
             if request.POST.get("add_author"):
                 for (i, author) in enumerate(request.POST.get("add_author").split(",")):
+                    if not author:
+                        continue
                     match = request.POST.get("author_match-%d" % i)
                     if match and match != "0":
                         author = get_object_or_404(