proposed fix for bug #20491: users cannot change their passwords?
From: boud
Subject: proposed fix for bug #20491: users cannot change their passwords?
Date: Fri, 3 Aug 2007 22:33:06 +0200 (CEST)
hi samizdat-devel,
Here's a hack which i think fixes the password change bug #20491
https://savannah.nongnu.org/bugs/?20491
The change in application_helper.rb - action_token_key is clearly
a hack - a better solution would be in member_controller, but
i didn't want to mess around with member_controller too much.
IMHO the problem is confusion in the 2-stage process of "change":
1. "index" method and @request.route = member - presents a form for the user to change his/her password (or other member parameters) with the
2. the "change" method and @request.route = member/change - checks the data, checks for the action_token against cross-scripting attacks, and then does the change
The problem in 070618-1 is that the action_confirmed? script
compares tokens from member and member/change and finds that something
is different and so rejects the attempted change.
The hack in application_helper.rb:
def action_token_key
- %{action_token/address@hidden@request.route}}
+
%{action_token/address@hidden@request.route}}.sub("/member/change","/member")
end
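Review bot: the `.sub("/member/change","/member")` on the `+` line buries a route-specific exception in the generic action_token_key helper, so the token key for the member/change route silently collapses onto the key for member for every caller, and any other two-step action in the application would need its own hard-coded substitution. Consider instead having member_controller pass the route that rendered the form to action_token_key (or keying the token on the form's target action rather than on the current @request.route), which keeps the normalization next to the controller that needs it, as the message itself suggests is the better home for the fix.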
is one way of hacking around this.
i've also made a change in member_controller, since despite the
recommendation to users to press the 'back' button, some users might
decide to log out after changing their password, without bothering to
use the back button since they see a logout prompt already. In the
absence of this change, something goes wrong and seems to cause an
infinite URI redirect. Hence the change in member_controller shifts
the feedback page to a separate method "changed_ok".
patch: https://savannah.nongnu.org/bugs/download.php?file_id=13575
cheers
boud
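The two-stage token check described in the message, as an added illustration in Ruby. This is not Samizdat's code: the class ActionTokenDemo, the in-memory session hash, the route strings "member" and "member/change", the method names render_form and password_change_accepted?, and the constant-time comparison are all assumptions made for the example; only the key substitution mirrors the line in the patch. It shows why a token stored under the form-rendering route is not found under the verifying route, and that folding the second route onto the first makes the legitimate submission verify while a forged submission still fails.

```ruby
require 'securerandom'

# Minimal model of a per-route anti-CSRF action token (an illustration of the
# bug in the message, not Samizdat's code; names and routes are assumptions).
class ActionTokenDemo
  def initialize(normalize: false)
    @session = {}          # stands in for the server-side session store
    @normalize = normalize # true mirrors the sub() hack from the patch
  end

  # Key under which the token for a route is stored in the session. With
  # normalize: true the verifying route member/change is folded back onto the
  # route that presented the form, so both stages look up the same key.
  def action_token_key(route)
    key = "action_token/#{route}"
    key = key.sub("/member/change", "/member") if @normalize
    key
  end

  # Stage 1 (route "member"): mint a token, store it under the route's key and
  # return it as the form's hidden field.
  def render_form(route)
    token = SecureRandom.hex(16)
    @session[action_token_key(route)] = token
    { "action_token" => token }
  end

  # Stage 2 (route "member/change"): the submitted token must equal the one
  # stored under this route's key; a missing token on either side fails.
  def action_confirmed?(route, params)
    stored = @session[action_token_key(route)]
    submitted = params["action_token"]
    !stored.nil? && !submitted.nil? && secure_compare(stored, submitted)
  end

  private

  # Constant-time comparison so the check does not leak token bytes via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The legitimate two-stage flow from the report: the form is rendered under
# route "member" and the submission is verified under route "member/change".
def password_change_accepted?(normalize:)
  demo = ActionTokenDemo.new(normalize: normalize)
  form = demo.render_form("member")
  demo.action_confirmed?("member/change", form)
end

# A cross-site request that never rendered the form cannot know the token,
# so a guessed value (constructed here) is rejected even with normalization.
def forged_change_accepted?
  demo = ActionTokenDemo.new(normalize: true)
  demo.render_form("member")
  demo.action_confirmed?("member/change", { "action_token" => "0" * 32 })
end

if __FILE__ == $0
  puts "without normalization: #{password_change_accepted?(normalize: false)}"
  puts "with normalization:    #{password_change_accepted?(normalize: true)}"
  puts "forged submission:     #{forged_change_accepted?}"
end
```

Without normalization the lookup under "action_token/member/change" finds nothing, which is the rejection the message attributes to action_confirmed?; with it, both stages resolve to "action_token/member" and only a submission carrying the token minted for the form is accepted.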