proposed fix for bug #20491: users cannot change their passwords?

From: boud
Subject: proposed fix for bug #20491: users cannot change their passwords?
Date: Fri, 3 Aug 2007 22:33:06 +0200 (CEST)

hi samizdat-devel,

Here's a hack which i think fixes the password change bug #20491.

The change in application_helper.rb - action_token_key is clearly a hack - a better solution would be in member_controller, but
i didn't want to mess around with member_controller too much.

IMHO the problem is confusion in the 2-stage process of "change":

1. "index" method and @request.route = member - presents a form for
the user to change his/her password (or other member parameters) with

2. the "change" method and @request.route = member/change - checks the
data, checks for the action_token against cross-scripting attacks, and
then does the change

The problem in 070618-1 is that the action_confirmed? script compares tokens from member and member/change and finds that something
is different and so rejects the attempted change.

The hack in application_helper.rb:

   def action_token_key
-    %{action_token/address@hidden@request.route}}
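Review bot: the quoted line is the only hunk line shown and it has been mangled by the list archive's address masking ("address@hidden" has replaced part of the interpolated key), and the replacement `+` line is not quoted at all, so the new value of action_token_key cannot be reviewed from this message. Please resend the full hunk (both the `-` and `+` lines, ideally with the `@@` header) so the route-independent key can be checked against the action_confirmed? comparison described above.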

is one way of hacking around this.

i've also made a change in member_controller, since despite the
recommendation to users to press the 'back' button, some users might
decide to log out after changing their password, without bothering to
use the back button since they see a logout prompt already. In the
absence of this change, something goes wrong and seems to cause an
infinite URI redirect. Hence the change in member_controller shifts
the feedback page to a separate method "changed_ok".
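The mismatch described in the message, modelled as an added example (this is not Samizdat's code and the key formats are assumptions): an action token is stored in the session under a key, the form page on one route stores it, and the handler on a second route checks it. When the key includes the request route, the token written while rendering "member" is looked up under "member/change" and is never found, so the change is rejected; a key that does not depend on the route lets the two-stage process succeed while a submission with no token, or a wrong one, is still rejected.

```ruby
require 'securerandom'

# Minimal stand-in for the per-user session store (constructed for this example).
class Session
  def initialize
    @data = {}
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @data[key] = value
  end
end

# Route-dependent key: models the behaviour the post describes, where the
# token is stored under the route that rendered the form and looked up
# under the route that handles the submission.
ROUTE_KEYED = ->(route) { "action_token/#{route}" }

# Route-independent key (hypothetical fix): the same key on both routes of
# the two-stage process, still scoped to the session.
FIXED_KEY = ->(_route) { 'action_token' }

# Stage 1: render the form, generating and storing a fresh random token.
def render_form(session, route, key_fn)
  token = SecureRandom.hex(16)
  session[key_fn.call(route)] = token
  token
end

# Stage 2: the handler checks the submitted token against the stored one.
def action_confirmed?(session, route, submitted_token, key_fn)
  stored = session[key_fn.call(route)]
  return false if stored.nil? || submitted_token.nil?

  stored == submitted_token
end

# Full two-stage flow: form rendered on 'member', submitted to 'member/change'.
# Returns whether the legitimate change is accepted under the given key scheme.
def legitimate_change_accepted?(key_fn)
  session = Session.new
  token = render_form(session, 'member', key_fn)
  action_confirmed?(session, 'member/change', token, key_fn)
end

# A submission that never rendered the form (no token in the session) or that
# carries a token which does not match must be rejected under either scheme.
def unsolicited_change_accepted?(key_fn)
  session = Session.new
  render_form(session, 'member', key_fn)
  action_confirmed?(session, 'member/change', 'not-the-stored-token', key_fn)
end

if __FILE__ == $PROGRAM_NAME
  puts "route-keyed, legitimate change accepted: #{legitimate_change_accepted?(ROUTE_KEYED)}"
  puts "fixed key,   legitimate change accepted: #{legitimate_change_accepted?(FIXED_KEY)}"
  puts "fixed key,   unsolicited change accepted: #{unsolicited_change_accepted?(FIXED_KEY)}"
end
```

The route-dependent key is the stricter of the two, since it ties a token to the action that issued it; dropping the route from the key keeps the token bound to the session but lets any form rendered in that session confirm any action. A middle ground is to key the token on the action being confirmed (here, the password change) rather than on the request route, so that the form page and its handler agree on the key without sharing one token across unrelated actions.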


