On Oct 26, 2009, at 9:06 PM, Nick Retallack wrote:

> Ugh.  On further investigation, the forgot password feature doesn't
> work even if there aren't multiple users with the same email address.
> I found that exception I alluded to.  Try this:
>
> 1) Create a new user
> 2) Log out and choose Forgot Password
> 3) Type in the user's email
> 4) Paste the url and choose a new password
> 5) New password works.  Repeat from step 2.
> 6) MultipleObjectsReturned at /account/password_reset_key/
> ae4667a26a1c040454eb2f0b68be2b7c196f0055/
> get() returned more than one PasswordReset -- it returned 2! Lookup
> parameters were {'temp_key__exact':
> u'ae4667a26a1c040454eb2f0b68be2b7c196f0055'}
>
> This is the real consequence of my issue #2 above.  The problem is
> given away by the differences between these lines:
>
> 293: if not PasswordReset.objects.filter(temp_key=temp_key,
> reset=False).count() == 1:
> 306: password_reset = PasswordReset.objects.get
> (temp_key__exact=temp_key)
>
> 293 is done in the validation step, 306 in the save step.  The form
> passes validation because only one password reset key exists such that
> reset=False.  Then, when the form is saved, it breaks because an old
> password reset still exists but does not meet the reset=False
> requirement.
>
> The naive fix would be to just add reset=False to this query as well.
> But that only serves to mask the real problem, which is that these old
> password confirmations are still there.  The validation step should be
> removed anyway, since this is not something the user has any control
> over.
>
> Oho, and I just discovered a way to break the app the way I broke it
> in issue #2, except this time I only need one user.  It's quite
> simple.
>
> 1) Type your email into the forgotten password form
> 2) Go back and do it again
> 3) Follow either email's link.
> 4) Experience the same unresponsive form from issue #3.
> Why?  Because it's failing validation on that hidden field, because
> there are two identical password reset keys in the database.
>

It looks like these issues are a direct result of the fact that it is
possible to create multiple password reset keys for the same e-mail
address. Though I think we should additionally add the reset=False on
save to allow the database to serve as a record of password resets.

Brian Rosner
http://oebfare.com
http://twitter.com/brosner
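The mismatch Nick points out (validation filters on reset=False, save does not) and the fix Brian proposes (keep reset=False on save, and stop issuing a second live key for the same address) can be modelled without Django. The following is an added example and not Pinax's code: it uses a small in-memory stand-in for the PasswordReset model and its manager, with filter()/get() mimicking Django's semantics (get() raising MultipleObjectsReturned on more than one match). The sample rows deliberately share one key value to reproduce the state from the thread; how Pinax derived temp_key is not shown here, so the fixed request path simply generates a random one. All names, e-mail addresses and key values are constructed for the example.

```python
"""Added example (not Pinax's code): the password-reset lookup mismatch
from the thread, reproduced in memory, next to a fixed flow."""
from dataclasses import dataclass
from typing import List
import secrets


class MultipleObjectsReturned(Exception):
    """Stand-in for Django's MultipleObjectsReturned."""


class DoesNotExist(Exception):
    """Stand-in for Django's DoesNotExist."""


@dataclass
class PasswordReset:
    email: str
    temp_key: str
    reset: bool = False  # True once this key has been used to set a password


class PasswordResetTable:
    """Tiny stand-in for a Django model manager with filter()/get()."""

    def __init__(self) -> None:
        self.rows: List[PasswordReset] = []

    def filter(self, **kw) -> List[PasswordReset]:
        return [r for r in self.rows
                if all(getattr(r, k) == v for k, v in kw.items())]

    def get(self, **kw) -> PasswordReset:
        rows = self.filter(**kw)
        if not rows:
            raise DoesNotExist()
        if len(rows) > 1:
            raise MultipleObjectsReturned(
                "get() returned more than one PasswordReset -- "
                f"it returned {len(rows)}!")
        return rows[0]


# --- Flow as described in the thread: validation and save disagree -------

def buggy_validate(table: PasswordResetTable, temp_key: str) -> bool:
    # "line 293": only unconsumed rows are counted
    return len(table.filter(temp_key=temp_key, reset=False)) == 1


def buggy_save(table: PasswordResetTable, temp_key: str) -> PasswordReset:
    # "line 306": reset=False is missing, so an old consumed row collides
    pr = table.get(temp_key=temp_key)
    pr.reset = True
    return pr


def reproduce_thread_scenario():
    """Constructed state: one consumed and one live row sharing a key.
    Returns (validation passed, save raised MultipleObjectsReturned)."""
    table = PasswordResetTable()
    key = "constructed-shared-key"
    table.rows.append(PasswordReset("user@example.com", key, reset=True))
    table.rows.append(PasswordReset("user@example.com", key, reset=False))
    passed = buggy_validate(table, key)
    try:
        buggy_save(table, key)
        crashed = False
    except MultipleObjectsReturned:
        crashed = True
    return passed, crashed


# --- Fixed flow ----------------------------------------------------------

def request_reset(table: PasswordResetTable, email: str) -> PasswordReset:
    """Issue a new key and retire any outstanding live keys for the address,
    so at most one reset link per e-mail address is valid at a time."""
    for old in table.filter(email=email, reset=False):
        old.reset = True
    pr = PasswordReset(email=email, temp_key=secrets.token_hex(20))
    table.rows.append(pr)
    return pr


def fixed_save(table: PasswordResetTable, temp_key: str) -> PasswordReset:
    """Use the same predicate as validation; consumed rows are kept as a
    record rather than deleted, as Brian suggests."""
    pr = table.get(temp_key=temp_key, reset=False)
    pr.reset = True
    return pr
```

The consumed rows are never deleted, so the table still doubles as a history of resets; the save path tolerates that history only because it queries with the same reset=False predicate the validation step uses. Reusing a consumed key with fixed_save raises DoesNotExist instead of silently succeeding.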

You received this message because you are subscribed to the Google Groups "Pinax Core Development" group.