Hi there!
I'm using the `/default/user/change_password` controller from
`gluon.tools.Auth`. I've noticed that the submission of the change password
form always triggers a redirect, even if the entered old password wasn't
correct and the password wasn't changed because of that. Looking into the
source, I found:
(gluon/tools.py, L2703-2721)

    if form.accepts(request, session,
                    formname='change_password',
                    onvalidation=onvalidation,
                    hideerror=self.settings.hideerror):
        if not form.vars['old_password'] == s.select().first()[passfield]:
            form.errors['old_password'] = self.messages.invalid_password
        else:
            d = {passfield: str(form.vars.new_password)}
            s.update(**d)
            session.flash = self.messages.password_changed
            self.log_event(log, self.user)
            callback(onaccept, form)
            if not next:
                next = self.url(args=request.args)
            else:
                next = replace_id(next, form)
        redirect(next)

Because of the redirect, `form.errors` is never displayed to the user. My
question is: Is that behaviour a choice by design? To me, it would be more
logical if the redirect only occurred if the action was successful, i.e.
just indent `redirect(next)` one level to the right:

    if not form.vars['old_password'] == s.select().first()[passfield]:
        form.errors['old_password'] = self.messages.invalid_password
    else:
        #snip
        if not next:
            next = self.url(args=request.args)
        else:
            next = replace_id(next, form)
        redirect(next)

What do you think about that? :-)
Cheers!
Friedrich
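
The behaviour described in the post, as an added example that is not part of the original message and is not web2py code: a self-contained model that can serve as a regression check for both placements of the redirect. `Redirect`, `Form`, `change_password` and `handle_request` are hypothetical stand-ins, and the passwords and URL are constructed sample values.

```python
class Redirect(Exception):
    """Stand-in for the exception a framework redirect() raises to end the request."""
    def __init__(self, location):
        super().__init__(location)
        self.location = location


class Form:
    """Minimal stand-in for a submitted form: only vars and errors."""
    def __init__(self, **form_vars):
        self.vars = form_vars
        self.errors = {}


def change_password(form, user, redirect_only_on_success):
    """Model of the quoted branch. `user` is a dict holding the stored value."""
    if form.vars['old_password'] != user['password']:
        form.errors['old_password'] = 'Invalid password'
        changed = False
    else:
        user['password'] = form.vars['new_password']
        changed = True
    # redirect_only_on_success=False models redirect(next) outside the else
    # branch; True models the placement proposed in the post.
    if changed or not redirect_only_on_success:
        raise Redirect('/default/user/change_password')  # constructed URL
    return form


def handle_request(form, user, redirect_only_on_success):
    """Return (status, errors the user can see, stored password afterwards)."""
    try:
        rendered = change_password(form, user, redirect_only_on_success)
    except Redirect:
        # The response is a redirect: the form object, including its
        # errors, is never rendered.
        return 303, {}, user['password']
    return 200, dict(rendered.errors), user['password']


if __name__ == '__main__':
    for flag in (False, True):
        user = {'password': 'stored-value'}  # constructed sample data
        form = Form(old_password='wrong-value', new_password='new-value')
        print(flag, handle_request(form, user, flag))
```
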