[web2py] Re: Lost Password ends up with 'Invalid reset password' Error

Sat, 07 Jan 2017 09:02:11 -0800 

Two lines of code in tools.py appear to have been changed to blanks:

In current source distribution, starting at line 3748 we have:

        if self.settings.prevent_password_reset_attacks:
            key = request.vars.key



            if key:
                session._reset_password_key = key
                redirect(self.url(args='reset_password'))
            else:
                key = session._reset_password_key

I changed the two blank lines as in:

        if self.settings.prevent_password_reset_attacks:
            key = request.vars.key
            if not key and len(request.args) > 1:
                key = request.args[-1]
 
            if key:
                session._reset_password_key = key
                redirect(self.url(args='reset_password'))
            else:
                key = session._reset_password_key

(as in confirm_registration() at line 3609)


On Friday, January 6, 2017 at 6:05:54 PM UTC-5, David Manns wrote:
>
> I don't know how long this has been broken. Login is working, password 
> change is working. Noticed this in my local test environment, on Windows, 
> running latest 2.14.6 web2py with local sqlite test database. The reset 
> email is sent out, and looks like:
>
> Click on the link 
> http://127.0.0.1:8000/init/default/user/reset_password/1483740713-ae224ddb-11a3-41bc-a294-9d31e1dfa660
>  
> to reset your password.
>
> Clicking the link brings up a new browser tab, displays the login page 
> with the error message flash. I tried using the debugger to trace the flow 
> of the user controller. Looked as though some kind of @cache.. decorator 
> was being run, in any case it got to a point where it should have had the 
> reset password from the request, but the variable was set to None. I used 
> the admin app to check in the database and the matching password to that in 
> the email is sitting in the auth_reset_password_key field of the auth_user 
> record.
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to