You found a bug. Thanks, Rowdy. I am fixing it in trunk. This is a major security issue so I will post a new web2py version later today.
On Jan 13, 12:37 am, Rowdy <da...@fielden.com.au> wrote:
> I am using web2py 1.74.5.
>
> In Auth.retrieve_password() after form.accepts(...), there is a check
> that the email address corresponds to a valid user.
>
> Next there is a check of the user's registration_key value, however it
> reads:
>
>     elif users[0].registration_key[:7] in ['pending', 'disabled']:
>         self.environment.session.flash = \
>             self.messages.registration_pending
>         redirect(self.url(args=request.args))
>
> The users[0].registration_key[:7] only checks the first 7 characters
> of the registration_key, which truncates 'disabled' to 'disable' and
> fails the comparison as the truncated string is not in the list. What
> happens is that a disabled user's account will be automatically
> enabled and they will be emailed a new password.
>
> Really, the [:7] bit is not necessary or, if retained, should be
> increased to [:8] in order to return the first 8 characters of the
> 'disabled' string.
>
> Or am I missing something?
-- You received this message because you are subscribed to the Google Groups "web2py-users" group.
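The truncated check beside a whole-string comparison, run through a minimal model of the password-retrieval flow, as an added example that is not part of this thread or of web2py's own code; the account records and the outcome strings are constructed for illustration:

```python
# Added example, not web2py's code: reproduces the prefix-truncation bug
# reported for Auth.retrieve_password() and shows a whole-string fix.

def is_blocked_truncated(registration_key):
    # The check as quoted from web2py 1.74.5: only the first 7 characters
    # are compared, so 'disabled'[:7] == 'disable' never matches the list.
    return registration_key[:7] in ['pending', 'disabled']

def is_blocked_fixed(registration_key):
    # Compare the whole value. A [:8] slice would also match 'disabled',
    # but would still treat any key that merely starts with one of these
    # words as blocked, so an exact comparison is the clearer fix.
    return registration_key in ('pending', 'disabled')

def retrieve_password(users, email, is_blocked):
    # Minimal model of the flow around the quoted check: find the user by
    # email, then either flash 'registration_pending' or issue a new
    # password. Outcomes are returned as strings instead of redirects.
    matches = [u for u in users if u['email'] == email]
    if not matches:
        return 'invalid_email'
    if is_blocked(matches[0]['registration_key']):
        return 'registration_pending'
    return 'new_password_emailed'

# Constructed sample accounts: '' stands for an active account; 'pending'
# and 'disabled' are the two states the check is meant to stop.
USERS = [
    {'email': 'active@example.com',   'registration_key': ''},
    {'email': 'pending@example.com',  'registration_key': 'pending'},
    {'email': 'disabled@example.com', 'registration_key': 'disabled'},
]

def outcomes(check):
    # Map each sample account to what the retrieval flow would do under `check`.
    return {u['email']: retrieve_password(USERS, u['email'], check) for u in USERS}

if __name__ == '__main__':
    for name, check in (('truncated', is_blocked_truncated), ('fixed', is_blocked_fixed)):
        print(name, outcomes(check))
```

With the truncated check the disabled account falls through to 'new_password_emailed', which is exactly the behaviour described in the report; with the exact comparison it is stopped alongside the pending one.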