Closed
Bug 432584
Opened 16 years ago
Closed 16 years ago
Password reset form broken
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
3.4.2
People
(Reporter: wenzel, Assigned: cpollett)
References
()
Details
(Keywords: regression)
Attachments
(1 file)
2.01 KB,
patch
|
wenzel
:
review+
|
Details | Diff | Splinter Review |
The password reset form is broken (on production but on preview as well). When you enter and submit an email address, you get: "There are errors in this form. Please correct them and resubmit." It may be related to bug 427974.
Updated•16 years ago
|
Keywords: regression
Reporter | ||
Comment 1•16 years ago
|
||
Chris, could you take a look at it? If it's related to the CSRF fix, it's probably easy to do.
Assignee: nobody → cpollett
Assignee | ||
Comment 2•16 years ago
|
||
This was caused by the patch to the CSRF bug which is forbidding any posted data that is not explicitly allowed and which does not have the correct hidden variable. Since users_controller has several methods which need to be run before a session has started these need to be explicitly allowed. The fix makes the process of allowing an action a little easier. Instead of adding new special cases to the app_controller checkCSRF function, one uses the field variable to ones controller $exceptionCSRF which should be an array of allowed paths for this controller. In the case of the bug, this list is now: "/users/login", "/users/register", "/users/pwreset", "/users/verify" I looked through users_controller.php and I think this is now a complete list of things that might need to post data before a session starts, but this should be double-checked.
Attachment #319740 -
Flags: review?(fwenzel)
Comment 3•16 years ago
|
||
Are you saying that /users/verify is currently broken on production, too (besides pwreset)? ... meaning people can't active new accounts? If so, that's really bad.
Severity: major → blocker
Comment 4•16 years ago
|
||
Ah, /users/verify is probably not affected by this because it's a GET instead of POST, right? or am I missing something?
Reporter | ||
Comment 5•16 years ago
|
||
No, I noticed the same. verify is a GET-only action, indeed.
Reporter | ||
Comment 6•16 years ago
|
||
Comment on attachment 319740 [details] [diff] [review] proposed patch It works, but please remove users/verify from the list, as it has no POST form.
Attachment #319740 -
Flags: review?(fwenzel) → review+
Assignee | ||
Updated•16 years ago
|
Comment 8•16 years ago
|
||
Verified FIXED using: https://preview.addons.mozilla.org/en-US/firefox/users/pwreset
Status: RESOLVED → VERIFIED
Updated•16 years ago
|
Keywords: push-needed
Updated•8 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•