Closed Bug 432584 Opened 16 years ago Closed 16 years ago

Password reset form broken

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

defect
Not set
blocker

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: wenzel, Assigned: cpollett)


Details

(Keywords: regression)

Attachments

(1 file)

The password reset form is broken (on production but on preview as well).

When you enter and submit an email address, you get: "There are errors in this form. Please correct them and resubmit."

It may be related to bug 427974.
Chris, could you take a look at it? If it's related to the CSRF fix, it's probably easy to do.
Assignee: nobody → cpollett
Attached patch: proposed patch
This was caused by the patch to the CSRF bug which is forbidding any posted data that is not explicitly allowed and which does not have the correct hidden variable. Since users_controller has several methods which need to be run before a session has started, these need to be explicitly allowed. The fix makes the process of allowing an action a little easier. Instead of adding new special cases to the app_controller checkCSRF function, one uses the field variable to one's controller $exceptionCSRF which should be an array of allowed paths for this controller. In the case of the bug, this list is now:

"/users/login", "/users/register", "/users/pwreset", "/users/verify"

I looked through users_controller.php and I think this is now a complete list of things that might need to post data before a session starts, but this should be double-checked.
Attachment #319740 - Flags: review?(fwenzel)
Are you saying that /users/verify is currently broken on production, too (besides pwreset)? ... meaning people can't activate new accounts? If so, that's really bad.
Severity: major → blocker
Ah, /users/verify is probably not affected by this because it's a GET instead of POST, right? Or am I missing something?
No, I noticed the same. verify is a GET-only action, indeed.
Comment on attachment 319740 [details] [diff] [review]
proposed patch

It works, but please remove users/verify from the list, as it has no POST form.
Attachment #319740 - Flags: review?(fwenzel) → review+
checked into r12911, got rid of /users/verify as asked
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: push-needed
Resolution: --- → FIXED
Keywords: push-needed
Product: addons.mozilla.org → addons.mozilla.org Graveyard
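
A minimal model of the CSRF check described in the patch comment above, added here as an example and not taken from the attached patch or the AMO code base. Only the names checkCSRF and $exceptionCSRF and the exempted paths come from this bug; the function signature, the csrf_token field name, the /users/edit path and the sample requests are assumptions.

```php
<?php
// Added illustration, not AMO source. checkCSRF and $exceptionCSRF are named in
// the bug; the signature and the csrf_token field name are assumptions.
class AppController
{
    public $exceptionCSRF = array(); // paths allowed to POST without a token

    public function checkCSRF($method, $path, array $post, array $session)
    {
        // Only posted data is policed, so a GET-only action passes untouched.
        if (strtoupper($method) !== 'POST' || count($post) === 0) {
            return true;
        }
        // Exact match on this controller's own list: "/users/pwreset/x" is
        // not covered by "/users/pwreset".
        if (in_array($path, $this->exceptionCSRF, true)) {
            return true;
        }
        // Everything else must echo the session's token in the hidden field.
        if (!isset($session['csrf_token'], $post['csrf_token'])
            || !is_string($post['csrf_token'])) {
            return false;
        }
        return hash_equals($session['csrf_token'], $post['csrf_token']);
    }
}

class UsersController extends AppController
{
    // The list as checked in after review: /users/verify dropped (GET only).
    public $exceptionCSRF = array('/users/login', '/users/register', '/users/pwreset');
}

// Constructed requests: array(method, path, posted data, session).
$token = bin2hex(random_bytes(16));
$sess  = array('csrf_token' => $token);
$cases = array(
    'pwreset before a session exists' => array('POST', '/users/pwreset', array('email' => 'a@example.com'), array()),
    'verify link (GET)'               => array('GET', '/users/verify', array(), array()),
    'edit with the session token'     => array('POST', '/users/edit', array('csrf_token' => $token), $sess),
    'edit without a token'            => array('POST', '/users/edit', array('nickname' => 'x'), $sess),
    'edit with a forged token'        => array('POST', '/users/edit', array('csrf_token' => 'guess'), $sess),
);
$users = new UsersController();
foreach ($cases as $label => $c) {
    $ok = $users->checkCSRF($c[0], $c[1], $c[2], $c[3]);
    printf("%-32s %s\n", $label, $ok ? 'allowed' : 'rejected');
}
```

Every path on the exemption list accepts cross-site POSTs without a token, which is why the review trimmed it to the forms that must work before a session exists.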