Item2569: Add strikeone protection for reset password and change email on 1.1
Current State: Closed
Released In: 1.1.0
Target Release: minor
Applies To: Engine
There is a good use of also using the already implemented strikeone for password reset and changing email. It makes making spam bots a little more of a challenge.
This bug report is for trunk. I already implemented it on release branch for 1.0.9.
On trunk I need a hand from Crawford to get it nailed. When I implement the same code I do not get redirected to where I want to go when the validation screen shows. It seems that the needed hidden fields and the target topic are not correctly carried over. You end up on the topic you came from instead of the manage script with the message that things went OK or went wrong.
Crawford, I will try to catch you on IRC to address this.
- 03 Jan 2010
Need more details to comment. Specifically I need to see the code changes you are making; paste a patch here?
- 01 Feb 2010
The code is http://trac.foswiki.org/changeset/5922
Two simple code lines in release branch. But I get redirected to the wrong place when I do the same in trunk. You have changed something in trunk and I cannot figure out how to do it now.
- 20 Mar 2010
Possibly you got caught when strikeone wasn't working properly. I just added validation checks to password reset and change and bulk user registration as well as user deletion.
Were those the cases you were concerned about? If not, the same method should work anywhere else you need it.
- 23 May 2010
Yes. The exact cases. And the code you checked in with SVN 7518 is the exact same one-liners I could not get to work. So it seems you did fix the bug that gave me trouble.
Except I also see that you reverted the change again because of unit test trouble. We have this validation in 1.0 now so removing it in 1.1 would not fly. It is a security feature and therefore now setting it urgent so we do not forget it.
- 02 Jun 2010
Yeah, I had to revert it because I had far too many irons in the fire at the time, and had to focus. I thought that since you knew what had to be done......
- 02 Jun 2010
Done, this time with unit tests, and more careful positioning of the validation call as well.
- 07 Jun 2010