[ckan-dev] reset_password; potentially unstable functionality.

Richard Claydon richard at icdw.co.uk
Thu Mar 6 12:51:15 UTC 2014


Hi

I was looking at the reset password function and came across this
code in the reset_password function of the users controller, where if
a user cannot be found, the system lists the users and checks for it
again inside an exception handler.

try:
    user_dict = get_action('user_show')(context, data_dict)
    user_obj = context['user_obj']
except NotFound:
    # Try searching the user
    del data_dict['id']
    data_dict['q'] = id

    if id and len(id) > 2:
        user_list = get_action('user_list')(context, data_dict)
        if len(user_list) == 1:
            # This is ugly, but we need the user object for the
            # mailer,
            # and user_list does not return them
            del data_dict['q']
            data_dict['id'] = user_list[0]['id']
            user_dict = get_action('user_show')(context, data_dict)
            user_obj = context['user_obj']
        elif len(user_list) > 1:
            h.flash_error(_('"%s" matched several users') % (id))
        else:
            h.flash_error(_('No such user: %s') % id)
    else:
        h.flash_error(_('No such user: %s') % id)

https://github.com/ckan/ckan/commit/48f62a1ed850a0b4071df74f1bf4d68bfde67907

I tracked it down to this commit, but can't tell if this was a hack to
fix a problem (as the code comment suggests) or if this was to broaden
the search to allow people to search for their name as well as
username.

When testing this code, I get the exception "Action function user_show
did not call its auth function" when the second call to
"get_action('user_show')(context, data_dict)" is made, because the auth
auditor wants "check_access" called again.

I'm thinking about submitting a pull request but not sure what the fix
would be: remove the code altogether (my preferred approach) or
adjust the check_access problem by calling check_access again.

Any thoughts?

Thanks
Richard
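To make the failure reproducible outside CKAN, here is an added example (not CKAN's code, nor Richard's) modelling the auth auditor as a stack: it assumes get_action pushes a pending entry that the action's check_access call pops, so an action that raises NotFound before reaching check_access leaves a stale entry in the shared context, and the next user_show call on that context trips the auditor. USERS, reset_lookup and the recheck flag (the post's "call check_access again" option) are constructed for the model.

```python
# Constructed stand-ins for the CKAN pieces named in the post; not CKAN code.
class NotFound(Exception): pass
class AuthAuditError(Exception): pass
USERS = [{"id": "u1", "name": "richard", "fullname": "Richard Claydon"}]

def check_access(action, context, data_dict=None):
    # Consume the pending audit entry for this action, then authorize.
    audit = context.setdefault("__auth_audit", [])
    if audit and audit[-1] == action:
        audit.pop()
    return True  # real authorization is out of scope for the model

def _user_show(context, data_dict):
    key = data_dict.get("id")
    user = next((u for u in USERS if key in (u["id"], u["name"])), None)
    if user is None:
        raise NotFound(key)  # raised before check_access: entry stays pending
    context["user_obj"] = user
    check_access("user_show", context, data_dict)
    return dict(user)

def _user_list(context, data_dict):
    check_access("user_list", context, data_dict)
    q = data_dict.get("q", "")
    return [dict(u) for u in USERS if q in u["name"] or q in u["fullname"]]
ACTIONS = {"user_show": _user_show, "user_list": _user_list}

def get_action(name):
    def wrapped(context, data_dict):
        audit = context.setdefault("__auth_audit", [])
        audit.append(name)  # pending until the action calls check_access
        result = ACTIONS[name](context, data_dict)
        if audit and audit[-1] == name:  # never consumed, or stale from earlier
            raise AuthAuditError("Action function %s did not call its auth function" % name)
        return result
    return wrapped

def reset_lookup(user_id, recheck=False):
    context, data_dict = {}, {"id": user_id}  # one context shared by all calls
    try:
        return get_action("user_show")(context, data_dict)
    except NotFound:
        data_dict = {"q": user_id}
        user_list = get_action("user_list")(context, data_dict) if len(user_id) > 2 else []
        if len(user_list) != 1:
            return None
        data_dict = {"id": user_list[0]["id"]}
        if recheck:  # explicit check_access pops the stale entry first
            check_access("user_show", context, data_dict)
        return get_action("user_show")(context, data_dict)
```

In this model the exception is caused by state the failed first call left in the context, so the recheck only works because it happens to pop that stale entry; a fresh context for the second lookup would avoid it as well.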


