[ckan-dev] reset_password; potentially unstable functionality.
Richard Claydon
richard at icdw.co.uk
Thu Mar 6 12:51:15 UTC 2014
Hi
I was looking at the reset password function and came across this
code in the reset_password function of the users controller, where, if
a user cannot be found, the system lists the users and checks for it
again inside an exception handler.
try:
    user_dict = get_action('user_show')(context, data_dict)
    user_obj = context['user_obj']
except NotFound:
    # Try searching the user
    del data_dict['id']
    data_dict['q'] = id
    if id and len(id) > 2:
        user_list = get_action('user_list')(context, data_dict)
        if len(user_list) == 1:
            # This is ugly, but we need the user object for the
            # mailer, and user_list does not return them
            del data_dict['q']
            data_dict['id'] = user_list[0]['id']
            user_dict = get_action('user_show')(context, data_dict)
            user_obj = context['user_obj']
        elif len(user_list) > 1:
            h.flash_error(_('"%s" matched several users') % (id))
        else:
            h.flash_error(_('No such user: %s') % id)
    else:
        h.flash_error(_('No such user: %s') % id)
https://github.com/ckan/ckan/commit/48f62a1ed850a0b4071df74f1bf4d68bfde67907
I tracked it down to this commit, but can't tell if this was a hack to
fix a problem (as the code comment suggests) or if this was to broaden
the search to allow people to search for their name as well as
username.
When testing this code, I get the exception "Action function user_show
did not call its auth function" when the second call to
"get_action('user_show')(context, data_dict)" is made, because the auth
auditor wants "check_access" called again.
I'm thinking about submitting a pull request but not sure what the fix
would be. Remove the code altogether (my preferred approach) or
adjust the check_access problem by calling check_access again.
Any thoughts?
Thanks
Richard
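As an added illustration (not part of Richard's message and not CKAN's code), the following Python model reproduces the audit failure the post describes: an action that raises NotFound before reaching its auth check leaves a stale entry on the context's audit stack, so a second get_action call that re-uses the same context trips the auditor even though the second action did call check_access. The function names, the stack layout under context['__auth_audit'] and the user fixture are assumptions; the two remedies modelled are calling check_access again (the fix the post proposes) and, as an alternative, not sharing the context between the two calls.

```python
# Constructed model of the "auth audit" failure described in the post; it is
# NOT CKAN's code: names, stack layout and the user fixture are assumptions.
class NotFound(Exception): pass
class AuthAuditError(Exception): pass

USERS = {"u-1": {"id": "u-1", "name": "alice"}}  # constructed fixture

def check_access(action, context):
    # Authorisation check; it also clears the action's pending audit entry.
    audit = context.setdefault("__auth_audit", [])
    if audit and audit[-1] == action:
        audit.pop()
    return True

def user_show(context, data_dict):
    # The lookup runs before the auth check, so a NotFound escapes with the
    # audit entry still on the stack: that stale entry causes the failure.
    user = USERS.get(data_dict["id"])
    if user is None:
        raise NotFound(data_dict["id"])
    check_access("user_show", context)
    return user

def get_action(name):
    fn = {"user_show": user_show}[name]
    def wrapped(context, data_dict):
        audit = context.setdefault("__auth_audit", [])
        audit.append(name)
        result = fn(context, data_dict)
        if audit and audit[-1] == name:  # entry never cleared by check_access
            raise AuthAuditError("Action function %s did not call its auth function" % name)
        return result
    return wrapped

def lookup_with_fallback(context, first_id, second_id, mode="reuse"):
    # First lookup fails and is retried on the same context, as the controller does.
    try:
        return get_action("user_show")(context, {"id": first_id})
    except NotFound:
        if mode == "check_access_first":  # the fix proposed in the post
            check_access("user_show", context)
        elif mode == "fresh_context":     # alternative: do not share the context
            context = {}
        return get_action("user_show")(context, {"id": second_id})

def outcome(mode):
    # The user's name, or the exception class name when the audit fires.
    try:
        return lookup_with_fallback({}, "nobody", "u-1", mode)["name"]
    except AuthAuditError as exc:
        return type(exc).__name__
```

Running outcome("reuse") raises the audit error even though the second user_show did call check_access, while both remedies return the user; the model also shows why simply removing the fallback (the post's preferred option) sidesteps the problem entirely.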