#363 ✓wontfix
Tiago Franco

password recovery throws error when e-mail exists

Reported by Tiago Franco | January 7th, 2009 @ 12:52 AM | in Hobo 1.0 - Final

The password recovery process throws an exception when the e-mail exists in the database.

Please fix user_controller from:

def hobo_forgot_password
  if request.post?
    user = model.find_by_email_address(params[:email_address])
    if user && (!block_given? || yield(user))
      user.lifecycle.request_password_reset!(:nobody)
    end
    render_tag :forgot_password_email_sent_page
  end
end

to:

def hobo_forgot_password
  if request.post?
    user = model.find_by_email_address(params[:email_address])
    if user && (!block_given? || yield(user))
      user.lifecycle.request_password_reset!(current_user)
    end
    render_tag :forgot_password_email_sent_page
  end
end

Mind that user.lifecycle.request_password_reset!(:nobody) is the cause for the exception (:nobody != "Guest").

user.lifecycle.request_password_reset!(current_user) is the solution. If the user is Guest, he will have permissions to the action.

See attached user.rb for the lifecycle used to debug the error.

Comments and changes to this ticket

  • Tom Locke

    Tom Locke March 12th, 2009 @ 11:21 AM

    • Milestone set to Hobo 1.0 - Final
    • Tag changed from lifecycles, user_controller to defect, lifecycles, user_controller
    • State changed from “new” to “open”
  • Bryan Larsen

    Bryan Larsen May 6th, 2009 @ 08:01 PM

    Tiago,

    Is there any particular reason why you have :available_to => 'Guest' on your request_password_reset action? The generated request_password_reset does not contain this option.

  • Tiago Franco

    Tiago Franco May 6th, 2009 @ 10:21 PM

    Bryan,

    This lifecycle was not generated by Hobo. I've developed it with Solars help.

    By that time either Hobo was not able to generate the lifecycle or I didn't know how to do it.

    Probably :available_to => 'Guest' should be removed from my code after all :)

    Thanks.

  • Bryan Larsen

    Bryan Larsen May 7th, 2009 @ 04:24 PM

    Adding :available_to makes the action "publishable", so makes the action routable. This isn't necessary for the default forgot-password-page, but may be on your app. If so, you can use :available_to => :all instead.

    That doesn't mean that your change isn't an improvement. I'll let Tom make that call.

  • Tiago Franco

    Tiago Franco May 7th, 2009 @ 04:41 PM

    Hi,

    Yep, this is working now, either with or without :available_to.

    By the time I reported the bug the feature wasn't working, so it was fixed somewhere in the past.

    Regards. TF

  • Tom Locke

    Tom Locke May 8th, 2009 @ 08:41 AM

    request_password_reset is a very unique and unusual lifecycle step, because you are not logged in, but you "become" a signed up user for this one specific action (send the email), without providing a password.

    Because this situation is so unusual, there is no direct support for it in the lifecycle API. Instead there is a general way to say "I'll handle access to this lifecycle with my own code". That is done by not making the lifecycle :available_to anyone at all. It is still available internally to your controller code of course.

    So I think passing :nobody is correct. I think probably :system or :internal would be a better term to use than :nobody

  • Bryan Larsen

    Bryan Larsen May 8th, 2009 @ 11:58 AM

    • State changed from “open” to “wontfix”
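
The design described in the comments above (a transition that is not :available_to anyone is not routable, yet controller code can still invoke it by passing :nobody), as an added example that is not part of the ticket or of Hobo's code. It is a simplified Ruby model: Transition, NotPermitted, run_from_request!, run_internal! and forgot_password are hypothetical names, and the sample users are constructed.

```ruby
require "securerandom"

# Simplified model of the design discussed in this ticket; not Hobo's code.
class NotPermitted < StandardError; end

class Transition
  def initialize(name, available_to: nil, &effect)
    @name, @available_to, @effect = name, available_to, effect
  end

  # Only a transition declared with available_to is exposed as a route.
  def publishable?
    !@available_to.nil?
  end

  # Path taken by a web request: the acting user must satisfy available_to.
  def run_from_request!(record, acting_user)
    allowed = publishable? && [:all, acting_user.role].include?(@available_to)
    raise NotPermitted, "#{@name} denied for #{acting_user.role}" unless allowed
    @effect.call(record)
  end

  # Path for controller code that does its own access control. The :nobody
  # sentinel means "no acting user"; it never comes from request input.
  def run_internal!(record, actor)
    raise ArgumentError, "internal calls pass :nobody" unless actor == :nobody
    @effect.call(record)
  end
end

User  = Struct.new(:email, :role, :reset_key)
GUEST = User.new(nil, "Guest", nil)
USERS = [User.new("alice@example.test", "User", nil)] # constructed sample data

RESET = Transition.new(:request_password_reset) do |user|
  user.reset_key = SecureRandom.hex(16) # stands in for sending the e-mail
end

# Same shape as hobo_forgot_password in the ticket: the same page is returned
# whether or not the address matched, so the response reveals nothing.
def forgot_password(email)
  user = USERS.find { |u| u.email == email }
  RESET.run_internal!(user, :nobody) if user
  :forgot_password_email_sent_page
end
```

An exception raised only when the address exists would give the two cases different responses, which is why the handler returns the same page on both paths.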
