password recovery throws error when e-mail exists
Reported by Tiago Franco | January 7th, 2009 @ 12:52 AM | in Hobo 1.0 - Final
The password recovery process throws an exception when the e-mail exists in the database.
Please fix user_controller from:
def hobo_forgot_password
  if request.post?
    user = model.find_by_email_address(params[:email_address])
    if user && (!block_given? || yield(user))
      user.lifecycle.request_password_reset!(:nobody)
    end
    render_tag :forgot_password_email_sent_page
  end
end
to:
def hobo_forgot_password
  if request.post?
    user = model.find_by_email_address(params[:email_address])
    if user && (!block_given? || yield(user))
      user.lifecycle.request_password_reset!(current_user)
    end
    render_tag :forgot_password_email_sent_page
  end
end
Mind that user.lifecycle.request_password_reset!(:nobody) is the cause for the exception (:nobody != "Guest").
user.lifecycle.request_password_reset!(current_user) is the solution. If the user is Guest, he will have permissions to the action.
See attached user.rb for the lifecycle used to debug the error.
Comments and changes to this ticket
-
Tom Locke March 12th, 2009 @ 11:21 AM
- Milestone set to Hobo 1.0 - Final
- Tag changed from lifecycles, user_controller to defect, lifecycles, user_controller
- State changed from new to open
-
Bryan Larsen May 6th, 2009 @ 08:01 PM
Tiago,
Is there any particular reason why you have :available_to => 'Guest' on your request_password_reset action? The generated request_password_reset does not contain this option.
-
Tiago Franco May 6th, 2009 @ 10:21 PM
Bryan,
This lifecycle was not generated by Hobo. I've developed it with Solars help.
By that time either Hobo was not able to generate the lifecycle or I didn't know how to do it.
Probably :available_to => 'Guest' should be removed from my code after all :)
Thanks.
-
Bryan Larsen May 7th, 2009 @ 04:24 PM
Adding :available_to makes the action "publishable", so makes the action routable. This isn't necessary for the default forgot-password-page, but may be on your app. If so, you can use
:available_to => :all
instead.
That doesn't mean that your change isn't an improvement. I'll let Tom make that call.
-
Tiago Franco May 7th, 2009 @ 04:41 PM
Hi,
Yep, this is working now, either with or without :available_to.
By the time I reported the bug the feature wasn't working, so it was fixed somewhere in the past.
Regards. TF
-
Tom Locke May 8th, 2009 @ 08:41 AM
request_password_reset is a very unique and unusual lifecycle step, because you are not logged in, but you "become" a signed up user for this one specific action (send the email), without providing a password.
Because this situation is so unusual, there is no direct support for it in the lifecycle API. Instead there is a general way to say "I'll handle access to this lifecycle with my own code". That is done by not making the lifecycle :available_to anyone at all. It is still available internally to your controller code of course.
So I think passing :nobody is correct. I think probably :system or :internal would be a better term to use than :nobody
-
Bryan Larsen May 8th, 2009 @ 11:58 AM
- State changed from open to wontfix
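The access rule discussed in this thread, as a small self-contained Ruby model added here for illustration; it is not Hobo's code or part of the ticket. Step, internal_call, web_request and PermissionDenied are hypothetical names, and the rules encode assumptions taken from the comments: a step without :available_to is not routable but can be called from controller code, while a step that declares :available_to => 'Guest' rejects the :nobody actor.

```ruby
# Simplified model of the access rule discussed in this ticket.
# NOT Hobo's implementation: Step, internal_call, web_request and
# PermissionDenied are hypothetical names; the rules are assumptions
# drawn from the comments above.
class PermissionDenied < StandardError; end
class Guest; end # stand-in for a visitor who is not logged in

class Step
  attr_reader :available_to

  def initialize(available_to: nil, &action)
    @available_to = available_to
    @action = action
  end

  # Only a step that declares :available_to is exposed to web requests.
  def publishable?
    !available_to.nil?
  end

  # With no declaration the calling code is trusted to do its own checks;
  # otherwise the acting user must match the declaration.
  def permits?(actor)
    return true if available_to.nil? || available_to == :all
    actor != :nobody && actor.class.name == available_to
  end

  def run!(actor)
    raise PermissionDenied, "#{actor.inspect} may not run this step" unless permits?(actor)
    @action.call
  end
end

# Controller code calling the step directly, as hobo_forgot_password does.
def internal_call(step, actor)
  step.run!(actor)
rescue PermissionDenied
  :denied
end

# What an anonymous request could reach through a route.
def web_request(step, actor)
  step.publishable? ? internal_call(step, actor) : :not_routable
end

GENERATED  = Step.new { :email_sent }                        # no :available_to
CUSTOMISED = Step.new(available_to: "Guest") { :email_sent } # as in the report
```

In this model the mismatch from the report shows up as `internal_call(CUSTOMISED, :nobody)` returning `:denied`, while the generated form stays unreachable from a route and still works from controller code.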