Bug in forgotten password page (and potential in all lifecycles)
Reported by Iain | November 4th, 2009 @ 06:37 AM
I've noticed that if I try to reset a user password on the default forgotten password page, and a user with that email address does exist but they're not in the active state then hobo crashes.
Here's the stack trace:
You have a nil object when you didn't expect it!
The error occurred while evaluating nil.run!
/Library/Ruby/Gems/1.8/gems/hobo-0.8.10/lib/hobo/lifecycles/lifecycle.rb:129:in `transition'
(eval):3:in `request_password_reset!'
/Library/Ruby/Gems/1.8/gems/hobo-0.8.10/lib/hobo/user_controller.rb:128:in `hobo_forgot_password'
<my-app-dir>/app/controllers/users_controller.rb:10:in `forgot_password'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/base.rb:1331:in `send'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/base.rb:1331:in `perform_action_without_filters'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/filters.rb:617:in `call_filters'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/filters.rb:638:in `run_before_filters'
/Library/Ruby/Gems/1.8/gems/hobo-0.8.10/lib/hobo/controller.rb:22:in `call'
/Library/Ruby/Gems/1.8/gems/hobo-0.8.10/lib/hobo/controller.rb:22:in `included_in_class'
/Library/Ruby/Gems/1.8/gems/activesupport-2.3.4/lib/active_support/callbacks.rb:182:in `call'
/Library/Ruby/Gems/1.8/gems/activesupport-2.3.4/lib/active_support/callbacks.rb:182:in `evaluate_method'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/filters.rb:184:in `call'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/filters.rb:635:in `run_before_filters'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/filters.rb:615:in `call_filters'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/filters.rb:610:in `perform_action_without_benchmark'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/Library/Ruby/Gems/1.8/gems/activesupport-2.3.4/lib/active_support/core_ext/benchmark.rb:17:in `ms'
/Library/Ruby/Gems/1.8/gems/activesupport-2.3.4/lib/active_support/core_ext/benchmark.rb:17:in `ms'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/benchmarking.rb:68:in `perform_action_without_rescue'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/rescue.rb:160:in `perform_action_without_flash'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/flash.rb:146:in `perform_action'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/base.rb:532:in `send'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/base.rb:532:in `process_without_filters'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/filters.rb:606:in `process'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/base.rb:391:in `process'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/base.rb:386:in `call'
/Library/Ruby/Gems/1.8/gems/actionpack-2.3.4/lib/action_controller/routing/route_set.rb:437:in `call'
The lifecycle stage that it dies on is :request_password_reset.
If I put in an email address (for the forgotten password) that is not in the database then the form behaves correctly (displays the next page but does nothing). If I put in the address of a user in the active state (which is what this lifecycle transition is expecting) then it works correctly (displays the next page and emails the user). But if the user exists but is not in the active state then the error above is thrown.
Having traced through the code it looks like the cause of the problem is in Hobo::Lifecycles::Lifecycle.transition - it searches for the requested transition and then runs it, but doesn't check to see if any transitions were found.
The fix might be as simple as a null pointer check but I'm not very confident with lifecycles yet so I wouldn't like to make that call.
Comments and changes to this ticket
-
Bryan Larsen November 5th, 2009 @ 12:25 PM
This seems like two bugs to me. The first is as you mentioned:
    def transition(name, user, attributes)
      transition = find_transition(name, user)
      transition.run!(record, user, attributes) unless transition.nil?
    end
The other would be to have a reset_password transition be available on an inactive user. It seems to me that this should be part of our default generator. Doing so would reset the activation key, though -- perhaps it should deliver the activation email instead of the reset_password email?
-
Bryan Larsen November 5th, 2009 @ 04:51 PM
It turns out the generator doesn't add the inactive transition. I'll add this to the agility tutorial:
    transition :request_password_reset, { :inactive => :inactive }, :new_key => true do
      UserMailer.deliver_activation(self, lifecycle.key)
    end
-
Tom Locke November 5th, 2009 @ 04:55 PM
- State changed from new to resolved
(from [8e0c77a08635d194361c53a29a52bb6ab1a0ec0f]) [#525 state:resolved] transition functions should not die so hard if there's no transition for the state.
http://github.com/tablatom/hobo/commit/8e0c77a08635d194361c53a29a52...
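The three cases from the report (active user, inactive user, unknown address) as a runnable model, added here as an example and not taken from Hobo or from any commenter: `ToyUser`, `Transition`, `responses`, `mail_for` and both transition tables are hypothetical stand-ins. It shows that the unguarded call gives the inactive case a response the requester can tell apart from the other two, and that the nil check plus the inactive transition make all three responses identical.

```ruby
# Added example: toy model of the ticket, not Hobo code; every name here is hypothetical.
Transition = Struct.new(:name, :from, :to, :mail)
RESET = :request_password_reset
# Table with the active transition only, and with the inactive transition added.
GENERATED     = [Transition.new(RESET, :active, :active, :reset_password)].freeze
WITH_INACTIVE = (GENERATED + [Transition.new(RESET, :inactive, :inactive, :activation)]).freeze

class ToyUser
  attr_reader :state, :outbox
  def initialize(state, table)
    @state, @table, @outbox = state, table, []
  end

  def find_transition(name)
    @table.find { |t| t.name == name && t.from == @state }
  end

  # Before the fix: no matching transition means a method call on nil.
  def transition_unguarded(name)
    run(find_transition(name))
  end

  # After the fix: no matching transition is a silent no-op.
  def transition(name)
    t = find_transition(name)
    run(t) unless t.nil?
  end

  private def run(t)
    @outbox << t.mail
    @state = t.to
  end
end

# What the requester sees for an active, an inactive and an unknown address (constructed).
def responses(table, guarded)
  users = { "a@example.test" => ToyUser.new(:active, table), "i@example.test" => ToyUser.new(:inactive, table) }
  %w[a@example.test i@example.test nobody@example.test].map do |email|
    user = users[email]
    user.send(guarded ? :transition : :transition_unguarded, RESET) if user
    :next_page
  rescue NoMethodError
    :server_error
  end
end

# Mail queued for a user in the given state after a guarded reset request.
def mail_for(state, table)
  ToyUser.new(state, table).tap { |u| u.transition(RESET) }.outbox
end
```

With the guard alone an inactive user gets the same page as everyone else but no mail; with the inactive transition as well, the activation mail is queued.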