KenWasetis <[email protected]>
writes:

> The remember product's registration.py overrides
> testPasswordValidity() (otherwise provided by
> CMFDefault.RegistrationTool.)  This override of the method removes the
> password/confirm_password field comparison/match test and delegates it
> to a call of post_validate() from remember's member.py.
>
> In some cases, it seems as though a user can enter a different value
> for the password and confirm_password fields and remember's custom
> testPasswordValidity() will not catch the error.  Instead, the
> password is set to the first value and the user could be confused
> (thinking the password is whatever he/she entered as the
> confirm_password value, not knowing he/she mistyped the password
> value.)

In some cases or all cases?  Is the problem intermittent for you?

> I provided my own little fix for this on my local instance, which does
> not touch the remember code at all, but instead customizes two forms
> that ship with Plone and ResetPasswordTool, which call
> testPasswordValidity().  These two scripts call my own custom
> testPasswordMatch() script, in addition to executing the normal
> remember testPasswordValidity(), but you may want to instead fix
> post_validate() or testPasswordValidity() in remember, if it's true
> that there's a problem.
>
> It seems like this revision from svn was related to such an issue/fix,
> but for some reason, it still doesn't seem to cover all cases:
> http://dev.plone.org/collective/changeset/47279#file0
>
> I'd really like to know whether other developers/users are seeing the
> same problem.  To test, click on the 'click here to retrieve it' link
> under the 'Forgot your password?' heading on the login_form page or
> login portlet.

Can you try allowing users to set their own password in the site
settings control panel and use the profile edit form to change the
password?  Do you still see this problem then?  Can you also test and
see if this happens on user registration when they're allowed to set
their own password?

If you can add test coverage for this issue, I'd definitely welcome the
contribution.

Thanks!
Ross

> An email will be sent to the user's email address for the username you
> enter on the mail_password_form page.  If you click on the link in
> that email, you're redirected to the /passwordreset (actually the
> pwreset_form.)
>
> When you enter the username, password, and confirm password values, if
> your password/confirm values don't match, the form is still
> submitted and password is changed to the first value.
>
> So, if it's helpful, here's the little script (borrowed snippet of
> code from original CMFDefault RegistrationTool.py
> testPasswordValidity() ) that I put into a new testPasswordMatch()
> script:
>
> from Products.CMFPlone import PloneMessageFactory as _
>
> # password and confirm are the script's parameters; a caller that
> # passes no confirm value skips the match test, as in CMFDefault.
> if confirm is not None and confirm != password:
>     return _(u'Your password and confirmation did not match. '
>              u'Please try again.')
>
> return None
>
> Then, all I had to do was modify validate_pwreset_form by inserting
> the following few lines (just below the current block that calls
> testPasswordValidity() ) to the new method:
> # assignment line reconstructed from the archive's garbled text; the
> # arguments are whatever names the validator script receives
> result = context.testPasswordMatch(password, confirm=password_confirm)
> if result:
>     state.setError('password', result)
>
> And also customize plone_change_password (also after the existing
> block that calls testPasswordValidity):
> failMessage = context.testAllmedPasswordMatch(password,
>                                               confirm=password_confirm)
> if failMessage:
>     context.plone_utils.addPortalMessage(failMessage, 'error')
>     return context.password_form(context,
>                                  REQUEST,
>                                  error=failMessage)
>
>
> If you're able to test whether your remember Plone site has the
> problem I mentioned above, it'd be helpful, though.  I'd be glad to
> then update the issue tracker with the issue and code above, but I
> believe the best patch for this is to address the source of the
> problem, which might be that post_validate is coded to expect a field
> on the request.form named 'confirm_password'.  Less than ideal to have
> this hardcoded, if we can avoid it, even if there is the attempt in
> remember's registration.py testPasswordValidity() to set this field on
> the form, if it doesn't already exist.



--
Archive: 
http://www.openplans.org/projects/remember/lists/remember/archive/2009/03/1237690061052