Hi,
Since version 2.9.11 of Web2Py this piece of code can be found in tools.py:
    if self.settings.prevent_password_reset_attacks:
        key = request.vars.key
        if not key and len(request.args)>1:
            key = request.args[-1]
        if key:
            session._reset_password_key = key
            redirect(self.url(args='reset_password'))
        else:
            key = session._reset_password_key
Why does this:
    if not key and len(request.args)>1:
need to be bigger than 1? Why not 0?
We used this URL to reset passwords:
http://127.0.0.1:8000/choose-new-password/1404975130-6f97a238-a47c-4ed2-b84a-e2837a1c1fbe
This breaks at the moment; now we need to call a URL like this:
http://127.0.0.1:8000/choose-new-password/dummy/1404975130-6f97a238-a47c-4ed2-b84a-e2837a1c1fbe
to get enough args :(
choose-new-password() is located in default.py, and default.py is set as
the default controller in routes.py like this:
    default_controller = 'default'
It feels like >1 is a mistake / bug and it should be >0. In case this is
done by design, we will add the 'dummy' argument to the URL :)
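
Added example (not part of the original post and not web2py's own code): a framework-free model of the quoted branch, run against the two URL shapes from the post plus a hypothetical ?key= query-string link, which the snippet's first line reads from request.vars. The function name, the dict-based session and the args lists are assumptions constructed for illustration.

```python
# Models only the quoted lines; the redirect is reported as a flag
# instead of being raised the way web2py's redirect() does.

def find_reset_key(request_vars, request_args, session):
    """Return (key, redirected) as the quoted branch would resolve it."""
    key = request_vars.get("key")
    if not key and len(request_args) > 1:
        key = request_args[-1]
    if key:
        # Key arrived with the request: park it in the session, then
        # redirect to a URL that no longer carries it.
        session["_reset_password_key"] = key
        return key, True
    # No key in the request: fall back to what an earlier request stored.
    return session.get("_reset_password_key"), False


TOKEN = "1404975130-6f97a238-a47c-4ed2-b84a-e2837a1c1fbe"  # token from the post

# Constructed request shapes: (request.vars, request.args)
CASES = {
    "single arg": ({}, [TOKEN]),              # /choose-new-password/<token>
    "dummy + token": ({}, ["dummy", TOKEN]),  # /choose-new-password/dummy/<token>
    "query var": ({"key": TOKEN}, []),        # /choose-new-password?key=<token> (assumed)
}


def run_cases():
    """Resolve every case against a fresh, empty session."""
    return {name: find_reset_key(v, a, {}) for name, (v, a) in CASES.items()}


if __name__ == "__main__":
    for name, (key, redirected) in run_cases().items():
        print(f"{name:14} key={key!r} redirected={redirected}")
```

In this model the single-argument link resolves to no key at all, while both the two-argument link and the query-string link store the key in the session and redirect.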