From metatracker at psf.upfronthosting.co.za Sun Mar 8 12:52:58 2015 From: metatracker at psf.upfronthosting.co.za (Ezio Melotti) Date: Sun, 08 Mar 2015 11:52:58 +0000 Subject: [Tracker-discuss] [issue564] Password reset sends new password to wrong email In-Reply-To: <1422721439.89.0.840459452488.issue564@psf.upfronthosting.co.za> Message-ID: <1425815578.09.0.499387508452.issue564@psf.upfronthosting.co.za> Ezio Melotti added the comment: I think you should report this upstream: http://issues.roundup-tracker.org/ ---------- nosy: +ezio.melotti _______________________________________________________ PSF Meta Tracker _______________________________________________________ From metatracker at psf.upfronthosting.co.za Sat Mar 28 09:46:35 2015 From: metatracker at psf.upfronthosting.co.za (kinggreedy) Date: Sat, 28 Mar 2015 08:46:35 +0000 Subject: [Tracker-discuss] [issue564] Password reset sends new password to wrong email In-Reply-To: <1422721439.89.0.840459452488.issue564@psf.upfronthosting.co.za> Message-ID: <1427532395.38.0.622861880654.issue564@psf.upfronthosting.co.za> kinggreedy added the comment: I can reproduce this issue for issues.roundup-tracker.org, will try to make a fix ---------- assignedto: -> kinggreedy nosy: +kinggreedy _______________________________________________________ PSF Meta Tracker _______________________________________________________ From metatracker at psf.upfronthosting.co.za Sat Mar 28 11:10:35 2015 From: metatracker at psf.upfronthosting.co.za (kinggreedy) Date: Sat, 28 Mar 2015 10:10:35 +0000 Subject: [Tracker-discuss] [issue564] Password reset sends new password to wrong email In-Reply-To: <1422721439.89.0.840459452488.issue564@psf.upfronthosting.co.za> Message-ID: <1427537435.97.0.752286681686.issue564@psf.upfronthosting.co.za> kinggreedy added the comment: I think a fix for this is possible, and I'm looking into it However, secondary email address(es) were not verified. Thus can create some security issue when user can reset their password. But I think it's not a big problem since changing primary email address also don't require user to verify their new email address _______________________________________________________ PSF Meta Tracker _______________________________________________________ From metatracker at psf.upfronthosting.co.za Sat Mar 28 18:55:06 2015 From: metatracker at psf.upfronthosting.co.za (kinggreedy) Date: Sat, 28 Mar 2015 17:55:06 +0000 Subject: [Tracker-discuss] [issue564] Password reset sends new password to wrong email In-Reply-To: <1422721439.89.0.840459452488.issue564@psf.upfronthosting.co.za> Message-ID: <1427565306.01.0.122718547325.issue564@psf.upfronthosting.co.za> kinggreedy added the comment: I've attached the patch regard to this issue ---------- assignedto: kinggreedy -> _______________________________________________________ PSF Meta Tracker _______________________________________________________ -------------- next part -------------- # HG changeset patch # User Chau Nguyen # Date 1427564723 -7200 # Sat Mar 28 19:45:23 2015 +0200 # Branch experiment # Node ID 6d76e69070af99589d1c931bd393ff0984e80777 # Parent 20786c5152e433832650a4300dd1a603605d6a3e issue564 from meta tracker diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py --- a/roundup/cgi/actions.py +++ b/roundup/cgi/actions.py @@ -698,6 +698,9 @@ "to show up erroneously, please check your email)")) return + # pull the additional email address if exist + uaddress = otks.get(otk, 'uaddress', default=None) + # re-open the database as "admin" if self.user != 'admin': self.client.opendb('admin') @@ -720,8 +723,11 @@ return # user info - address = self.db.user.get(uid, 'address') name = self.db.user.get(uid, 'username') + if uaddress is None: + address = self.db.user.get(uid, 'address') + else: + address = uaddress # send the email tracker_name = self.db.config.TRACKER_NAME @@ -764,7 +770,7 @@ otk = ''.join([random.choice(chars) for x in range(32)]) while otks.exists(otk): otk = ''.join([random.choice(chars) for x in range(32)]) - otks.set(otk, uid=uid) + otks.set(otk, uid=uid, uaddress=address) self.db.commit() # send the email