request password generates an infite loop?

[Martin Weissenboeck]

I have a fresh copy of w2p 2.9.9 and I have tried the request_reset_password function.

It generates an email with a text like http://127.0.0.1:8000/testupdate/default/user/reset_password/14104...

It's the right auth_user.reset_password_key

That's ok, but if I try this link I get an error message from my browser (Google Chrome):

ERR_TOO_MANY_REDIRECTS

​and the address line shows ​ http://127.0.0.1:8000/testupdate/default/user/reset_password (without any parameter).

It seems to be an infite look of redirections.

This error occurs indipendent of username=True or username=False

​Regards, Martin

[Leonel Câmara]

Can you provide a simple app with this happening?

[Martin Weissenboeck]

2014-09-11 12:37 GMT+02:00 Leonel Câmara <leonel...@gmail.com>:

Can you provide a simple app with this happening?

​It is not necessary to create a new application. Please try the following steps:

1. Install a fresh copy of web2py

2. Goto to the welcom app

3. Register with your name

4. Logoff

5. Click "Lost password?"

6. Enter your email-address

7a. If you have a local installation you will see in the console window something like

Click on the link http://127.0.0.1:8000/welcome/default/user/reset_password/1410497936-3c109603-5d02-4e29-974b-e79800dde46a to reset your password

7b. Or open the admin app/database administration and look at the field auth_user.reset_password_key. There is the same key - enter this key http://<your_server>/welcome/default/user/reset_password/<reset_password_key>

8. w2p 2.9.6 answers with a form for the new password, 

    w2p 2.9.9 generates "ERR_TOO_MANY_REDIRECTS" (Chrome)

Submitted as issue 1979

[Leonel Câmara]

Ahh yes I see the problem. Tried to figure out what was going on, but the code has too many redirects for my head too.

[Ricardo Pedroso]

I sent a pull request that, I think, fix this issue.

You can try it by change line 3014 on gluon/tools.py

if not key and len(request.args)>0:

to

if not key and len(request.args)>1:

Ricardo

On 9/12/14, Leonel Câmara <leonel...@gmail.com> wrote:
> Ahh yes I see the problem. Tried to figure out what was going on, but the
> code has too many redirects for my head too.
>

> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+un...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

[Martin Weissenboeck]

This change does the job - works fine. Thank you.

--

Mit freundlichen Grüßen / With kind regards
Martin Weissenböck
Gregor-Mendel-Str. 37, 1190 Wien
Austria / European Union

[Leonel Câmara]

Well spotted Ricardo that is indeed the problem.

However this is still wrong imho. This assumes that reset password is being called in a controller like the "def user" one in the welcome application and so reset_password will be request.args(0) and the key will be request.args(1), however one could make a controller where that's not true. We should just remove the key from args altogether and just use it in the vars to avoid this problem.