[Bug 924124] [NEW] When using "Use single form subscription page" - User email leaks into the default text of "E-mail address" in subscribe.html for all sessions after user manages subscription

10 views
Skip to first unread message

Adam Terrey

unread,
Jan 31, 2012, 1:35:37 AM1/31/12
to singing...@googlegroups.com
Public bug reported:

When using "Use single form subscription page" - User email leaks into
the default text of "E-mail address" in subscribe.html for all sessions
after user manages subscription

To recreate
- Create a single mailing-list with a collector
- Set the global settings to "Use single form subscription page"
- subscribe an email in the /portal_newsletters/channels/----my-mailing-list-name----/subscribe.html
- confirm subscription from the email
- edit existing subscriptions through the /portal_newsletters/sendsecret.html form
- click on the "Manage your subscriptions" in the email sent
- click "Apply" in the "My subscriptions" form

the user's email is then visible as the default text of the "E-mail
address" field even on reload of the form /portal_newsletters/channels
/---my-mailing-list-name---/subscribe.html

Version Overview
Plone 4.1.3 (4112)
CMF 2.2.4
Zope 2.13.10
Python 2.6.6 (r266:84292, Mar 25 2011, 19:36:32) [GCC 4.5.2]
collective.dancing 0.9.9

** Affects: singing-dancing
Importance: Undecided
Status: New

--
You received this bug notification because you are a member of Singing &
Dancing developers, which is the registrant for Singing & Dancing.
https://bugs.launchpad.net/bugs/924124

Title:
When using "Use single form subscription page" - User email leaks into
the default text of "E-mail address" in subscribe.html for all
sessions after user manages subscription

Status in Singing & Dancing:
New

Bug description:
When using "Use single form subscription page" - User email leaks into
the default text of "E-mail address" in subscribe.html for all
sessions after user manages subscription

To recreate
- Create a single mailing-list with a collector
- Set the global settings to "Use single form subscription page"
- subscribe an email in the /portal_newsletters/channels/----my-mailing-list-name----/subscribe.html
- confirm subscription from the email
- edit existing subscriptions through the /portal_newsletters/sendsecret.html form
- click on the "Manage your subscriptions" in the email sent
- click "Apply" in the "My subscriptions" form

the user's email is then visible as the default text of the "E-mail
address" field even on reload of the form /portal_newsletters/channels
/---my-mailing-list-name---/subscribe.html

Version Overview
Plone 4.1.3 (4112)
CMF 2.2.4
Zope 2.13.10
Python 2.6.6 (r266:84292, Mar 25 2011, 19:36:32) [GCC 4.5.2]
collective.dancing 0.9.9

To manage notifications about this bug go to:
https://bugs.launchpad.net/singing-dancing/+bug/924124/+subscriptions

Daniel Nouri

unread,
Feb 6, 2012, 9:04:36 AM2/6/12
to singing...@googlegroups.com
This is happening in your Varnish or whatever reverse proxy you have set
up to do caching. I assume that it should be enough to configure the
system not to cache responses to POST requests. (Since the text seems
to appear after you click "Apply", i.e. probably a POST form action.)

Please reopen if you believe that this is not the issue.

** Changed in: singing-dancing
Status: New => Invalid

--
You received this bug notification because you are a member of Singing &
Dancing developers, which is the registrant for Singing & Dancing.
https://bugs.launchpad.net/bugs/924124

Title:
When using "Use single form subscription page" - User email leaks into
the default text of "E-mail address" in subscribe.html for all
sessions after user manages subscription

Status in Singing & Dancing:

Invalid

Adam Terrey

unread,
Feb 6, 2012, 5:17:57 PM2/6/12
to singing...@googlegroups.com
This was my first thought, but it is not the case because I can
replicate it on my machine directly accessing the Zope instance.

** Changed in: singing-dancing
Status: Invalid => New

Adam Terrey

unread,
Feb 6, 2012, 6:26:30 PM2/6/12
to singing...@googlegroups.com
this is as far as I got with the trace back


in the portlet code in PortletSubscriptionAddForm.update() ...

> collective/dancing/browser/portlets/channelsubscribe.py(156)update()
-> super(PortletSubscriptionAddForm, self).update()
(Pdb) list
151 def newslettertool(self):
152 return getToolByName(self.context, 'portal_newsletters')
153
154 def update(self):
155 import pdb;pdb.set_trace()
156 -> super(PortletSubscriptionAddForm, self).update()
157 self.channel_id = self.context.id
158
159 if self.context.collector is not None:
160 stored_values = self.stored_values
161 collector_schema = self.context.collector.schema


self.widgets gets assigned somewhere in the super(...) call, but there is so much indirection here, I'm not able to effectively trace down the part which assigns the default value to welf.widgets["composer.email"].value

-> super(PortletSubscriptionAddForm, self).update()
(Pdb) n
> /home/adam/var/buildout-cache/eggs/collective.dancing-0.9.9-py2.6.egg/collective/dancing/browser/portlets/channelsubscribe.py(157)update()
-> self.channel_id = self.context.id

(Pdb) self.widgets["composer.email"].value
u'an-e...@example.com'

tmog

unread,
Mar 14, 2012, 7:49:42 AM3/14/12
to singing...@googlegroups.com
Problem was subscribers email being set as default value on the
collectors schema when accessing my-subscriptions.html with a valid
secret. Proper brain fart.

Fix and regression test committed in #248820

Marek Kralewski

unread,
Feb 19, 2013, 6:55:34 AM2/19/13
to singing...@googlegroups.com
Great. I was also biten by this bug. Do you know when a new version ist
beeing released?

--
You received this bug notification because you are a member of Singing &
Dancing developers, which is subscribed to Singing & Dancing.
Reply all
Reply to author
Forward
0 new messages