[Mpuls-commits] r5569 - in base/trunk/mpulsweb: controllers templates/usersettings

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Nov 10 22:15:30 CET 2011


Author: bh
Date: 2011-11-10 22:15:29 +0100 (Thu, 10 Nov 2011)
New Revision: 5569

Modified:
   base/trunk/mpulsweb/controllers/usersettings.py
   base/trunk/mpulsweb/templates/usersettings/change_password.mako
Log:
Do not pass the user id as a hidden input field to changePasswordAction.

All actions in UsersettingsController are only used to operate on the
user currently logged in, so there's no need to pass in the id of the
user whose settings are to be changed. It's probably not a security
problem in the specific case of the changePasswordAction because
ultimately the database will not allow changing another user's password.

This commit fixes the usersettings part of mpuls/issue2367


Modified: base/trunk/mpulsweb/controllers/usersettings.py
===================================================================
--- base/trunk/mpulsweb/controllers/usersettings.py	2011-11-10 21:04:28 UTC (rev 5568)
+++ base/trunk/mpulsweb/controllers/usersettings.py	2011-11-10 21:15:29 UTC (rev 5569)
@@ -77,9 +77,8 @@
 
         validator = CheckedNewPasswordForm()
         try:
-            uid = request.params['uid']
-            c.uo = UserObject(uid)
             user = session['USER_AUTHORIZED']
+            c.uo = UserObject(user.id)
             form_result = validator.to_python(request.params, user)
             new_pass = c.uo.setPassword(form_result.get('passwd'))
             if new_pass:
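
Review bot: In the try block, `session['USER_AUTHORIZED']` is now the only source of the user id and `c.uo = UserObject(user.id)` dereferences it directly; the except clauses are not visible in this hunk, so please confirm that a missing or stale session entry ends in a login redirect or an authorization error rather than being reported as a form validation failure. `request.params` is still passed whole to `validator.to_python`, so a `uid` posted by an old cached form is simply ignored, which is the desired behaviour. A short comment above the `UserObject(user.id)` line stating that the id must come from the session would keep a later change from reintroducing the request parameter.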

Modified: base/trunk/mpulsweb/templates/usersettings/change_password.mako
===================================================================
--- base/trunk/mpulsweb/templates/usersettings/change_password.mako	2011-11-10 21:04:28 UTC (rev 5568)
+++ base/trunk/mpulsweb/templates/usersettings/change_password.mako	2011-11-10 21:15:29 UTC (rev 5569)
@@ -56,7 +56,6 @@
   % endif
 </div>
 <div>
-  <input type="hidden" name="uid" value="${h.getUserId()}">
   <label class="import_label" for="passwd2"><strong class="import_number">4. </strong>Neues Passwort speichern:</label>
   <input id="account_pw_sub" class="btn_space" type="submit" value="${_('Save')}">
 </div>
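
Review bot: With the hidden `uid` input removed from this `<div>`, check that no other form or script in the usersettings templates still relies on `h.getUserId()` to post the id, since this action no longer reads it. Separately, in the context lines the label's `for="passwd2"` does not match the submit button's id `account_pw_sub`, and the label text is hardcoded while the button value goes through `_('Save')`; both could be tidied in a follow-up.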


