[Mpuls-commits] r5570 - base/trunk/mpulsweb/controllers
scm-commit@wald.intevation.org
Fri Nov 11 17:10:39 CET 2011
Author: bh
Date: 2011-11-11 17:10:38 +0100 (Fri, 11 Nov 2011)
New Revision: 5570
Modified:
base/trunk/mpulsweb/controllers/usersettings.py
Log:
Do not pass the user id as a hidden input field to changePasswordOnLoginAction.
All actions in UsersettingsController are only used to operate on the
user currently logged in, so there's no need to pass in the id of the
user whose settings are to be changed. It's probably not a security
problem in the specific case of the changePasswordOnLoginAction because
ultimately the database will not allow changing another user's password.
This commit fixes the usersettings part of mpuls/issue2367
Modified: base/trunk/mpulsweb/controllers/usersettings.py
===================================================================
--- base/trunk/mpulsweb/controllers/usersettings.py 2011-11-10 21:15:29 UTC (rev 5569)
+++ base/trunk/mpulsweb/controllers/usersettings.py 2011-11-11 16:10:38 UTC (rev 5570)
@@ -112,7 +112,7 @@
validator = NewPasswordForm()
try:
form_result = validator.to_python(request.params)
- uo = UserObject(form_result.get('uid'))
+ uo = UserObject(h.getUserId())
new_pass = uo.setPassword(form_result.get('passwd'))
if new_pass:
# Save new password in the session
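Review bot: The line "uo = UserObject(h.getUserId())" stops reading 'uid', but "validator.to_python(request.params)" two lines above it still validates whatever the client submits, so if NewPasswordForm or the form template still declares 'uid', it should be removed in the same change. Otherwise the hidden field keeps travelling with the request and a later edit could start trusting it again. Also in that line, the result of h.getUserId() goes straight into UserObject and then setPassword with no check, so it is worth confirming that this action cannot be reached with a session where h.getUserId() returns an empty value, and failing explicitly if it can.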