Ticket #11054 (closed Bug: fixed)

Opened 17 months ago

Last modified 12 months ago

Unauthorized Exception when resetting password for non-existing user

Reported by: lzdych Owned by:
Priority: minor Milestone: 4.0.1
Component: Infrastructure Keywords: TuneUp36
Cc: naro

Description

The user gets an Unauthorized exception if he makes a typo when entering the email address on the password reset page, so he has no chance to be told that he entered the email address of a non-existing user.

Attachments

mail_password.py (547 bytes) - added by lzdych 16 months ago.
Quick workaround is to customize mail_password.py script like this.

Change History

comment:1 Changed 17 months ago by lzdych

This happens because exception's error string isn't accessible in the python script due to security checks.

    Traceback (innermost last):
      Module ZPublisher.Publish, line 127, in publish
      Module ZPublisher.mapply, line 77, in mapply
      Module ZPublisher.Publish, line 47, in call_object
      Module Products.CMFCore.FSPythonScript, line 130, in __call__
      Module Shared.DC.Scripts.Bindings, line 324, in __call__
      Module Shared.DC.Scripts.Bindings, line 361, in _bindAndExec
      Module Products.PythonScripts.PythonScript, line 344, in _exec
      Module script, line 6, in mail_password
       - <FSPythonScript at /portal/mail_password>
       - Line 6
      Module AccessControl.ImplPython, line 729, in guarded_getattr
      Module AccessControl.ImplPython, line 671, in aq_validate
      Module AccessControl.ImplPython, line 565, in validate
      Module AccessControl.ImplPython, line 335, in validate
      Module AccessControl.ImplPython, line 810, in raiseVerbose
    Unauthorized: The container has no security assertions. Access to 'message' of ValueError('The username you entered could not be found',) denied.
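The failure in the traceback above, modelled as an added example (this is not Plone's mail_password.py nor Zope's AccessControl; the guard and the registration tool below are simplified stand-ins assumed here): a restricted script that reads an attribute of the caught ValueError is denied by the guard, because an exception instance carries no security assertions, whereas a handler that converts the exception to a string and builds its message once works for every ValueError the tool raises, including the user-without-email case raised in comment:6.

```python
"""Toy model of 'Unauthorized when reading e.message in a restricted script'.

Added illustration only: RegistrationTool, guarded_getattr and Unauthorized
are hypothetical stand-ins for portal_registration.mailPassword,
AccessControl.guarded_getattr and AccessControl.Unauthorized.
"""


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


def guarded_getattr(obj, name):
    """Simplified model of AccessControl.guarded_getattr.

    Real Zope consults security declarations on the object and its
    container; here the only thing that grants access is the marker
    attribute __allow_access_to_unprotected_subobjects__ on the type.
    A plain exception instance has no such marker, so every attribute
    read on it is denied, exactly like 'message' in the traceback.
    """
    if not getattr(type(obj), "__allow_access_to_unprotected_subobjects__", 0):
        raise Unauthorized(
            "The container has no security assertions. "
            "Access to %r of %r denied." % (name, obj)
        )
    return getattr(obj, name)


class RegistrationTool:
    """Hypothetical stand-in for portal_registration (constructed data)."""

    def __init__(self, users):
        self.users = users  # userid -> email address, '' when none on file

    def mailPassword(self, userid):
        if userid not in self.users:
            raise ValueError("The username you entered could not be found")
        if not self.users[userid]:
            # the failure mode do3cc ran into: a user with no valid address
            raise ValueError("That user does not have an email address.")
        return "Mail sent to %s" % self.users[userid]


def mail_password_buggy(tool, userid):
    """Handler as in the ticket: reads an attribute of the exception.

    In the restricted script every attribute access goes through the guard.
    The Python 2 script read e.message; 'args' is the Python 3 equivalent,
    and the guard denies it for the same reason (no security assertions).
    """
    try:
        return tool.mailPassword(userid)
    except ValueError as e:
        return guarded_getattr(e, "args")[0]


def mail_password_fixed(tool, userid):
    """Handler that never touches the exception's attributes.

    str(e) is a safe builtin call, not an attribute access, so it works for
    any ValueError the tool raises. The message is built once and reused for
    both the portal message and the return value (the point of comment:9).
    """
    try:
        return tool.mailPassword(userid)
    except ValueError as e:
        msg = str(e)
        portal_message = msg  # would be addPortalMessage(msg) in Plone
        return portal_message


def run_scenarios():
    """Run both handlers over constructed users; returns a dict of outcomes."""
    tool = RegistrationTool({"alice": "alice@example.org", "bob": ""})
    results = {}
    for uid in ("alice", "nosuchuser", "bob"):
        try:
            results[("buggy", uid)] = mail_password_buggy(tool, uid)
        except Unauthorized as exc:
            results[("buggy", uid)] = "Unauthorized: %s" % exc
        results[("fixed", uid)] = mail_password_fixed(tool, uid)
    return results


if __name__ == "__main__":
    for key, value in sorted(run_scenarios().items()):
        print("%-22s %s" % ("%s/%s:" % key, value))
```

Only the existing user succeeds under the buggy handler; both error paths end in Unauthorized, which is why the user never sees the real reason. Note the trade-off the ticket accepts: echoing the exact reason back confirms to an anonymous caller which usernames exist, so a site that cares about enumeration would map both ValueErrors to one neutral message instead of str(e).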

comment:2 Changed 17 months ago by kleist

  • Component changed from Unknown to Infrastructure

comment:3 Changed 17 months ago by naro

  • Cc naro added

comment:4 Changed 17 months ago by kleist

related to #9744 ?

comment:5 Changed 16 months ago by naro

Another related bug ? #9743

Changed 16 months ago by lzdych

Quick workaround is to customize mail_password.py script like this.

comment:6 Changed 16 months ago by do3cc

This is a more generic problem. The error handling can trigger Exceptions in various ways. I personally stepped over this issue with a user that does not have a valid email address.

The RestrictedPython code is funny and lies to you when you go through it with a debugger, so I gave that one up. My first error was the same as described here: #9743 . But this is related to a Zope bug which has been fixed today, and will hopefully be in zope 2.12.13. Here is the Launchpad URL:  https://bugs.launchpad.net/zope2/+bug/659968

The workaround by lzdych would tell my people that they don't exist if they did not provide a valid mail address.

comment:7 Changed 16 months ago by do3cc

  • Status changed from new to closed
  • Resolution set to fixed

(In [40657]) More careful error handling. This fixes #11054

comment:8 Changed 16 months ago by jessilfp

  • Keywords TuneUp36 added

comment:9 Changed 12 months ago by datakurre

I'm sorry for commenting on an old ticket, but I don't understand why line 15/25 in [40657]:

    context.plone_utils.addPortalMessage(pmf(e.message)) 

doesn't use the carefully generated msg, e.g.

    context.plone_utils.addPortalMessage(msg) 

but is still allowed to raise the same exception.

comment:10 Changed 12 months ago by do3cc

There is no good reason. I changed it. Thanks for noticing!
