proposed fix for bug #20491: users cannot change their passwords?

[boud]

hi samizdat-devel,

Here's a hack which i think fixes the password change bug #20491
https://savannah.nongnu.org/bugs/?20491

The change in application_helper.rb - action_token_key is clearly 
a hack - a better solution would be in member_controller, but
i didn't want to mess around with member_controller too much.

IMHO the problem is confusion in the 2-stage process of "change":

1. "index" method and @request.route = member - presents a form for
the user to change his/her password (or other member parameters) with
the

2. the "change" method and @request.route = member/change - checks the
data, checks for the action_token against cross-scripting attacks, and
then does the change

The problem in 070618-1 is that the action_confirmed? script 
compares tokens from member and member/change and finds that something
is different and so rejects the attempted change.

The hack in application_helper.rb:

   def action_token_key
-    %{action_token/address@hidden@request.route}}
+    
%{action_token/address@hidden@request.route}}.sub("/member/change","/member")
   end

is one way of hacking around this.


i've also made a change in member_controller, since despite the
recommendation to users to press the 'back' button, some users might
decide to log out after changing their password, without bothering to
use the back button since they see a logout prompt already.  In the 
absence of this change, something goes wrong and seems to cause an 
infinite URI redirect.  Hence the change in member_controller shifts
the feedback page to a separate method "changed_ok".


patch: https://savannah.nongnu.org/bugs/download.php?file_id=13575

cheers
boud