Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#27840 closed Bug (fixed)

Password reset: `post_reset_login` throws KeyError if user already logged in

Reported by: Quentin Marlats
Owned by: Markus Holtermann
Component: contrib.auth
Version: 1.11
Severity: Release blocker
Keywords: auth
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When the option post_reset_login of PasswordResetConfirmView is set to True, it throws KeyError when the user is already logged in. I think you should check if the user is not already logged in before logging him in to avoid this error.

Change History (5)

comment:1 by Markus Holtermann, 7 years ago

Owner: changed from nobody to Markus Holtermann
Severity: Normal → Release blocker
Status: new → assigned
Triage Stage: Unreviewed → Accepted

Traceback (most recent call last):
  File "/usr/lib64/python3.5/unittest/case.py", line 58, in testPartExecutor
    yield
  File "/usr/lib64/python3.5/unittest/case.py", line 600, in run
    testMethod()
  File "/home/markus/Coding/django/tests/auth_tests/test_views.py", line 338, in test_confirm_login_post_reset
    response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'})
  File "/home/markus/Coding/django/tests/auth_tests/client.py", line 41, in post
    return super(PasswordResetConfirmClient, self).post(redirect_url, *args, **kwargs)
  File "/home/markus/Coding/django/django/test/client.py", line 548, in post
    secure=secure, **extra)
  File "/home/markus/Coding/django/django/test/client.py", line 350, in post
    secure=secure, **extra)
  File "/home/markus/Coding/django/django/test/client.py", line 416, in generic
    return self.request(**r)
  File "/home/markus/Coding/django/django/test/client.py", line 501, in request
    six.reraise(*exc_info)
  File "/home/markus/Coding/django/django/utils/six.py", line 686, in reraise
    raise value
  File "/home/markus/Coding/django/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/home/markus/Coding/django/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/home/markus/Coding/django/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/markus/Coding/django/django/views/generic/base.py", line 68, in view
    return self.dispatch(request, *args, **kwargs)
  File "/home/markus/Coding/django/django/utils/decorators.py", line 67, in _wrapper
    return bound_func(*args, **kwargs)
  File "/home/markus/Coding/django/django/views/decorators/debug.py", line 76, in sensitive_post_parameters_wrapper
    return view(request, *args, **kwargs)
  File "/home/markus/Coding/django/django/utils/decorators.py", line 63, in bound_func
    return func.__get__(self, type(self))(*args2, **kwargs2)
  File "/home/markus/Coding/django/django/utils/decorators.py", line 67, in _wrapper
    return bound_func(*args, **kwargs)
  File "/home/markus/Coding/django/django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/home/markus/Coding/django/django/utils/decorators.py", line 63, in bound_func
    return func.__get__(self, type(self))(*args2, **kwargs2)
  File "/home/markus/Coding/django/django/contrib/auth/views.py", line 465, in dispatch
    return super(PasswordResetConfirmView, self).dispatch(*args, **kwargs)
  File "/home/markus/Coding/django/django/views/generic/base.py", line 88, in dispatch
    return handler(request, *args, **kwargs)
  File "/home/markus/Coding/django/django/views/generic/edit.py", line 183, in post
    return self.form_valid(form)
  File "/home/markus/Coding/django/django/contrib/auth/views.py", line 497, in form_valid
    del self.request.session[INTERNAL_RESET_SESSION_TOKEN]
  File "/home/markus/Coding/django/django/contrib/sessions/backends/base.py", line 64, in __delitem__
    del self._session[key]
KeyError: '_password_reset_token'

comment:2 by Markus Holtermann, 7 years ago

Has patch: set

comment:3 by Tim Graham, 7 years ago

Triage Stage: Accepted → Ready for checkin

comment:4 by Markus Holtermann <info@…>, 7 years ago

Resolution: fixed
Status: assigned → closed

In b9b35f9e:

Fixed #27840 -- Fixed KeyError in PasswordResetConfirmView.form_valid().

When a user is already logged in when submitting the password and
password confirmation to reset a password, a KeyError occurred while
removing the reset session token from the session.

Refs #17209

Thanks Quentin Marlats for the report and Florian Apolloner and Tim
Graham for the review.

comment:5 by Markus Holtermann <info@…>, 7 years ago

In f5ff5be2:

[1.11.x] Fixed #27840 -- Fixed KeyError in PasswordResetConfirmView.form_valid().

When a user is already logged in when submitting the password and
password confirmation to reset a password, a KeyError occurred while
removing the reset session token from the session.

Refs #17209

Thanks Quentin Marlats for the report and Florian Apolloner and Tim
Graham for the review.
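
The failure in this ticket, as an added example that is not part of the ticket or of Django's code: a dict-backed stand-in session shows why deleting the reset token after the post-reset login raises KeyError for an already logged-in user, and why consuming the token first does not. The Session class, login(), both form_valid_* functions, the _auth_user_id key, the statement order and the flush-on-login behaviour are assumptions of this sketch; only the _password_reset_token key comes from the traceback.

```python
# Added illustration: a dict-backed stand-in for the session, not Django code.
INTERNAL_RESET_SESSION_TOKEN = "_password_reset_token"  # key from the traceback
SESSION_KEY = "_auth_user_id"  # assumed key holding the logged-in user's id


class Session(dict):
    def flush(self):
        """Drop all session data, as a login-time session reset would."""
        self.clear()


def login(session, user_id):
    """Assumed model: logging in over an authenticated session flushes it."""
    if SESSION_KEY in session:
        session.flush()
    session[SESSION_KEY] = user_id


def form_valid_before(session, user_id, post_reset_login=True):
    """Assumed failing order: log in first, then delete the reset token."""
    if post_reset_login:
        login(session, user_id)
    del session[INTERNAL_RESET_SESSION_TOKEN]  # KeyError if login() flushed


def form_valid_after(session, user_id, post_reset_login=True):
    """One tolerant order: consume the reset token first, then log in."""
    del session[INTERNAL_RESET_SESSION_TOKEN]
    if post_reset_login:
        login(session, user_id)


def run(form_valid, already_logged_in):
    """Return 'ok' or 'KeyError' for one reset submission (constructed input)."""
    session = Session({INTERNAL_RESET_SESSION_TOKEN: "constructed-token"})
    if already_logged_in:
        session[SESSION_KEY] = 7
    try:
        form_valid(session, user_id=7)
    except KeyError:
        return "KeyError"
    # The single-use reset token must not outlive a successful reset.
    assert INTERNAL_RESET_SESSION_TOKEN not in session
    return "ok"


if __name__ == "__main__":
    for fv in (form_valid_before, form_valid_after):
        print(fv.__name__, [run(fv, li) for li in (False, True)])
```
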
