1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/a74b0112995c/ Changeset: a74b0112995c User: dannon Date: 2015-01-13 21:36:10+00:00 Summary: Remove pointless user check preventing userA from requesting reset for userB. userA could just log out and then request a password reset for userB. Affected #: 1 file
diff -r 5e6da19ffd907f39afd795e5d43b306071556bad -r a74b0112995cd2ae396d0916a6e845b7709f9002 lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
@@ -1149,33 +1149,27 @@
 reset_user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email == email ).first()
 user = trans.get_user()
 if reset_user:
- if user and user.id != reset_user.id:
- # This doesn't make any sense because all they have to do is log
- # out and then try it again #TODO revisit why this exists.
- message = "You may only reset your own password."
+ prt = trans.app.model.PasswordResetToken( reset_user )
+ trans.sa_session.add( prt )
+ trans.sa_session.flush()
+ host = trans.request.host.split( ':' )[ 0 ]
+ if host == 'localhost':
+ host = socket.getfqdn()
+ reset_url = url_for( controller='user',
+ action="change_password",
+ token=prt.token, qualified=True)
+ body = PASSWORD_RESET_TEMPLATE % ( host, reset_url, reset_url )
+ frm = 'galaxy-no-reply@' + host
+ subject = 'Galaxy Password Reset'
+ try:
+ util.send_mail( frm, email, subject, body, trans.app.config )
+ trans.sa_session.add( reset_user )
+ trans.sa_session.flush()
+ trans.log_event( "User reset password: %s" % email )
+ except Exception, e:
 status = 'error'
- else:
- prt = trans.app.model.PasswordResetToken( reset_user )
- trans.sa_session.add( prt )
- trans.sa_session.flush()
- host = trans.request.host.split( ':' )[ 0 ]
- if host == 'localhost':
- host = socket.getfqdn()
- reset_url = url_for( controller='user',
- action="change_password",
- token=prt.token, qualified=True)
- body = PASSWORD_RESET_TEMPLATE % ( host, reset_url, reset_url )
- frm = 'galaxy-no-reply@' + host
- subject = 'Galaxy Password Reset'
- try:
- util.send_mail( frm, email, subject, body, trans.app.config )
- trans.sa_session.add( reset_user )
- trans.sa_session.flush()
- trans.log_event( "User reset password: %s" % email )
- except Exception, e:
- status = 'error'
- message = 'Failed to reset password: %s' % str( e )
- log.exception( 'Unable to reset password.' )
+ message = 'Failed to reset password: %s' % str( e )
+ log.exception( 'Unable to reset password.' )
 return trans.fill_template( '/user/reset_password.mako', message=message, status=status )
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
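Review bot: The reset mail is built from the request's own Host value, which matters more now that anyone may request a reset for any address: `host = trans.request.host.split( ':' )[ 0 ]` feeds the body and the `galaxy-no-reply@` sender, and `url_for( ..., qualified=True )` presumably takes the link's host from the same request. Unless something in front of the application pins the Host header (not visible in this hunk), a forged value would end up in the link mailed to the account owner, so both should come from a configured canonical hostname instead. The `except` branch sits inside `if reset_user:`, so its message appears only for addresses that exist and echoes the mail error; `message = 'Failed to send the reset email.'` with the detail left to `log.exception` would avoid both. `user = trans.get_user()` looks unused after this change, though the enclosing function begins outside the hunk.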