We found some users on my client's wholesale site able to circumvent the activation on their account. Running latest version of customer activation extension. we are running magento 126.96.36.199
Steps to reproduce:
Quick status update:
Inspecting the code of the Mage_Customer_AccountController::resetPasswordPostAction() it apears the method has changes in Magento 1.7.
So the issue only exists on Magento 1.6 and older.
Attempt to solve #37. Needs to be tested on 1.6 though.
Please try the fix in the latest version and let me know if it works for you.
I've only got newer Magento instances to test the code on, and there the fix isn't needed.
many thanks. I will check this week. Thanks for such fast feedback on the issue :)
This doesn't work I'm afraid - most likely due to the fact that the resetPasswordPostAction function does a redirect, so your observer never gets called.
The _redirect() method call just seta a few headers on the response object it has no influence on the postDispatch method being called, where the post dispatch event is triggered.
The redirect headers are later sent by the front controller after the action controller has completed.
I guess the I might have gotten the event code wrong or something.
aah ok. thanks for the clarification. I will look into it further. You said btw the resetPasswordPostAction function had changed. I compared the magento 188.8.131.52 and 184.108.40.206 version and I couldn't see any differences that would change this behaviour - I was wondering what the core code change is that is different on 1.7 if you knew.
Change action name part of postdispatch event name to lower case. Hop…
…efully takes care of #37 now for real
I couldn't see in this function even on 1.6 where the customer session is being set. so I assume it was in one of the class functions being called, unless I have just missed something obvious.
The problem was the following:
The resetpasswordpost action is specified in lower case in the template.
The method name in the PHP class is in CamelCase.
This works only because PHP method names are case insensitive.
The XML node names however are case sensitive.
So the action name part of the event code in the XML has to match what is used in the template file.
Please try again, the last commit should do the job now finally :)
yep. that fixes it thanks. Would still be interested in where the 1.6 -> 1.7 behaviour has changed in the code btw if you have an answer to that - just because I didn't spot it yet. Cheers.
Flesh out the previous commit regarding #37
It seems I was mistaken. Looking for the code that logged the customer in after the reset I had slipped into the editPostAction method.
That said, on a standard 220.127.116.11 Magento installation, customers are not automatically logged in after they reset their password.
I just installed a vanilla 18.104.22.168 to try to reproduct the issue.
No login after password reset.
You got to have some customization in place that caused that behavior in the first place.
I'll leave the event observer in place never the less, but I fleshed out the method a little (see the commit above).
Thanks for the additional info. I will attempt to work out what is causing this.
Will apreciate any update on the issue here! Its always good to know why something is happening!