[#1178] perform_reset uses the received id as the context's user

When performing a password reset, the user is probably (always?) not logged in. So c.user is an empty string. So, the auth functions have no way to tell which user is trying to reset his/her password. This worked fine before, because everyone was able to reset the password. But now that we've got users in DELETED state, it's not the case anymore.
ckan · Aug 15, 2013 · 59e6a74 · 59e6a74
1 parent 11011e0
commit 59e6a74
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/ckan/controllers/user.py b/ckan/controllers/user.py
@@ -447,17 +447,16 @@ def perform_reset(self, id):
         # FIXME We should reset the reset key when it is used to prevent
         # reuse of the url
         context = {'model': model, 'session': model.Session,
-                   'user': c.user or id,
+                   'user': id,
                    'keep_sensitive_data': True}
 
-        data_dict = {'id': id}
-
         try:
             check_access('user_reset', context)
         except NotAuthorized:
             abort(401, _('Unauthorized to reset password.'))
 
         try:
+            data_dict = {'id': id}
             user_dict = get_action('user_show')(context, data_dict)
 
             # Be a little paranoid, and get rid of sensitive data that's