ignore auth checks on loading user details during password resets, ck…

…an#5185
qld-gov-au · Nov 30, 2020 · 437b6bb · 437b6bb
1 parent c04b6d6
commit 437b6bb
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/ckan/views/user.py b/ckan/views/user.py
@@ -595,10 +595,12 @@ def _prepare(self, id):
         except logic.NotAuthorized:
             base.abort(403, _(u'Unauthorized to reset password.'))
 
+        context[u'ignore_auth'] = True
         try:
             user_dict = logic.get_action(u'user_show')(context, {u'id': id})
         except logic.NotFound:
             base.abort(404, _(u'User not found'))
+        del context[u'ignore_auth']
         user_obj = context[u'user_obj']
         g.reset_key = request.params.get(u'key')
         if not mailer.verify_reset_link(user_obj, g.reset_key):