From 743cceecb30936768923d424d6f8b5d8f0ab0b57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Wed, 5 Feb 2020 07:39:59 +0100
Subject: [PATCH] [32178] Don't use flash in rendering change password form

https://community.openproject.com/wp/32178
---
 app/controllers/account_controller.rb | 2 +-
 app/controllers/concerns/user_password_change.rb | 1 -
 app/views/my/password.html.erb | 1 +
 spec/controllers/account_controller_spec.rb | 4 +---
 4 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 880b1515dd..a52d801faf 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -250,7 +250,7 @@ class AccountController < ApplicationController
   # When making changes here, also check MyController.change_password
   def change_password
     # Retrieve user_id from session
-    @user = User.find(flash[:_password_change_user_id])
+    @user = User.find(params[:password_change_user_id])

     change_password_flow(user: @user, params: params, show_user_name: true) do
       password_authentication(@user.login, params[:new_password])
diff --git a/app/controllers/concerns/user_password_change.rb b/app/controllers/concerns/user_password_change.rb
index f369b4f6f1..3d8bfdf84c 100644
--- a/app/controllers/concerns/user_password_change.rb
+++ b/app/controllers/concerns/user_password_change.rb
@@ -81,7 +81,6 @@ module Concerns::UserPasswordChange

   def render_password_change(user, message, show_user_name: false)
     flash[:error] = message unless message.nil?
-    flash[:_password_change_user_id] = user.id
     @user = user
     @username = user.login
     render 'my/password', locals: { show_user_name: show_user_name }
diff --git a/app/views/my/password.html.erb b/app/views/my/password.html.erb
index deb89b1230..eb2105f931 100644
--- a/app/views/my/password.html.erb
+++ b/app/views/my/password.html.erb
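Review bot: The comment `# Retrieve user_id from session` directly above the changed line in `change_password` is now wrong: the id arrives in a request parameter that the client fills in, not in session-backed flash. Replace it with `# User id comes from the hidden field on the password form and is client-supplied; the flow below must authenticate the submitted current password against this user before changing anything.` Whether `change_password_flow` actually checks the current password against `@user` is outside this hunk, but once the id is no longer server-side that check is the only thing binding the request to the account, so it deserves a stated assumption here. `User.find` raises `ActiveRecord::RecordNotFound` for a missing or blank id, which surfaces as a not-found response rather than a redirect to the form; if that is intended, say so. The body of `change_password` continues past the hunk.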
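Review bot: `flash[:error] = message unless message.nil?`, the first body line of `render_password_change`, still writes to the persistent flash even though the method ends with `render`, so the error message survives into the following request as well. The render-scoped form is `flash.now[:error] = message unless message.nil?`, which matches this commit's aim of not leaning on flash for this render path. The method's closing `end` lies outside the hunk.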
@@ -34,6 +34,7 @@ See docs/COPYRIGHT.rdoc for more details.
 <%= styled_form_tag({ action: :change_password }, { autocomplete: 'off', class: 'form -wide-labels' }) do %>
   <%= back_url_hidden_field_tag %>
+  <%= hidden_field_tag :password_change_user_id, @user.id %>
   <%= render partial: 'my/password_form_fields', locals: { show_user_name: !!(defined? show_user_name) ? show_user_name : nil,
diff --git a/spec/controllers/account_controller_spec.rb b/spec/controllers/account_controller_spec.rb
index 7b137ec8db..c9164a1751 100644
--- a/spec/controllers/account_controller_spec.rb
+++ b/spec/controllers/account_controller_spec.rb
@@ -421,10 +421,8 @@ describe AccountController, type: :controller do
   describe "User who is not allowed to change password can't login" do
     before do
       post 'change_password',
-           flash: {
-             _password_change_user_id: admin.id
-           },
            params: {
+             password_change_user_id: admin.id,
              username: admin.login,
              password: 'adminADMIN!',
              new_password: 'adminADMIN!New',
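Review bot: The added hidden field dereferences `@user.id` unconditionally, so every action that renders `my/password` now has to set `@user`; the `render_password_change` helper in this commit does, but a direct render of this template from another action would fail on nil. Either guard it, `<%= hidden_field_tag :password_change_user_id, @user.id if @user %>`, or add a comment at the top of the template stating that `@user` is required. Because the value makes a round trip through the browser, the receiving action must treat it as an untrusted lookup key, not as proof of identity; the `password` parameter sent alongside it (visible in the spec hunk) is what should authorise the change. The surrounding `styled_form_tag` block ends outside the hunk.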
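Review bot: With `password_change_user_id` now read from params, this `before` block only covers the consistent case where the id, `username` and `password` all belong to `admin`; nothing exercises an id that does not match the submitted credentials, or an id that does not exist. Add a sibling example that posts `password_change_user_id: other_user.id` together with `admin`'s credentials and expects the password change to be refused, and one with a non-existent id that pins whatever response the controller is meant to give (the `User.find` in `AccountController#change_password` raises on a missing record). The enclosing `before` block and `describe` continue past the hunk.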