Another issue with user activation?

(Balázs Nagy) #1

When you register but don’t act on the user activation email, the only way to solve the issue is by logging in to the forum and requesting a new activation email, as it’s well defined in SessionController#create. However, the appropriate response handler (SessionController#not_activated) returns the user email only (both versions, where the activation email is sent and the current one).

Now when people log in, they can use their local username or email address. If you log in with your email address just to realize you haven’t activated your account, the JavaScript side will think your username is your email address.

I don’t know how deep this rabbit hole is, but the first line where it fails is the Rails router, where the constraint is that the username should consist of alphanumeric characters or underscores only.

I think the easiest fix would be to send the username along with the email addresses in SessionController#not_activated.

(Sam Saffron) #2

I am a bit confused, what are the exact steps to repro the issue?

(Balázs Nagy) #3
  1. register (it sends an activation mail)
  2. wait until the activation mail expires (if you can limit the expiration time to, let’s say, 5 minutes, it helps)
  3. log in with email address / password
  4. click on resend activation email link
  5. look at the Rails logs; you’ll get something like this:
Processing by SessionController#create as */*
  Parameters: {"login"=>"email@addr.ess", "password"=>"[FILTERED]"}
Completed 200 OK in 147ms (Views: 0.3ms | ActiveRecord: 11.2ms)
Started POST "/users/email@addr.ess/send_activation_email" for at 2014-09-23 19:20:38 +0000

ActionController::RoutingError (No route matches [POST] "/users/email@addr.ess/send_activation_email"):
  config/initializers/quiet_logger.rb:10:in `call_with_quiet_assets'
  config/initializers/silence_logger.rb:26:in `call'
  lib/middleware/unicorn_oobgc.rb:95:in `process_client'
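
The failure reported in posts #1 and #3, as an added example that is not part of the thread and is not Discourse's code: a small Ruby model of the login lookup, the not_activated response, and the username route constraint. The user record, payload keys, and method names are hypothetical; the constraint (alphanumerics or underscores only) and the path are taken from the posts.

```ruby
# Added illustration only. Names and payload keys are assumptions, not Discourse code.

# Route constraint as described in post #1: alphanumerics or underscores only.
ACTIVATION_ROUTE = %r{\A/users/(?<username>[A-Za-z0-9_]+)/send_activation_email\z}

User = Struct.new(:username, :email, :active)
USERS = [User.new("balazs_n", "email@addr.ess", false)].freeze # constructed sample

# Login accepts either the local username or the email address.
def find_by_login(login)
  USERS.find { |u| u.username == login || u.email == login }
end

# include_username: false models the reported behaviour (email only),
# true models the fix proposed in post #1.
def not_activated_payload(user, include_username:)
  payload = { error: "not_activated", sent_to_email: user.email }
  payload[:username] = user.username if include_username
  payload
end

# Client side: without a server-supplied username, the only identifier
# available is whatever was typed into the login field.
def resend_path(login, payload)
  "/users/#{payload.fetch(:username, login)}/send_activation_email"
end

def routable?(path)
  ACTIVATION_ROUTE.match?(path)
end

# Full flow for an inactive account: returns the path the client would
# POST to and whether the router would accept it.
def attempt_resend(login, include_username:)
  user = find_by_login(login)
  return nil if user.nil? || user.active
  payload = not_activated_payload(user, include_username: include_username)
  path = resend_path(login, payload)
  { path: path, routed: routable?(path) }
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |fix|
    puts "include_username=#{fix}: #{attempt_resend('email@addr.ess', include_username: fix)}"
  end
end
```

Logging in with the username happens to work either way, which is why the problem only shows up for email logins.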

(Jeff Atwood) #4

If you can repro @sam this should definitely be fixed.

(Sam Saffron) #5


(Sam Saffron) #6