Closed GoogleCodeExporter closed 9 years ago
I have committed your proposal to the trunk.
Original comment by david.ru...@gmail.com
on 15 Jul 2009 at 9:05
You can't do that, because if I'm a new user I have to be able to validate my email without logging in! Right?
Original comment by wsart...@gmail.com
on 10 Aug 2009 at 7:56
E-mail validation (/accounts/email/validation) is used to change your account's e-mail, so you have to be logged in to do so. It differs from e-mail verification when registering your account.
Original comment by gakos.ioannis@gmail.com
on 10 Aug 2009 at 11:50
No, you're wrong. If you look at urls.py (en or es) you'll find that the link sent by email uses the view email_validation_process(request, key). This view can't have the login_required decorator. The other one is correct.
Original comment by wsart...@gmail.com
on 10 Aug 2009 at 11:55
Well, this might be another defect, if I understand right what you mean. What I see is that a guest user must not have permission to request e-mail validation while he does not have an active account.
Original comment by gakos.ioannis@gmail.com
on 11 Aug 2009 at 12:32
Exactly... just remove the @login_required from email_validation_process and everything will be fine, without security problems.
Original comment by wsart...@gmail.com
on 11 Aug 2009 at 12:35
Could you point out some steps to reproduce the problem? I really cannot understand why this decorator could cause any security problems.
Original comment by gakos.ioannis@gmail.com
on 11 Aug 2009 at 12:46
1) Set REQUIRE_EMAIL_CONFIRMATION=True and configure the email settings in settings.py.
2) Sign up.
3) You'll receive an email with a link to activate an account (http://yourwebsite/accounts/email/<RANDOMCHARS>).
4) If you click the link you'll be redirected to the sign-in page, because of @login_required on the email_validation_process view.
I agree that the email_validation view needs you to be logged in to access it, but the link that you receive in the email can't be.
Original comment by wsart...@gmail.com
on 11 Aug 2009 at 1:00
Ok, now I've got what you mean. Although I don't think it's a security issue, and additionally I cannot remember any site confirming my email after registering and then redirecting me to my profile. After confirming, I always remember myself giving username & password. I think there is a reason for that: think about some stranger confirming your email (either in a netcafe where you forgot your browser open, or something else); you don't want him to be redirected to your profile, he will be asked for username and password.
Original comment by gakos.ioannis@gmail.com
on 11 Aug 2009 at 6:50
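The two flows argued about in the comments above, as an added example that is not part of the original thread or of the project's code: a framework-free model of the logged-in "change my e-mail" endpoint (the page's /accounts/email/validation) next to the endpoint behind the emailed link (email_validation_process). The second one is reachable without a session because the random key in the URL is the only authenticator, and, as the last comment argues, confirming does not log anybody in. Function names, the in-memory store, the 256-bit token and the one-day lifetime are assumptions made for the illustration.

```python
"""Added illustration of confirmation-link handling. Not the project's code;
names, storage layout and token lifetime are assumptions."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumption: emailed links expire after one day


class Store:
    """In-memory stand-in for the database."""
    def __init__(self):
        self.users = {}     # user_id -> {"email": str, "active": bool}
        self.pending = {}   # sha256(token) -> (user_id, email, expires_at)


def _digest(token: str) -> str:
    # Only a hash of the token is stored: a leaked table row must not
    # be enough to build a working confirmation link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(store, user_id, email, now=None):
    """Create a one-time confirmation token and return the raw value for the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable
    store.pending[_digest(token)] = (user_id, email, now + TOKEN_TTL_SECONDS)
    return token


def sign_up(store, email, now=None):
    """Anonymous flow: create an inactive account and hand back its activation token."""
    user_id = len(store.users) + 1
    store.users[user_id] = {"email": email, "active": False}
    return user_id, issue_token(store, user_id, email, now)


def request_email_change(store, session_user_id, new_email, now=None):
    """The endpoint that must stay login_required: only an authenticated
    session may start an e-mail change for its own account."""
    if session_user_id is None or session_user_id not in store.users:
        return {"ok": False, "reason": "login required"}
    return {"ok": True, "token": issue_token(store, session_user_id, new_email, now)}


def confirm_email(store, token, now=None):
    """The endpoint behind the emailed link (email_validation_process).
    No session is required, and none is created."""
    now = time.time() if now is None else now
    # pop() rather than get(): the token is single-use, and an expired
    # token is discarded as well so it cannot be retried later.
    entry = store.pending.pop(_digest(token), None)
    if entry is None:
        return {"ok": False, "reason": "unknown or already used token"}
    user_id, email, expires_at = entry
    if now > expires_at:
        return {"ok": False, "reason": "expired token"}
    user = store.users[user_id]
    user["email"] = email
    user["active"] = True
    # Deliberately no session here: clicking the link proves access to the
    # mailbox, not that the person at the keyboard is the account owner.
    return {"ok": True, "user_id": user_id, "session": None}


if __name__ == "__main__":
    db = Store()
    uid, link_token = sign_up(db, "alice@example.com")        # constructed sample
    print("anonymous confirm:", confirm_email(db, link_token))
    print("second use:", confirm_email(db, link_token))
    print("anonymous change request:", request_email_change(db, None, "x@example.com"))
```

The key-in-URL design is what makes the login_required decorator wrong on this view: the key already identifies and authorises exactly one pending confirmation, and the only things worth enforcing are single use and expiry. Anything the user should do as an authenticated account holder, such as starting a change of address, belongs on the other endpoint.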
The #c8 seems to make sense.
It shouldn't require login in the email_validation_process view.
Could you fix it, please?
Original comment by diegobz@gmail.com
on 20 Jan 2010 at 8:17
I confirm, I'll fix this.
Original comment by stephane.angel
on 3 Feb 2010 at 1:25
The bug introduced in revision r420 (when REQUIRE_EMAIL_CONFIRMATION=True) is fixed in revision r429 (which resolved the security problem discussed in issue #20).
Original comment by stephane.angel
on 3 Feb 2010 at 1:40
Original issue reported on code.google.com by
gakos.ioannis@gmail.com
on 13 Jul 2009 at 10:26