Reset Password link is not working

Created on 21 March 2023, almost 2 years ago
Updated 18 May 2023, over 1 year ago

Problem/Motivation

We are getting following error :
TypeError: Drupal\shy_one_time\Controller\ShyController::resetPass(): Return value must be of type Symfony\Component\HttpFoundation\RedirectResponse, none returned in Drupal\shy_one_time\Controller\ShyController->resetPass() (line 89 of modules\contrib\shy_one_time\src\Controller\ShyController.php).

Steps to reproduce

We are using Drupal version 9.5.2 & contrib module username_enumeration_prevention

🐛 Bug report
Status

Fixed

Version

1.0

Component

Code

Created by

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Hi,

    I created 1 patch for it.

  • 🇬🇧United Kingdom philipnorton42 Cheshire

    I see this problem too.

    The above patch does solve the issue, but the code contains other issues that cause more crashes. For example, the `$this->userStorage` property is called, but that property is never set so the page crashes if the user reaches that code.

    I wonder if a better approach might be to decorate or extend the original UserController here? Most of the code in the ShyController is using code from that controller and that would mean that the ShyController only needs to reject the request or call the parent UserController resetPass action.

    I'll give this a go.

  • Open on Drupal.org →
    Core: 9.5.x + Environment: PHP 7.4 & MySQL 5.7
    last update over 1 year ago
    Waiting for branch to pass
  • @philipnorton42 opened merge request.
  • Status changed to Needs review over 1 year ago
  • Open on Drupal.org →
    Core: 9.5.x + Environment: PHP 7.4 & MySQL 5.7
    last update over 1 year ago
    Waiting for branch to pass
  • 🇬🇧United Kingdom philipnorton42 Cheshire

    Created an MR with the proposed change.

    Marking as ready for review.

  • 🇩🇪Germany zcht

    @philipnorton42 Thank you for the patch, however, this one leverages the primary mechanic. Initially, when the module was still an alpha version, the UserController class was also extended. However, this is not allowed to happen, as a team member from the security team informed me at the time. Attached is his explanation from back then.

    As Drupal 8 and 9 backwards compatibility and internal API policy (backend) says, database schema for core modules, HTTP headers, automated test classes, controller and form classes, plugins, entity handlers, parameter converters, access checkers, event subscribers, and hook implementations should always be treated as internal.
    For classes, this means they cannot be extended from a class implemented by contributed code, except in the case of base classes like the ConfigBase class. For hooks, it means contributed code cannot call a hook implemented by a Drupal core module directly.

  • 🇬🇧United Kingdom philipnorton42 Cheshire

    That's interesting, thanks for the update @zcht.

    In that case there are two options:
    - We copy and paste the entire codebase from the UserController module into the ShyController controller.
    - We select another mechanism to perform this check. I'm thinking that instead of using the controller to return an access denied we do this through an event listener.

    I was looking at event listeners the other day and one to perform this action should be pretty simple to write (I think!).

    I'll revert that code and have another go at it.

  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.x + Environment: PHP 7.4 & MySQL 5.7
    15:26
    35:13
    Running
  • 🇬🇧United Kingdom philipnorton42 Cheshire

    Hi @zcht,

    I have updated the MR with an event subscriber approach to this issue. As this removes the need for the ShyController I have removed that from the codebase.

    I have never used the passwordless login module before, but I'm assuming that these changes would also negate the need for that controller. I've left it alone for now, but I'd be interested to hear what you think.

  • Status changed to Fixed over 1 year ago
  • 🇩🇪Germany zcht

    Thanks @philipnorton42, yes find the approach also good and more generic it is too. I'm so happy to take over the patch and make a new release right away. Thanks for the work.

  • Status changed to Fixed over 1 year ago
  • 🇬🇧United Kingdom philipnorton42 Cheshire

    I know this is closed, but I just wanted to thank you very much for releasing a new version of the module so quickly. I really appreciate it.

  • 🇩🇪Germany zcht

    no problem and gladly, thank you for the work and support of the project. :)

Production build 0.71.5 2024