Singing & Dancing

When using "Use single form subscription page" - User email leaks into the default text of "E-mail address" in subscribe.html for all sessions after user manages subscription

Bug #924124 reported by Adam Terrey
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Singing & Dancing
New
Undecided
Unassigned

Bug Description

When using "Use single form subscription page" - User email leaks into the default text of "E-mail address" in subscribe.html for all sessions after user manages subscription

To recreate
 - Create a single mailing-list with a collector
 - Set the global settings to "Use single form subscription page"
 - subscribe an email in the /portal_newsletters/channels/----my-mailing-list-name----/subscribe.html
 - confirm subscription from the email
 - edit existing subscriptions through the /portal_newsletters/sendsecret.html form
 - click on the "Manage your subscriptions" in the email sent
 - click "Apply" in the "My subscriptions" form

the user's email is then visible as the default text of the "E-mail address" field even on reload of the form /portal_newsletters/channels/---my-mailing-list-name---/subscribe.html

Version Overview
    Plone 4.1.3 (4112)
    CMF 2.2.4
    Zope 2.13.10
    Python 2.6.6 (r266:84292, Mar 25 2011, 19:36:32) [GCC 4.5.2]
    collective.dancing 0.9.9

Revision history for this message
Daniel Nouri (daniel.nouri) wrote :

This is happening in your Varnish or whatever reverse proxy you have set up to do caching. I assume that it should be enough to configure the system not to cache responses to POST requests. (Since the text seems to appear after you click "Apply", i.e. probably a POST form action.)

Please reopen if you believe that this is not the issue.

Changed in singing-dancing:
status: New → Invalid
Revision history for this message
Adam Terrey (arterrey+launchpad) wrote :

This was my first thought, but it is not the case because I can replicate it on my machine directly accessing the Zope instance.

Changed in singing-dancing:
status: Invalid → New
Revision history for this message
Adam Terrey (arterrey+launchpad) wrote :

this is as far as I got with the trace back

in the portlet code in PortletSubscriptionAddForm.update() ...

> collective/dancing/browser/portlets/channelsubscribe.py(156)update()
-> super(PortletSubscriptionAddForm, self).update()
(Pdb) list
151 def newslettertool(self):
152 return getToolByName(self.context, 'portal_newsletters')
153
154 def update(self):
155 import pdb;pdb.set_trace()
156 -> super(PortletSubscriptionAddForm, self).update()
157 self.channel_id = self.context.id
158
159 if self.context.collector is not None:
160 stored_values = self.stored_values
161 collector_schema = self.context.collector.schema

self.widgets gets assigned somewhere in the super(...) call, but there is so much indirection here, I'm not able to effectively trace down the part which assigns the default value to welf.widgets["composer.email"].value

-> super(PortletSubscriptionAddForm, self).update()
(Pdb) n
> /home/adam/var/buildout-cache/eggs/collective.dancing-0.9.9-py2.6.egg/collective/dancing/browser/portlets/channelsubscribe.py(157)update()
 -> self.channel_id = self.context.id

(Pdb) self.widgets["composer.email"].value
<email address hidden>'

Revision history for this message
tmog (mogensen) wrote :

Problem was subscribers email being set as default value on the collectors schema when accessing my-subscriptions.html with a valid secret. Proper brain fart.

Fix and regression test committed in #248820

Revision history for this message
Marek Kralewski (mck9) wrote :

Great. I was also biten by this bug. Do you know when a new version ist beeing released?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.