OTK generation was busted (thanks Stuart D. Gathman)

Richard Jones · Richard Jones · commit 00adc9c2e26c · 2004-03-31T23:08:39.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -7,6 +7,7 @@ Fixed:
 - MultiMapping deviated from the Zope C implementation in a number of
   places (thanks Toby Sargeant)
 - MySQL and Postgresql use BOOL/BOOLEAN for Boolean types
+- OTK generation was busted (thanks Stuart D. Gathman)
 
 
 2004-03-27 0.7.0b2
diff --git a/doc/index.txt b/doc/index.txt
@@ -79,6 +79,7 @@ Paul F. Dubois,
 Jeff Epler,
 Tom Epperly,
 Hernan Martinez Foffani,
+Stuart D. Gathman,
 Ajit George,
 Frank Gibbons,
 Johannes Gijsbers,
diff --git a/roundup/backends/sessions_dbm.py b/roundup/backends/sessions_dbm.py
@@ -1,4 +1,4 @@
-#$Id: sessions_dbm.py,v 1.4 2004-03-26 23:56:11 richard Exp $
+#$Id: sessions_dbm.py,v 1.5 2004-03-31 23:08:38 richard Exp $
 """This module defines a very basic store that's used by the CGI interface
 to store session and one-time-key information.
 
@@ -22,6 +22,13 @@ def __init__(self, db):
         # ensure files are group readable and writable
         os.umask(0002)
 
+    def exists(self, infoid):
+        db = self.opendb('c')
+        try:
+            return db.has_key(infoid)
+        finally:
+            db.close()
+
     def clear(self):
         path = os.path.join(self.dir, self.name)
         if os.path.exists(path):
diff --git a/roundup/backends/sessions_rdbms.py b/roundup/backends/sessions_rdbms.py
@@ -1,4 +1,4 @@
-#$Id: sessions_rdbms.py,v 1.1 2004-03-18 01:58:45 richard Exp $
+#$Id: sessions_rdbms.py,v 1.2 2004-03-31 23:08:39 richard Exp $
 """This module defines a very basic store that's used by the CGI interface
 to store session and one-time-key information.
 
@@ -21,6 +21,12 @@ def __init__(self, db):
     def clear(self):
         self.cursor.execute('delete from %ss'%self.name)
 
+    def exists(self, infoid):
+        n = self.name
+        self.cursor.execute('select count(*) from %ss where %s_key=%s'%(n,
+            n, self.db.arg), (infoid,))
+        return self.cursor.fetchone()[0]
+
     _marker = []
     def get(self, infoid, value, default=_marker):
         n = self.name
diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py
@@ -1,4 +1,4 @@
-#$Id: actions.py,v 1.21 2004-03-30 06:43:08 richard Exp $
+#$Id: actions.py,v 1.22 2004-03-31 23:08:39 richard Exp $
 
 import re, cgi, StringIO, urllib, Cookie, time, random
 
@@ -723,6 +723,7 @@ def handle(self):
             elif isinstance(proptype, hyperdb.Password):
                 props[propname] = str(value)
         otks = self.db.getOTKManager()
+        otk = ''.join([random.choice(chars) for x in range(32)])
         while otks.exists(otk):
             otk = ''.join([random.choice(chars) for x in range(32)])
         otks.set(otk, **props)
@@ -744,8 +745,8 @@ def handle(self):
 
 """ % {'name': props['username'], 'tracker': tracker_name, 'url': self.base,
         'otk': otk, 'tracker_email': tracker_email}
-        if not self.client.standard_message([props['address']], subject, body,
-        tracker_email):
+        if not self.client.standard_message([props['address']], subject,
+                body, tracker_email):
             return
 
         # commit changes to the database
