Orchard's Lost Password returning 302 and redirecting


We are experiencing some odd behaviour when attempting to POST to the Lost Password action on the Account Controller in Orchard.Users.

The important details

  • We are not directly using Orchard source code, we are using a compiled re-distributable and building modules that are deployed to the redist host, so direct debugging is a challenge.
  • We have tried this with the vanilla Orchard 1.8.1 (the version of our redist) so we can all but eliminate any of our module's code.
  • When POSTing the form we get back a 302 Moved response with the Location header set to /. This then ends up at the root rather than at the Success page or back at the Enter New Details password page. The user's password is not successfully changed.
  • Looking at the Account Controller in source shows that the only result that expressly returns the root is when the call IUserService.ValidateLostPassword(nonce) fails and return Redirect("~/"); is called.
  • Seeing as direct debugging is a little complex, we acquired a copy of the Controller from source and moved the action code and all related service call logic into an Orchard command for testing. This succeeded in changing a user's password and returning without error, using the nonce captured from the reset email.

So we suspect this may be a bug with Orchard itself, though it is more likely to be with our instance and its configuration, seeing as "Cannot change password" is a pretty expansive issue.

Anyone have any advice to offer? Known bugs that may apply?

Update 1:

Thank you Bertrand. We have not tried it with Orchard 1.9 yet, but did manage to get a completely clean 1.8 (as this is the version we are currently running out in the wild) from one of our repos (P.S. Are you aware that your GitHub repo branches go 1.4.x, 1.5.x, 1.9.x? No 1.8.x available. Anyway.) and this worked. The short version: we played around with what could be different and got it down to this: it works when our theme is off and doesn't when it is on.

A little digging showed that our FE guys have overridden the Lost Password view to match our business look. Here is what I found:

In the default Orchard view the form is started using:

@using (Html.BeginFormAntiForgeryPost()) { 

and ends up looking like

<form action="/OrchardLocal/Users/Account/LostPassword?nonce=Vc7ABvKcwfMO0jrRkJFxiBWoJzbdGAqQ7bbEgGySqlyAAKnHPTIkyhzG8nn%2FXJsqKkh6e9sreTnHx223BKFOs17gY%2FDWMggtCZw%2BSfz194Mviua5smhl5d%2FnACXCI%2BrdQaGcJj%2BjvoFE7m2OIiaX8w%3D%3D" method="post">

all fine and dandy. I presume that because the nonce came in as a query param on the GET, it is persisted to the POST by inference when calling the default BeginForm without any additional settings.

However, our override currently uses:

@using (Html.BeginFormAntiForgeryPost(Url.Action("LostPassword"), FormMethod.Post, new { @class = "form-lost-password" })) {

Here we specify some additional class for the needs of our theme and on the page we get:

<form action="/Users/Account/LostPassword" class="form-lost-password" method="post">

The nonce has disappeared (or rather has not been added at all, since we are specifying a particular route). So the ready solution is to add the nonce using the

Action(String, String, Object)

form of Url.Action() to specify it as a route value.

However, the nonce is not passed through either as a member on the Model or through the ViewBag (like the minimum password length is).

I found this previous question from the time of Orchard 1.6/1.7 which suggests updating the controller to add the nonce to the ViewBag, but we are using a pre-compiled re-dist of Orchard so this is less than ideal for our needs.

I will be looking at other ways of writing that form using what we have available to us without updating the Controller, but is there any plan to make the nonce available to this view for use?

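One way to keep the nonce on the form action without touching the controller, as an added example and not code from the original post or from Orchard itself: read it back out of the current request's query string in the overridden view and hand it to Url.Action as a route value, so the rendered action URL carries ?nonce=... just as the default view's does. It assumes the override is a normal Orchard Razor view (Request, Url and T are available), that the POST action binds nonce from the route/query values (which is what the default form's action URL shown above relies on), and that the input names newPassword and confirmPassword match the controller; check those names against the view you overrode.

```cshtml
@* Theme override of the Orchard.Users LostPassword view (added example).
   The nonce arrives on the GET as ?nonce=...; the parameterless
   BeginFormAntiForgeryPost() keeps it only because it posts back to the
   current URL. Once an explicit action URL is supplied it must be carried
   over by hand, otherwise ValidateLostPassword(nonce) fails and the
   controller answers with the 302 to "/" described above. *@
@{
    // Assumption: the POST action reads the nonce from the URL, not from a
    // hidden field, so it has to go on the action URL as a route value.
    var nonce = Request.QueryString["nonce"];

    // Url.Action URL-encodes route values, so the "/", "+" and "=" characters
    // in the Base64 nonce survive the round trip, exactly as in the default
    // view's action URL. A null route value would simply be dropped and
    // reproduce the nonce-less form above, so refuse to render it instead.
    var action = string.IsNullOrEmpty(nonce)
        ? null
        : Url.Action("LostPassword", "Account", new { nonce = nonce });
}
@if (action == null) {
    <p class="validation-summary-errors">@T("The password reset link is missing or invalid.")</p>
} else {
    using (Html.BeginFormAntiForgeryPost(action, FormMethod.Post, new { @class = "form-lost-password" })) {
        <fieldset>
            <label for="newPassword">@T("New password")</label>
            <input type="password" id="newPassword" name="newPassword" />
            <label for="confirmPassword">@T("Confirm password")</label>
            <input type="password" id="confirmPassword" name="confirmPassword" />
            <button type="submit">@T("Save")</button>
        </fieldset>
    }
}
```

After deploying the override, view the page source and confirm the form's action attribute ends in ?nonce=... before posting; a form whose action lacks the nonce is the one that produces the 302 to the root.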