Ticket #407 (new defect)

Opened 1 year ago

Last modified 5 months ago

push email change through to mulgara in emailConfirmationSuccess.action - do not require user to logout and then log back in to propagate change to mulgara

Reported by: russ
Assigned to:
Priority: high
Milestone:
Component: ambra-sso
Version: 0.7
Keywords: loginname change
Cc:
Blocking:
Blocked By:

Description

  • i login
  • go to preferences->change email address
  • submit the form
  • receive the email
  • click on the verification link
  • view the verification page - it says "you must click here and login to your profile to complete this change".

i'm still logged in, so when i click on the login link, i'm taken directly to the edit preferences page - which displays my OLD email address!!!

once i log out, i can login with the new email address and the preference page displays the correct new email address.

the preference page should display the correct email address, or the user should be logged out (forcing a new login) when requesting a new email address.

Change History

08/07/07 16:25:51 changed by

  • milestone deleted.

Milestone Bugs deleted

10/18/07 13:08:32 changed by russ

  • owner deleted.
  • priority changed from low to medium.

upping the priority on this. it's a real issue that's causing users grief and plugging up our support queues. we need to find a way to log the user out - delete their cas tickets - when they click the verification link so that we can successfully redirect them to a login page.

also note that it's not enough to just login to cas - they need to login to a journal site so that their mulgara profile is updated.

10/18/07 14:32:35 changed by amit

  • priority changed from medium to high.
  • component changed from publishing-app to signon-server.

Hmmm...surprised this was not upgraded before. I am going to up this to 'high' so it registers when the appropriate team starts to plan next set of features for the application.

10/29/07 20:39:37 changed by amit

  • owner set to jsuttor.

11/29/07 10:13:48 changed by russ

  • summary changed from change email address function has unexpected results for logged in users to push email change through to mulgara in emailConfirmationSuccess.action - do not require user to logout and then log back in to propagate change to mulgara.

after our meeting last week, i think we (or at least i) came to the conclusion that the correct fix for this is to push the email change into mulgara when the user clicks the verification link and hits emailConfirmationSuccess.action

updating the summary to reflect this

(follow-up: ↓ 7 ) 06/19/08 16:20:24 changed by amit

  • owner changed from jsuttor to pradeep.
  • blocking changed.
  • blockedby changed.
  • milestone set to 0.9.0.

Pradeep, how hard is this to do?

(in reply to: ↑ 6 ) 06/20/08 17:22:00 changed by pradeep

Replying to amit:

Pradeep, how hard is this to do?

Not simple to do with the current paradigm. Current solution is biased towards performance and hence stores the email address in the Http Session cache. The cache entry is valid till the time the user actually clicks on the link he receives in the confirmation e-mail. At that point, the cache entry is stale in ambra.

Checking on every request seems excessive. So registration server should be made to notify ambra somehow. How is an open question now.

06/20/08 17:24:11 changed by amit

  • owner deleted.
  • milestone deleted.

(follow-up: ↓ 12 ) 06/20/08 21:39:51 changed by ronald

Where does the link in the email point to? If it points to cas, it should be changed to point to ambra. If it points to ambra, then we can have that link log the user out and redirect to the login. Or am I missing something?

06/21/08 15:32:24 changed by amit

The link I get in the email is:

https://localhost:7443/ambra-registration/changeEmailVerification.action?loginName....

So it is pointing to the registration application packaged with CAS.

(follow-up: ↓ 13 ) 06/21/08 17:01:49 changed by amit

  • owner set to pradeep.
  • milestone set to 0.9.0.

Why not just force a log out on 'change email address' (as the user has to type the old password in anyway)?

(in reply to: ↑ 9 ) 06/23/08 10:07:31 changed by pradeep

Replying to ronald:

Where does the link in the email point to? If it points to cas, it should be changed to point to ambra. If it points to ambra, then we can have that link log the user out and redirect to the login. Or am I missing something?

... and who updates the registration app? The e-mail address is not changed till the registration app validates and accepts the change.

One of the solutions for syncing the email address can be for ambra to service the change-email confirmation (as you suggest) and issue the change confirmation HTTP request to the reg. app and parse the response and indicate appropriate status back to the user and also update mulgara. This assumes ambra is the only user of the registration service of course. If we are going that route maybe it would be better if the registration app is purely a back end service (web-service, REST, rmi - whatever) or a library and all of the display related functionality controlled by ambra.

(in reply to: ↑ 11 ) 06/23/08 10:17:15 changed by pradeep

Replying to amit:

Why not just force a log out on 'change email address' (as the user has to type the old password in anyway)?

This is change e-mail, not change password btw. Ambra doesn't care about change password and it is not an issue.

The e-mail address is changed only after the registration app processes the confirmation request. Till then the old address is valid. If ambra logs out the user on-click of the 'change email address', it would work as long as the user does not visit ambra served pages till the link in the confirmation e-mail is clicked by the user and the registration app accepts the change. If the user visits ambra in between, he'll be logged in and the old email will again be cached in his HttpSession.
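Added example, not part of the ticket and not Ambra or CAS code: one way to get the notification that the 06/20/08 comment leaves open, which also covers the in-between visit described in the 06/23/08 comment. The registration side bumps a per-user counter when it accepts the change, and each session compares that counter per request instead of re-reading the profile. All names (`EmailCacheDemo`, `SessionEntry`, `confirmEmailChange`) are hypothetical, and the in-process maps are an assumption standing in for whatever channel the two applications would share.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration; every class and method name here is hypothetical. */
public class EmailCacheDemo {
    /** Authoritative store, standing in for the registration app's user data. */
    static final Map<String, String> registry = new ConcurrentHashMap<>();
    /** Per-user change counter, bumped only when a change is confirmed. */
    static final Map<String, Long> generation = new ConcurrentHashMap<>();
    /** Demo-only counter of expensive lookups (single-threaded use in main). */
    static int registryLookups = 0;

    /** What one HTTP session caches: the email and the generation it was read at. */
    static final class SessionEntry {
        final String userId;
        String email;
        long seenGeneration;

        SessionEntry(String userId) { this.userId = userId; refresh(); }

        /** Read the counter before the value, so a concurrent change forces another refresh. */
        void refresh() {
            seenGeneration = generation.getOrDefault(userId, 0L);
            email = registry.get(userId);
            registryLookups++;
        }

        /** Per-request path: one in-memory comparison, full reload only on mismatch. */
        String currentEmail() {
            if (generation.getOrDefault(userId, 0L) != seenGeneration) refresh();
            return email;
        }
    }

    /** Runs when the verification link is accepted: commit the value, then bump the counter. */
    static void confirmEmailChange(String userId, String newEmail) {
        registry.put(userId, newEmail);
        generation.merge(userId, 1L, Long::sum);
    }

    public static void main(String[] args) {
        registry.put("u1", "old@example.org");          // constructed sample data
        SessionEntry session = new SessionEntry("u1");  // user logs in
        // Change requested but not confirmed: the old address is still the valid one.
        System.out.println(session.currentEmail());
        confirmEmailChange("u1", "new@example.org");    // verification link clicked
        System.out.println(session.currentEmail());     // same session, no logout needed
        System.out.println(session.currentEmail());     // served from the session cache
        System.out.println("registry lookups: " + registryLookups);
    }
}
```

The point where `refresh()` reloads the address is also where a deployment would write the new value through to the profile store, since it runs once per confirmed change rather than once per request.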

06/23/08 10:21:22 changed by amit

  • owner deleted.
  • milestone deleted.