Problem/Motivation

When logged in as an administrator and visiting /user/[uid]/one-time-login, I see the message 'CSRF token validation failed for one-time login generation. User [uid], Target [target], IP [IP]'.

Steps to reproduce

- Install module
- Log in as administrator
- Visit /user/1/one-time-login or any similar page

Proposed resolution

I think the problem is here:

https://git.drupalcode.org/project/onetimelogin/-/blob/1.0.5/src/Control...

Why is the module checking that the current user has a CSRF token at this stage? They are logged in and have had their permissions checked, and they are not the user who needs a one time login link.

Thanks for maintaining the module; it's really useful. In the meantime I am reverting to version 1.0.3, which I think is the last version that did not have this bug.

Comment  File           Size     Author
#2       3571741.patch  1.13 KB  shank115

Comments

billspreston created an issue. See original summary.

shank115 (comment #2):

Status  File           Size
new     3571741.patch  1.13 KB

I can confirm this issue and reproduce it on a clean install.

The 'access denied' is caused by the CSRF validation inside OneTimeLoginController::generate().

This patch removes the CSRF token validation block from the controller. The route /user/{user}/one-time-login is accessed via GET and is already protected by permissions.
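Since the thread turns on whether a CSRF token belongs on a GET route, here is an added, stand-alone illustration of how Drupal core binds such a token; it is not the onetimelogin module's code and not from either commenter. In core, a route that declares the requirement `_csrf_token: 'TRUE'` in its routing.yml is guarded by CsrfAccessCheck, which validates the `token` query argument against the route path with its parameters filled in, and links built with `Url::fromRoute()` to that route get the token appended automatically by the CSRF route processor. The class below re-implements that token scheme (a session-seeded HMAC over the path, base64url-encoded) in plain PHP so it runs without a Drupal site; the session seed, the site salt and the /user/{uid}/one-time-login paths are constructed sample values.

```php
<?php
// Added illustration (not the onetimelogin module's code): how a CSRF token
// for a GET route is bound to both the session and the exact route path,
// mirroring the scheme Drupal core uses for routes with `_csrf_token: 'TRUE'`.
// Plain PHP so it runs stand-alone with `php csrf_get_route.php`; the session
// seed, hash salt and route paths are constructed sample values.

declare(strict_types=1);

final class CsrfTokenGenerator
{
    public function __construct(
        private string $sessionSeed,  // per-session random value (core keeps it in the session)
        private string $hashSalt,     // site-wide secret (core: private key + hash salt)
    ) {}

    /**
     * Token for a value; core binds it to the route path with the
     * placeholders substituted, e.g. "user/1/one-time-login".
     */
    public function get(string $value): string
    {
        $raw = hash_hmac('sha256', $value, $this->sessionSeed . $this->hashSalt, true);
        // base64url without padding, as core's Crypt::hmacBase64() produces.
        return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
    }

    public function validate(string $token, string $value): bool
    {
        // Constant-time comparison; known value first.
        return hash_equals($this->get($value), $token);
    }
}

// Outbound side: what core's route processor does when a link to a
// `_csrf_token` route is rendered: append ?token= bound to that exact path.
function buildOneTimeLoginUrl(CsrfTokenGenerator $csrf, int $uid): string
{
    $path = "user/$uid/one-time-login";
    return '/' . $path . '?token=' . rawurlencode($csrf->get($path));
}

// Inbound side: the access check a GET route with `_csrf_token: 'TRUE'` gets.
// Returns true only when the token in the query string matches the requested
// path for this session; a bare path with no token is denied.
function accessOneTimeLogin(CsrfTokenGenerator $csrf, string $requestUri): bool
{
    $parts = parse_url($requestUri);
    parse_str($parts['query'] ?? '', $query);
    $path = ltrim($parts['path'] ?? '', '/');
    return $csrf->validate((string) ($query['token'] ?? ''), $path);
}

$csrf = new CsrfTokenGenerator(bin2hex(random_bytes(32)), 'constructed-site-hash-salt');

$link = buildOneTimeLoginUrl($csrf, 1);
printf("generated link:               %s\n", $link);
printf("follow the generated link:    %s\n", accessOneTimeLogin($csrf, $link) ? 'allowed' : 'denied');
printf("type the bare URL, no token:  %s\n", accessOneTimeLogin($csrf, '/user/1/one-time-login') ? 'allowed' : 'denied');
// The token is bound to the path, so a uid 1 token replayed against uid 2 fails.
$reused = str_replace('/user/1/', '/user/2/', $link);
printf("replay uid 1 token on uid 2:  %s\n", accessOneTimeLogin($csrf, $reused) ? 'allowed' : 'denied');
```

Run it with `php csrf_get_route.php`. Following the link the site generated passes the check, while requesting the bare path directly or replaying one user's token against another user's path does not, because the HMAC covers both the session seed and the exact path. That is the behaviour a route-level `_csrf_token` requirement buys on a GET route; whether this particular route should carry it is the question the issue is settling, and a controller that validates a token no generated link ever carried will deny every request in exactly the way the summary describes.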

shank115:

Status: Active » Needs review

  • 1241af40 committed on 1.0.x
    feat: #3571741 Can't access login link generation page