Changing your user name produces an error and logs you out #2394

Closed
davidread opened this issue Apr 14, 2015 · 5 comments · Fixed by #3030

Comments

@davidread
Contributor

If you edit your user and change your user name, it says "Profile updated" (which is good - it worked) and "Unauthorized to edit a user" and you are now logged out.

All the other user fields work ok.

@davidread
Contributor Author

BTW there is a test for this in #2393 with the name field commented out

@amercader
Member

@davidread do you have time to have a look and investigate a bit more what might be happening? Cheers

@davidread
Contributor Author

I've got a bit of a backlog, and we don't use this feature in DGU, so I'd rather not, unless it can wait a couple of weeks

amercader self-assigned this Apr 23, 2015

@nateprewitt
Contributor

So I believe I've tracked this down to the BaseController, which is superseding the redirect_to call in _save_edit. The comment in there says the user needs to be forced to logout when they update their name (I'm not sure if this is correct) which is what is causing the issue.

I think this is redirecting back to the /user/edit/ page after performing the logout function which is what is generating the 401 error and then forcing the user to the login page since they're currently unauthenticated.

As for a fix, I'm not sure what the best way to approach this is, but I can probably dig around this week and see what I come up with.

@davidread
Contributor Author

Good spot finding the relevant code.

The authtkt cookie contains the user's name, so when you change your user.name in the database, then the cookie is out of date. Then when it gets to that code in BaseController you referenced, it finds that user name isn't in the database and therefore the best thing is to log you out. (The cookie's user name is read by the AuthKit middleware and that sets request.environ['REMOTE_USER'].)

The best solution would be to tell authtkt to change the cookie to have the new username.
Failing that, CKAN could just warn the user that they will have to log in again if they change their username.
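
The stale-cookie behaviour described in the comment above, as an added example that is not part of the original thread and is not CKAN or AuthKit code. A toy HMAC-signed ticket stands in for the authtkt cookie; the ticket format and all names (`issue_ticket`, `remote_user`, `identify`, `rename`) are assumptions made for illustration. It shows the forced logout after a rename and the effect of reissuing the ticket with the new user name.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, for this example only


def issue_ticket(username):
    """Return a signed cookie value embedding the user name (hypothetical format)."""
    sig = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{sig}!{username}"


def remote_user(ticket):
    """Middleware step: verify the signature, return the embedded name or None."""
    sig, _, username = ticket.partition("!")
    expected = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(sig, expected) else None


def identify(users, ticket):
    """Controller step: the name from the cookie must still exist in the database."""
    name = remote_user(ticket)
    return name if name in users else None  # None means "treat as logged out"


def rename(users, ticket, new_name, reissue):
    """Rename the ticket's user; optionally reissue the ticket for the new name."""
    old = identify(users, ticket)
    if old is None:
        raise PermissionError("Unauthorized to edit a user")
    if new_name in users:
        raise ValueError("user name already taken")
    users[new_name] = users.pop(old)
    return issue_ticket(new_name) if reissue else ticket


def demo():
    users = {"alice": {"id": 1}}  # constructed sample database
    stale = rename(users, issue_ticket("alice"), "alice2", reissue=False)
    after_bug = identify(users, stale)  # cookie still names "alice": no match
    users = {"alice": {"id": 1}}
    fresh = rename(users, issue_ticket("alice"), "alice2", reissue=True)
    after_fix = identify(users, fresh)  # cookie names "alice2": session survives
    return after_bug, after_fix


if __name__ == "__main__":
    print(demo())
```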

Psykar added a commit to Psykar/ckan that referenced this issue May 19, 2016
amercader pushed a commit that referenced this issue Aug 26, 2016
Fixes #2394

Conflicts:
	ckan/tests/controllers/test_user.py