Bug#755671: tracker.debian.org: Merging two accounts results in a "403 Forbidden" message

[Raphael Hertzog <hertzog@debian.org>]

Control: retitle -1 Merging a @debian.org account in a non @debian.org account leads to "403 Forbidden"

Hi,

On Tue, 22 Jul 2014, Axel Beckert wrote:
> I just tried to merge the two accounts "abe@deuxchevaux.org" and
> "abe@debian.org". I'm currently logged in as "abe@deuxchevaux.org" and
> entered "abe@debian.org" as additional address.
> 
> When I open the
> https://tracker.debian.org/accounts/+merge-accounts/finalize/<hash> URL
> in a browser where I'm logged in into the "abe@deuxchevaux.org" account,
> I get a "403 Forbidden" error message.

It's probably a result of some of the special handling made by the
distro_tracker.vendor.debian.sso_auth.DebianSsoUserMiddleware middleware.
Basically it forces you to use sso.debian.org as authentication
as soon as you have a @debian.org email attached to your account.

Since you were logged with non debian.org account, as soon
as the merge was complete, you got logged out and you no longer had the
permissions to view the page that you were redirected to.

That's my current guess at least.

Can you try to login as abe@debian.org (using the sso link in
https://tracker.debian.org/accounts/login/) and see if the account merge
was effectively completed?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/