Fixed a long standing bug in login_user which was using 'password' instead of settings.password_field

Fixes #636

gluon/authapi.py

@@ -688,19 +688,22 @@ class AuthAPI(object):
             return True
         return False
 
-    def login_user(self, user):
-        """
-        Logins the `user = db.auth_user(id)`
-        """
+    def _update_session_user(self, user):
         if global_settings.web2py_runtime_gae:
             user = Row(self.table_user()._filter_fields(user, id=True))
-            delattr(user, 'password')
+            delattr(user, self.settings.password_field)
         else:
             user = Row(user)
             for key in list(user.keys()):
                 value = user[key]
-                if callable(value) or key == 'password':
+                if callable(value) or key == self.settings.password_field:
                     delattr(user, key)
+
+    def login_user(self, user):
+        """
+        Logins the `user = db.auth_user(id)`
+        """
+        self._update_session_user(user)
         if self.settings.renew_session_onlogin:
             current.session.renew(clear_session=not self.settings.keep_session_onlogin)
         current.session.auth = Storage(user=user,
@@ -924,7 +927,7 @@ class AuthAPI(object):
             log = self.messages['profile_log']
 
         self.log_event(log, user)
-        self.user.update(**kwargs)
+        self._update_session_user(user)
         return {'errors': None, 'message': self.messages.profile_updated, 'user': {k: user[k] for k in table_user.fields if table_user[k].readable}}
 
     def change_password(self, log=DEFAULT, **kwargs):

gluon/tools.py

@@ -3734,7 +3734,14 @@ class Auth(AuthAPI):
                         formname='profile',
                         onvalidation=onvalidation,
                         hideerror=self.settings.hideerror):
-            self.user.update(table_user._filter_fields(form.vars))
+            extra_fields = self.settings.extra_fields.get(self.settings.table_user_name, [])
+            if any(f.compute for f in extra_fields):
+                user = table_user[self.user.id]
+                self._update_session_user(user) 
+            else:
+                self.user.update(table_user._filter_fields(form.vars))
+
+            
             session.flash = self.messages.profile_updated
             self.log_event(log, self.user)
             callback(onaccept, form)