Be paranoid when sending password reset emails
[rails.git] / app / controllers / passwords_controller.rb
index 87d25df68037599c8b70d058ffbe6b257c6cf963..25b2b96075bb2d24e79a8e21f4170a2e89756a65 100644 (file)
@@ -19,11 +19,10 @@ class PasswordsController < ApplicationController
     @title = t ".title"
 
     if params[:token]
-      token = UserToken.find_by(:token => params[:token])
+      self.current_user = User.find_by_token_for(:password_reset, params[:token]) ||
+                          UserToken.unexpired.find_by(:token => params[:token])&.user
 
-      if token
-        self.current_user = token.user
-      else
+      if current_user.nil?
         flash[:error] = t ".flash token bad"
         redirect_to :action => "new"
       end
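Review bot: The two-way token lookup added on the first two new lines of this hunk is repeated verbatim in the `update` hunk below; a private helper would keep the legacy fallback in one place and make it easy to remove once old `UserToken` rows have all expired. The fallback `UserToken.unexpired.find_by(:token => params[:token])&.user` accepts any unexpired row regardless of what it was issued for — if `UserToken` holds tokens for other purposes as well (the model is not in this diff), those would also unlock a password reset here, so it is worth confirming or scoping. Whichever form is kept, a short comment stating that the second branch exists only for tokens issued before this change would help the next reader.
```ruby
# Resolve a password-reset token to a user. The second branch accepts
# tokens issued before signed tokens were introduced; drop it once
# those rows have expired.
def user_from_reset_token(token)
  User.find_by_token_for(:password_reset, token) ||
    UserToken.unexpired.find_by(:token => token)&.user
end
```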
@@ -42,23 +41,20 @@ class PasswordsController < ApplicationController
     end
 
     if user
-      token = user.tokens.create
+      token = user.generate_token_for(:password_reset)
       UserMailer.lost_password(user, token).deliver_later
-      flash[:notice] = t ".notice email on way"
-      redirect_to login_path
-    else
-      flash.now[:error] = t ".notice email cannot find"
-      render :new
     end
+
+    flash[:notice] = t ".send_paranoid_instructions"
+    redirect_to login_path
   end
 
   def update
     if params[:token]
-      token = UserToken.find_by(:token => params[:token])
-
-      if token
-        self.current_user = token.user
+      self.current_user = User.find_by_token_for(:password_reset, params[:token]) ||
+                          UserToken.unexpired.find_by(:token => params[:token])&.user
 
+      if current_user
         if params[:user]
           current_user.pass_crypt = params[:user][:pass_crypt]
           current_user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
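Review bot: `UserMailer.lost_password(user, token)` now receives the String returned by `user.generate_token_for(:password_reset)` rather than a `UserToken` record as before; the mailer is not part of this diff, so confirm it no longer expects a record (for example calling `.token` on it) and that the reset link it builds carries the string unchanged. Responding with the same `.send_paranoid_instructions` notice and redirect for known and unknown addresses is the right shape for the enumeration concern in the commit title; keeping the mail on `deliver_later` also keeps the request path similar in both cases. The `update` branch that starts at `if current_user` continues into the next hunk.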
@@ -66,7 +62,7 @@ class PasswordsController < ApplicationController
           current_user.email_valid = true
 
           if current_user.save
-            token.destroy
+            UserToken.delete_by(:token => params[:token])
             session[:fingerprint] = current_user.fingerprint
             flash[:notice] = t ".flash changed"
             successful_login(current_user)
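Review bot: `UserToken.delete_by(:token => params[:token])` only revokes a legacy `UserToken` row; a token produced by `generate_token_for(:password_reset)` is a signed value with nothing to delete, so it remains usable until its expiry unless the `generates_token_for :password_reset` declaration on `User` (outside this diff) binds it to state that the password change alters, such as part of the password digest. If that binding is in place, say so here, e.g. `# Signed reset tokens are not stored; they become invalid because the User token definition embeds the password digest — see User`; if it is not, a successful reset would leave a still-valid reset link in the user's mailbox. The enclosing `update` method begins in the previous hunk and ends outside this one.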