
Merge pull request #1902 from gbataille/master

Redirect to sign_in page when trying to access password#edit without a reset password token
This commit is contained in:
José Valim 2012-06-08 01:19:05 -07:00
commit 5df7105301
3 changed files with 16 additions and 0 deletions


@ -1,5 +1,7 @@
class Devise::PasswordsController < DeviseController class Devise::PasswordsController < DeviseController
prepend_before_filter :require_no_authentication prepend_before_filter :require_no_authentication
# Render the #edit only if coming from a reset password email link
append_before_filter :assert_reset_token_passed, :only => :edit
# GET /resource/password/new # GET /resource/password/new
def new def new
@ -44,4 +46,11 @@ class Devise::PasswordsController < DeviseController
new_session_path(resource_name) new_session_path(resource_name)
end end
# Check if a reset_password_token is provided in the request
def assert_reset_token_passed
if params[:reset_password_token].blank?
set_flash_message(:error, :no_token)
redirect_to new_session_path(resource_name)
end
end
end end
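Review bot: The comment on the new filter, `# Render the #edit only if coming from a reset password email link`, overstates what `assert_reset_token_passed` actually checks: it only rejects a blank `params[:reset_password_token]`, so any non-empty value, including one never issued by the mailer, still renders the edit form, and the token is only compared against the stored one in `update` (the `'invalid_reset_password'` integration test further down exercises that path). I would reword it to `# Redirect to sign-in unless a reset_password_token param is present; the token itself is only validated in #update` so nobody reads the filter as an authenticity check. It is also worth confirming that the method lands under the `protected` marker next to the `new_session_path` helper above it rather than in the public action section; the rendered hunk drops indentation and the visibility marker, if any, is outside what is shown here.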


@ -29,6 +29,7 @@ en:
updated: 'Your password was changed successfully. You are now signed in.' updated: 'Your password was changed successfully. You are now signed in.'
updated_not_active: 'Your password was changed successfully.' updated_not_active: 'Your password was changed successfully.'
send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes." send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
confirmations: confirmations:
send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.' send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
send_paranoid_instructions: 'If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes.' send_paranoid_instructions: 'If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes.'


@ -126,6 +126,12 @@ class PasswordTest < ActionController::IntegrationTest
assert warden.authenticated?(:user) assert warden.authenticated?(:user)
end end
test 'not authenticated user without a reset password token should not be able to visit the page' do
get edit_user_password_path
assert_response :redirect
assert_redirected_to "/users/sign_in"
end
test 'not authenticated user with invalid reset password token should not be able to change his password' do test 'not authenticated user with invalid reset password token should not be able to change his password' do
user = create_user user = create_user
reset_password :reset_password_token => 'invalid_reset_password' reset_password :reset_password_token => 'invalid_reset_password'