
Merge pull request #1902 from gbataille/master

Redirect to sign_in page when trying to access password#edit without a reset password token
This commit is contained in:
José Valim 2012-06-08 01:19:05 -07:00
commit 5df7105301
3 changed files with 16 additions and 0 deletions


@ -1,5 +1,7 @@
class Devise::PasswordsController < DeviseController
prepend_before_filter :require_no_authentication
# Render the #edit only if coming from a reset password email link
append_before_filter :assert_reset_token_passed, :only => :edit
# GET /resource/password/new
def new
@ -44,4 +46,11 @@ class Devise::PasswordsController < DeviseController
new_session_path(resource_name)
end
# Check if a reset_password_token is provided in the request
def assert_reset_token_passed
if params[:reset_password_token].blank?
set_flash_message(:error, :no_token)
redirect_to new_session_path(resource_name)
end
end
end
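Review bot: The comment added at the top of the first hunk, "Render the #edit only if coming from a reset password email link", overstates what `assert_reset_token_passed` checks: the filter only tests `params[:reset_password_token].blank?`, so any non-empty value still renders the form and the token is only validated later on update. Reword it to match the code, e.g. `# Render #edit only when a reset_password_token is present in the request; the token itself is validated on update`. Two smaller points: `set_flash_message(:error, :no_token)` uses a flash kind that, as far as I recall, differs from the `:notice`/`:alert` kinds Devise uses elsewhere, so the message may not show up in layouts that only render those keys — worth confirming against the other controllers; and since the second hunk starts at line 44 I cannot see whether the new method lands under `protected`, which it should, so it is not exposed as a public action.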


@ -29,6 +29,7 @@ en:
updated: 'Your password was changed successfully. You are now signed in.'
updated_not_active: 'Your password was changed successfully.'
send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
confirmations:
send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
send_paranoid_instructions: 'If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes.'


@ -126,6 +126,12 @@ class PasswordTest < ActionController::IntegrationTest
assert warden.authenticated?(:user)
end
test 'not authenticated user without a reset password token should not be able to visit the page' do
get edit_user_password_path
assert_response :redirect
assert_redirected_to "/users/sign_in"
end
test 'not authenticated user with invalid reset password token should not be able to change his password' do
user = create_user
reset_password :reset_password_token => 'invalid_reset_password'