1
0
Fork 0
mirror of https://github.com/heartcombo/devise.git synced 2022-11-09 12:18:31 -05:00

Properly check for authentication_keys or encrypted_password changes when clearing the reset password token

This change is required to better support scenarios where records don't have
an `encrypted_password` column and the password is managed elsewhere (LDAP, for instance).

The move from `email_changed?` to loop through the `authentication_keys` is also
useful to support edge cases where users can authenticate with different attributes
besides their email.

Closes #3624.
This commit is contained in:
Lucas Mazza 2016-07-01 14:08:38 -03:00
parent 5b57aa0b85
commit b1508e93e1
No known key found for this signature in database
GPG key ID: C009F9A6BE4A44CB

View file

@ -27,11 +27,7 @@ module Devise
end end
included do included do
before_update do before_update :clear_reset_password_token, if: :clear_reset_password_token?
if (respond_to?(:email_changed?) && email_changed?) || encrypted_password_changed?
clear_reset_password_token
end
end
end end
# Update password saving the record and clearing token. Returns true if # Update password saving the record and clearing token. Returns true if
@ -97,6 +93,15 @@ module Devise
send_devise_notification(:reset_password_instructions, token, {}) send_devise_notification(:reset_password_instructions, token, {})
end end
def clear_reset_password_token?
encrypted_password_changed = respond_to?(:encrypted_password_changed?) && encrypted_password_changed?
authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
end
authentication_keys_changed || encrypted_password_changed
end
module ClassMethods module ClassMethods
# Attempt to find a user by password reset token. If a user is found, return it # Attempt to find a user by password reset token. If a user is found, return it
# If a user is not found, return nil # If a user is not found, return nil