
If a user accesses /resource/password/edit?reset_password_token=token with an invalid
reset_password_token, let them know immediately as soon as they get there rather than waiting until
*after* they've taken the time to enter their new password twice and submit the form to tell them
about the problem.

Also redirect them to the "Forgot your password?" page so that they can request a new one instead of
leaving them wondering what to do next.
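As an added illustration (not Devise's code and not part of this commit), the decision the commit moves into the GET handler can be modelled in plain Ruby: look the token up first, and redirect with a flash message when the lookup fails instead of rendering the form. The example also folds in the expiry check a reset flow normally needs, which this commit's lookup does not perform. The constant, the in-memory user table and all method names are assumptions constructed for the example.

```ruby
# Added example, not Devise's own code. Models the early token check that
# the commit performs in the `edit` action, plus an expiry check.

# Assumed reset window in seconds (Devise's reset_password_within defaults to 6 hours).
RESET_PASSWORD_WITHIN = 6 * 60 * 60

# Constructed sample records: reset token => user attributes.
USERS = {
  'fresh_token'   => { email: 'alice@example.com', reset_password_sent_at: Time.now - 60 },
  'expired_token' => { email: 'bob@example.com',   reset_password_sent_at: Time.now - 2 * RESET_PASSWORD_WITHIN },
}

# Stand-in for find_or_initialize_with_error_by: returns [user, error_message].
# A nil user with an error means "do not render the form".
def find_user_by_reset_token(token)
  return [nil, "Reset password token can't be blank"] if token.nil? || token.empty?

  user = USERS[token]
  return [nil, 'Reset password token is invalid'] unless user

  # Reject tokens older than the reset window so an expired link also fails
  # on the GET rather than only after the form is submitted.
  age_in_seconds = Time.now - user[:reset_password_sent_at]
  if age_in_seconds > RESET_PASSWORD_WITHIN
    return [nil, 'Reset password token has expired, please request a new one']
  end

  [user, nil]
end

# Simulates GET /users/password/edit: either render the edit form or
# redirect to the "Forgot your password?" page with the error in the flash.
def edit_password_response(token)
  user, error = find_user_by_reset_token(token)
  if error
    { status: :redirect, location: '/users/password/new', flash_error: error }
  else
    { status: :ok, render: 'passwords/edit', email: user[:email] }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts edit_password_response('something_invalid').inspect
  puts edit_password_response('expired_token').inspect
  puts edit_password_response('fresh_token').inspect
end
```

Run the file directly to see the three outcomes (unknown token, expired token, valid token); only the valid token reaches the render branch.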
commit b149f4203c70fedad9144e4476adfb9b7994f3e4 (1 parent: 7c8f636), Tyler Rick committed Dec 18, 2012
Showing with 15 additions and 2 deletions.
  1. +5 −2 app/controllers/devise/passwords_controller.rb
  2. +10 −0 test/integration/recoverable_test.rb
@@ -21,8 +21,11 @@ def create
# GET /resource/password/edit?reset_password_token=abcdef
def edit
- self.resource = resource_class.new
- resource.reset_password_token = params[:reset_password_token]
+ self.resource = resource_class.find_or_initialize_with_error_by(:reset_password_token, params[:reset_password_token])
+ if resource.errors[:reset_password_token].any?
+ flash[:error] = resource.errors.full_message(:reset_password_token, resource.errors[:reset_password_token].first)
+ redirect_to new_user_password_path
+ end
end
# PUT /resource/password
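Review bot: `redirect_to new_user_password_path` hardcodes the `user` scope inside the generic `devise/passwords_controller.rb`, so an application whose Devise model is not named `User` (an `admin` scope, say) would raise NoMethodError on an invalid token instead of redirecting; use Devise's scoped helper, `redirect_to new_password_path(resource_name)`. Two smaller points on the same hunk: `find_or_initialize_with_error_by` only establishes that a record with that token exists, so a token past `reset_password_within` still reaches the form and fails only on submit, which is the experience the commit message sets out to avoid (checking `resource.reset_password_period_valid?` here as well would close that gap); and the message is written straight into `flash[:error]` rather than through `set_flash_message`, so it bypasses the locale file the controller's other flashes use.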
@@ -132,6 +132,16 @@ def reset_password(options={}, &block)
assert_redirected_to "/users/sign_in"
end
+ test 'not authenticated user with an invalid reset password token should not be able to visit the edit_user_password page' do
+ get edit_user_password_path(:reset_password_token => 'something_invalid')
+ assert_response :redirect
+ assert_redirected_to "/users/password/new"
+
+ get "/users/password/new"
+ assert_have_selector '#flash_error'
+ assert_contain /Reset password token(.*)invalid/
+ end
+
test 'not authenticated user with invalid reset password token should not be able to change his password' do
user = create_user
reset_password :reset_password_token => 'invalid_reset_password'
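Review bot: the new test exercises only the invalid-token path, but the `edit` action now does a lookup on every request, so a companion test that a valid `reset_password_token` still renders the edit form (200 response, password fields present) would guard the happy path against regressions. The `assert_contain /Reset password token(.*)invalid/` matcher is also loose enough to pass on unrelated page text; asserting the exact flash message is tighter. Finally, the follow-up `get "/users/password/new"` depends on the flash surviving one request after the redirect, which holds here but deserves a one-line comment so the test's shape is clear to the next reader.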
