do authlogic-style password resets

CHANGELOG

@@ -2,6 +2,7 @@
 
 =1.1.0
 * fixed time_ago formatting problem on user/index
+* user Authlogic's perishable token for doing password resets (instead of sending them a password)
 
 
 = 1.0.4.2

app/controllers/password_resets_controller.rb

@@ -0,0 +1,53 @@
+class PasswordResetsController < BaseController
+
+  before_filter :require_no_user
+  before_filter :load_user_using_perishable_token, :only => [ :edit, :update ]
+
+  def new
+  end
+
+  def create
+    @user = User.find_by_email(params[:email])
+    if @user
+      @user.deliver_password_reset_instructions!
+
+      flash[:info] = :your_password_reset_instructions_have_been_emailed_to_you.l      
+
+      redirect_to login_path
+    else
+      flash[:error] = :sorry_we_dont_recognize_that_email_address.l      
+
+      render :action => :new
+    end
+  end
+
+  def edit
+  end
+
+  def update
+    @user.password = params[:password]
+    @user.password_confirmation = params[:password_confirmation]
+
+    if @user.save
+      flash[:notice] = :your_changes_were_saved.l
+
+      redirect_to dashboard_user_path(@user)
+    else
+      flash[:error] = @user.errors.full_messages.to_sentence
+      render :action => :edit
+    end
+  end
+
+
+  private
+
+  def load_user_using_perishable_token
+    @user = User.find_using_perishable_token(params[:id])
+    unless @user
+      flash[:error] = :an_error_occurred.l
+
+      redirect_to login_path
+    end
+  end
+
+end

app/controllers/users_controller.rb

@@ -311,20 +311,6 @@ def welcome_complete
     flash[:notice] = :walkthrough_complete.l_with_args(:site => AppConfig.community_name) 
     redirect_to user_path
   end
-
-  def forgot_password  
-    return unless request.post?   
-
-    @user = User.active.find_by_email(params[:email])  
-    if @user && @user.reset_password
-      UserNotifier.deliver_reset_password(@user)
-      @user.save_without_session_maintenance
-      redirect_to login_url
-      flash[:info] = :your_password_has_been_reset_and_emailed_to_you.l      
-    else
-      flash[:error] = :sorry_we_dont_recognize_that_email_address.l
-    end 
-  end
 
   def forgot_username  
     return unless request.post?   

app/models/user.rb

@@ -428,6 +428,11 @@ def update_last_seen_at
     self.sb_last_seen_at = Time.now.utc
   end
 
+  def deliver_password_reset_instructions!
+    reset_perishable_token!
+    UserNotifier.deliver_password_reset_instructions(self)
+  end  
+
   ## End Instance Methods
 
 

app/models/user_notifier.rb

@@ -101,9 +101,11 @@ def activation(user)
     @body[:url]  = home_url
   end
 
-  def reset_password(user)
+  def password_reset_instructions(user)
     setup_email(user)
     @subject    += "#{:user_information.l(:site => AppConfig.community_name)}"
+    sent_on       Time.now
+    body          :edit_password_reset_url => edit_password_reset_url(user.perishable_token)    
   end
 
   def forgot_username(user)

app/views/password_resets/edit.html.haml

@@ -0,0 +1,16 @@
+.yui-b.sidebar
+
+#yui-main
+  .yui-b.main_column
+    -box do
+      %h3=:forgot_your_password.l
+
+      - form_tag password_reset_path, :method => :put, :class => "MainForm" do
+        %label=:password.l
+        = password_field_tag :password
+
+        %label=:confirm_password.l
+        = password_field_tag :password_confirmation
+
+        %p= submit_tag :reset_my_password.l
+

app/views/users/forgot_password.html.haml → app/views/password_resets/new.html.haml

@@ -6,7 +6,7 @@
     -box do
       %h3=:forgot_your_password.l
 
-      - form_tag forgot_password_url, :class => 'MainForm' do
+      - form_tag password_resets_path, :class => 'MainForm' do
         %label{"for"=>"email"}=:enter_your_email_address.l+":"
         = text_field_tag 'email', nil, :size => 35
         %p

app/views/user_notifier/password_reset_instructions.erb

@@ -0,0 +1,10 @@
+Hi there!
+
+A request to reset your <%= AppConfig.community_name %> password has been made. If you did not make this request, simply ignore this email. If you did make this request, visit the URL below.
+
+<%= @edit_password_reset_url %>
+
+If you have any questions, please contact <%= AppConfig.community_name %> support at <%= AppConfig.support_email %>.
+
+Thanks,
+The <%= AppConfig.community_name %> team

app/views/user_notifier/reset_password.fr.erb → app/views/user_notifier/password_reset_instructions.fr.erb

@@ -1,7 +1,8 @@
 Bonjour !
 
-Nous avons réinitialisé votre mot de passe <%= AppConfig.community_name %>.
-Votre nouveau mot de passe est : <%= @user.password %>. 
+Pour réinitialiser votre mot de passe <%= AppConfig.community_name %>, visite:
+
+<%= @edit_password_reset_url %>
 
 Pour tout information complémentaire, merci de contacter le support <%= AppConfig.community_name %> à l'adresse <%= AppConfig.support_email %>.
 

config/desert_routes.rb

@@ -48,7 +48,9 @@
 logout '/logout', :controller => 'sessions', :action => 'destroy'
 signup_by_id '/signup/:inviter_id/:inviter_code', :controller => 'users', :action => 'new'
 
-forgot_password '/forgot_password', :controller => 'users', :action => 'forgot_password'
+forgot_password '/forgot_password', :controller => 'password_resets', :action => 'new'
+resources :password_resets, :only => [ :new, :create, :edit, :update]
+
 forgot_username '/forgot_username', :controller => 'users', :action => 'forgot_username'  
 resend_activation '/resend_activation', :controller => 'users', :action => 'resend_activation'  
 
@@ -112,7 +114,6 @@
     :update_account => :put,
     :edit_pro_details => :get,
     :update_pro_details => :put,      
-    :forgot_password => [:get, :post],
     :signup_completed => :get,
     :invite => :get,
     :welcome_photo => :get, 

lang/ui/de-DE.yml

@@ -1294,8 +1294,8 @@ de-DE:
   your_about_text_goes_here: "Der Über-uns-Text kommt hier hin"
   #en: your_changes_were_saved: Your changes were saved.
   your_changes_were_saved: "Die Änderungen wurden gespeichert."
-  #en: your_password_has_been_reset_and_emailed_to_you: Your password has been reset and emailed to you.
-  your_password_has_been_reset_and_emailed_to_you: "Dein Passwort wurde zurückgesetzt und dir per E-Mail zugesendet."
+  #en:   your_password_reset_instructions_have_been_emailed_to_you: Your password has been reset and emailed to you.
+  your_password_reset_instructions_have_been_emailed_to_you: "Dein Passwort wurde zurückgesetzt und dir per E-Mail zugesendet."
   #en: your_post_was_deleted: Your post was deleted.
   your_post_was_deleted: "Dein Eintrag wurde gelöscht."
   #en: your_post_was_successfully_created: Your post was successfully created.

lang/ui/en.yml

@@ -1589,8 +1589,8 @@ en:
   your_faq_text_goes_here: Your FAQ text goes here.
   #en: your_changes_were_saved: Your changes were saved.
   your_changes_were_saved: Your changes were saved.
-  #en: your_password_has_been_reset_and_emailed_to_you: Your password has been reset and emailed to you.
-  your_password_has_been_reset_and_emailed_to_you: Your password has been reset and emailed to you.
+  #en:   your_password_reset_instructions_have_been_emailed_to_you: Instructions to reset your password have been emailed to you.
+  your_password_reset_instructions_have_been_emailed_to_you: Instructions to reset your password have been emailed to you.
   #en: your_post_was_deleted: Your post was deleted.
   your_post_was_deleted: Your post was deleted.
   #en: your_post_was_successfully_created: Your post was successfully created.

test/functional/password_reset_controller_test.rb

@@ -0,0 +1,34 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class PasswordResetsControllerTest < ActionController::TestCase
+  fixtures :all
+
+  test "should get new and respond with success" do
+    get :new
+
+    assert_response :success
+  end
+
+  test "should post to create and send an email" do
+    assert_emails 1 do 
+      post :create, :email => users(:quentin).email
+      assert_response :redirect
+      assert_redirected_to login_path
+    end
+  end
+
+  test "should get edit and respond with success" do
+    get :edit, :id => users(:quentin).perishable_token    
+
+    assert_response :success  
+  end
+
+  test "should put to update and redirect to dashboard" do
+    @user = users(:quentin)
+
+    put :update, :id => @user.perishable_token, :user => { :password => "newpassword" }
+
+    assert_redirected_to dashboard_user_path(@user)    
+  end
+
+end

test/functional/users_controller_test.rb

@@ -311,14 +311,6 @@ def test_should_update_account
     assert_equal assigns(:user).login, 'changed_login'
   end
 
-  def test_should_reset_password
-    assert_difference ActionMailer::Base.deliveries, :length, 1 do
-      post :forgot_password, :email => users(:quentin).email
-      assert_redirected_to login_path    
-      assert_nil UserSession.find
-    end
-  end
-
   def test_should_remind_username
     assert_difference ActionMailer::Base.deliveries, :length, 1 do
       post :forgot_username, :email => users(:quentin).email

test/unit/user_notifier_test.rb

@@ -89,9 +89,10 @@ def test_should_deliver_activation
     end    
   end
 
-  def test_should_deliver_reset_password
+  def test_should_deliver_password_reset_instructions
+    activate_authlogic
     assert_difference ActionMailer::Base.deliveries, :length, 1 do
-      UserNotifier.deliver_reset_password(users(:aaron))
+      UserNotifier.deliver_password_reset_instructions(users(:aaron))
     end    
   end
 

test/unit/user_test.rb

@@ -93,11 +93,17 @@ def test_should_handle_email_upcase
     end
   end
 
-  def test_should_reset_password
+  def test_should_update_password
     activate_authlogic
     users(:quentin).update_attributes(:password => 'new password', :password_confirmation => 'new password')
     assert_equal users(:quentin), UserSession.create(:login => 'quentin', :password => 'new password').record
   end
+
+  test "should deliver password reset instructions" do
+    assert_emails 1 do
+      users(:quentin).deliver_password_reset_instructions!
+    end
+  end
 
   def test_should_not_rehash_password
     activate_authlogic