Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

recovery password: not safety #15

yas375 opened this Issue Oct 1, 2010 · 0 comments


None yet
1 participant

yas375 commented Oct 1, 2010

if we start using it as you described, then anybody can start checking urls like "http://example.com/password_resets/zAk3O7mRnjTdPfaLkePU/edit" and if you have many users on your system then it is more possible to find url for changing pass to somebody else.

The simplest solution: add required field 'email' to app/views/password_resets/edit.html.erb and check it before changing.
Or better add ?email=text@example.com to link in email. And check for it in load_user_using_perishable_token

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment