

recovery password: not safety #15

yas375 opened this Issue · 0 comments

1 participant

Victor Ilyukevich

If we start using it as you described, then anybody can start checking URLs like "" and, if you have many users on your system, it is more possible to find the URL for changing the password of somebody else.

The simplest solution: add a required field 'email' to app/views/password_resets/edit.html.erb and check it before changing.
Or better, add ? to the link in the email and check for it in load_user_using_perishable_token.
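The two suggestions above (an email field on the edit form, or an email parameter in the reset link) boil down to the same lookup rule: a perishable token must only be honoured together with the email of the account it was issued for. The Ruby below is an added example, not code from this project; the `User` struct, the `USERS` table and the method names are constructed for illustration and stand in for the model and `load_user_using_perishable_token` in a real Rails app. It shows the token-only lookup the issue warns about next to the token-plus-email lookup, and a helper that quantifies why the token-only version gets weaker as the number of outstanding resets grows.

```ruby
require 'securerandom'

# Minimal stand-in for the User model in a perishable-token password reset flow.
# Constructed for this example; not the project's own model.
User = Struct.new(:id, :email, :perishable_token)

# Constructed sample users. In a real app these rows come from the database.
USERS = [
  User.new(1, 'alice@example.com', SecureRandom.hex(16)),
  User.new(2, 'bob@example.com',   SecureRandom.hex(16)),
].freeze

# Constant-time string comparison so the lookup does not leak how many
# leading bytes of a guessed token were correct.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The pattern the issue warns about: the reset URL carries only the token,
# so a guessed token that matches ANY user's token opens that user's reset form.
def find_by_token_only(token)
  return nil if token.nil? || token.empty?
  USERS.find { |u| secure_equal?(u.perishable_token, token) }
end

# The fix the issue proposes: the link (or the edit form) must also carry the
# account's email, and the lookup succeeds only when BOTH belong to the same user.
# Hypothetical replacement for the body of load_user_using_perishable_token.
def find_by_token_and_email(token, email)
  return nil if token.nil? || email.nil? || token.empty? || email.empty?
  user = USERS.find { |u| u.email.casecmp?(email) }
  return nil unless user
  secure_equal?(user.perishable_token, token) ? user : nil
end

# Why "many users" matters. With a token-only lookup one random guess succeeds if
# it hits ANY of the currently valid tokens, so the hit probability grows with the
# number of outstanding resets. With the email bound in, a guess only succeeds
# against the ONE account named in the request, regardless of how many users exist.
# Returns [p_any_user, p_one_user].
def hit_probability(token_space_size, outstanding_resets)
  any_user = 1.0 - (1.0 - 1.0 / token_space_size)**outstanding_resets
  one_user = 1.0 / token_space_size
  [any_user, one_user]
end
```

In practice the token space is far larger than the toy value used in the test, but the shape of the argument is the same: binding the email (or another per-account value) to the lookup removes the dependence on user count and forces an attacker to target one account at a time.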
