Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

recovery password: not safety #15

Open
yas375 opened this Issue · 0 comments

1 participant

Victor Ilyukevich
Victor Ilyukevich

if we start using it as you described, then anybody can start checking urls like "http://example.com/password_resets/zAk3O7mRnjTdPfaLkePU/edit" and if you have many users on your system then it is more possible to find url for changing pass to somebody else.

The simplest solution: add required field 'email' to app/views/password_resets/edit.html.erb and check it before changing.
Or better add ?email=text@example.com to link in email. And check for it in load_user_using_perishable_token

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.