unauthenticated users cannot access password recovery page #69

Closed
masterkain opened this Issue Feb 17, 2010 · 4 comments

class Clearance::PasswordsController
skip_before_filter :authenticate,        :only => [:edit, :update]

This is a recent addition.

Owner

croaky commented Feb 21, 2010

I don't understand the problem. Unauthenticated users can still access this page even if you before_filter :authenticate in your ApplicationController. That was the reason for this change.

I do before_filter :authenticate in ApplicationController by default.
Clearance::PasswordsController has a 'new' action.

By skipping :authenticate only on :edit and :update by default, unauthenticated users cannot access the 'new' action for password recovery.

http://github.com/thoughtbot/clearance/commit/087b55b2fbf465b436a2f5750a67f2b5957d4be5#L3R3

Owner

croaky commented Feb 21, 2010

I see what you're saying. We missed :new and :create with that commit. This problem existed before our recent addition, which was intended to fix the problem. Thanks for noticing it. Fixing it now.

qrush pushed a commit to qrush/clearance that referenced this issue May 24, 2012

croaky [#69] Allow Rails apps to before_filter :authenticate the entire app
in ApplicationController and still have password recovery work without
overriding any controllers. (Claudio Poli, Dan Croak)
61b4f2f

This issue was closed.
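
Added example, not part of the thread and not Clearance or Rails code: a plain-Ruby model of `before_filter` / `skip_before_filter` with `:only`, used to list which password recovery actions stay behind `:authenticate` under the declaration quoted in the issue and under a skip list that also covers `:new` and `:create`. `FilterModel`, `PasswordsBefore`, `PasswordsAfter`, `AccountsController` and `gated_actions` are hypothetical names, and the "after" declaration is an assumption based on croaky's last comment, not the contents of the fixing commit.

```ruby
# Plain-Ruby model of before_filter / skip_before_filter with :only.
# Illustration only: this is neither Rails nor Clearance code.
class FilterModel
  def self.filters
    @filters ||= superclass.respond_to?(:filters) ? superclass.filters.dup : []
  end

  def self.skips
    @skips ||= superclass.respond_to?(:skips) ? superclass.skips.dup : []
  end

  def self.before_filter(name)
    filters << name
  end

  def self.skip_before_filter(name, opts = {})
    skips << [name, opts[:only] && Array(opts[:only])]
  end

  # Filters that still run before the given action.
  def self.filters_for(action)
    filters.reject do |f|
      skips.any? { |name, only| name == f && (only.nil? || only.include?(action)) }
    end
  end
end

class ApplicationController < FilterModel
  before_filter :authenticate            # app-wide default from the thread
end

class PasswordsBefore < ApplicationController   # declaration quoted in the issue
  skip_before_filter :authenticate, :only => [:edit, :update]
end

class PasswordsAfter < ApplicationController    # assumed fix: :new and :create added
  skip_before_filter :authenticate, :only => [:new, :create, :edit, :update]
end

class AccountsController < ApplicationController; end  # hypothetical, must stay gated
RECOVERY_ACTIONS = [:new, :create, :edit, :update]

# Actions an unauthenticated user cannot reach on the given controller.
def gated_actions(controller, actions = RECOVERY_ACTIONS)
  actions.select { |a| controller.filters_for(a).include?(:authenticate) }
end

p gated_actions(PasswordsBefore)
p gated_actions(PasswordsAfter)
p gated_actions(AccountsController, [:show])
```

In a real app the same check belongs in a functional test that requests each recovery action without a session, alongside one that confirms an unrelated controller still redirects to sign-in.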
