Redirect to PasswordController#new when reset_password_token is invalid (#4506)

author nullkal <nullkal@users.noreply.github.com>

Thu, 3 Aug 2017 15:45:45 +0000 (00:45 +0900)

committer Eugen Rochko <eugen@zeonfederated.com>

Thu, 3 Aug 2017 15:45:45 +0000 (17:45 +0200)
author nullkal <nullkal@users.noreply.github.com>
Thu, 3 Aug 2017 15:45:45 +0000 (00:45 +0900)
committer Eugen Rochko <eugen@zeonfederated.com>
Thu, 3 Aug 2017 15:45:45 +0000 (17:45 +0200)
diff --git a/app/controllers/auth/passwords_controller.rb b/app/controllers/auth/passwords_controller.rb

index 54ee1c39c0051ae6a36c8df3204939a656499a0c..171b997dc486f62c6e002c7f838cb3343f602316 100644 (file)
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@@ -1,5 +1,20 @@
  # frozen_string_literal: true
  
  class Auth::PasswordsController < Devise::PasswordsController
+  before_action :check_validity_of_reset_password_token, only: :edit
+
    layout 'auth'
+
+  private
+
+  def check_validity_of_reset_password_token
+    unless reset_password_token_is_valid?
+      flash[:error] = I18n.t('auth.invalid_reset_password_token')
+      redirect_to new_password_path(resource_name)
+    end
+  end
+
+  def reset_password_token_is_valid?
+    resource_class.with_reset_password_token(params[:reset_password_token]).present?
+  end
  end
diff --git a/config/locales/en.yml b/config/locales/en.yml

index 90b4fe82bcce26df442ec18cca61d8222717d5bf..1d092d20c0f102e149df06a477a4d3fd6a9b0f66 100644 (file)
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -234,6 +234,7 @@ en:
      resend_confirmation: Resend confirmation instructions
      reset_password: Reset password
      set_new_password: Set new password
+    invalid_reset_password_token: Password reset link is invalid or expired. Please try again.
    authorize_follow:
      error: Unfortunately, there was an error looking up the remote account
      follow: Follow
diff --git a/spec/controllers/auth/passwords_controller_spec.rb b/spec/controllers/auth/passwords_controller_spec.rb

index 60b225efaed5065d278ee438fdff2c12e28cfa34..992d2e29d2c48d66b1c07c62346b3d3c1abc144e 100644 (file)
--- a/spec/controllers/auth/passwords_controller_spec.rb
+++ b/spec/controllers/auth/passwords_controller_spec.rb
@@ -3,6 +3,8 @@
  require 'rails_helper'
  
  describe Auth::PasswordsController, type: :controller do
+  include Devise::Test::ControllerHelpers
+
    describe 'GET #new' do
      it 'returns http success' do
        @request.env['devise.mapping'] = Devise.mappings[:user]
@@ -10,4 +12,27 @@ describe Auth::PasswordsController, type: :controller do
        expect(response).to have_http_status(:success)
      end
    end
+
+  describe 'GET #edit' do
+    let(:user) { Fabricate(:user) }
+
+    before do
+      request.env['devise.mapping'] = Devise.mappings[:user]
+      @token = user.send_reset_password_instructions
+    end
+
+    context 'with valid reset_password_token' do
+      it 'returns http success' do
+        get :edit, params: { reset_password_token: @token }
+        expect(response).to have_http_status(:success)
+      end
+    end
+
+    context 'with invalid reset_password_token' do
+      it 'redirects to #new' do
+        get :edit, params: { reset_password_token: 'some_invalid_value' }
+        expect(response).to redirect_to subject.new_password_path(subject.send(:resource_name))
+      end
+    end
+  end
  end
author	nullkal <nullkal@users.noreply.github.com>
	Thu, 3 Aug 2017 15:45:45 +0000 (00:45 +0900)
committer	Eugen Rochko <eugen@zeonfederated.com>
	Thu, 3 Aug 2017 15:45:45 +0000 (17:45 +0200)
app/controllers/auth/passwords_controller.rb		patch \| blob \| history
config/locales/en.yml		patch \| blob \| history
spec/controllers/auth/passwords_controller_spec.rb		patch \| blob \| history