github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-23 19:54:14 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Clear the session after a reset token was used

Browse Source
This commit is contained in:
Robin Ward
2016-09-30 12:20:02 -04:00
parent 4d8d5613e4
commit f62d01ff1b
2 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/users_controller.rb
View File

@ -409,6 +409,7 @@ class UsersController < ApplicationController
@user.auth_token = nil @user.auth_token = nil
if @user.save if @user.save
Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
session["password-#{params[:token]}"] = nil
logon_after_password_reset logon_after_password_reset
end end
end end

1
spec/controllers/users_controller_spec.rb
View File

@ -251,6 +251,7 @@ describe UsersController do
user.reload user.reload
expect(user.auth_token).to_not eq old_token expect(user.auth_token).to_not eq old_token
expect(user.auth_token.length).to eq 32 expect(user.auth_token.length).to eq 32
expect(session["password-#{token}"]).to be_blank
end end
it "doesn't invalidate the token when loading the page" do it "doesn't invalidate the token when loading the page" do