Be paranoid when sending password reset emails
This implements what is known as "paranoid" password reset flash messages (using the terminology from Devise). It avoids revealing whether the supplied email address is already registered. Added an explicit test for this situation, so that the test for email non-existence is separate from the duplicate-case tests.
parent 664d02982c
commit 4e237db390
3 changed files with 24 additions and 15 deletions
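The behaviour the commit message describes, as an added example that is not the project's own code: a framework-free model of the old (leaky) and the new (paranoid) reset flows, plus a check that tells them apart. The names Mailer, Response, USERS, reset_token, leaky_reset, paranoid_reset, enumeration_oracle? and mailed_to, and the sample addresses, are assumptions made here for illustration.

```ruby
# Added example, not the project's own code: a framework-free model of the
# leaky and the paranoid password-reset flows, with a check that tells the
# two apart. Mailer, Response, USERS, reset_token, leaky_reset,
# paranoid_reset, enumeration_oracle? and mailed_to are names assumed here.
require "securerandom"

# Constructed sample data: one registered address; everything else is unknown.
USERS = { "alice@example.com" => { id: 1 } }.freeze

# Stand-in for UserMailer: records what would be delivered instead of sending it.
class Mailer
  attr_reader :queue

  def initialize
    @queue = []
  end

  def lost_password(email, token)
    @queue << { to: email, token: token }
  end
end

# What the requester can observe: status code, flash contents, redirect target.
Response = Struct.new(:status, :flash, :location)

# Stand-in for user.generate_token_for(:password_reset).
def reset_token
  SecureRandom.urlsafe_base64(32)
end

# Pre-change shape: the flash text and the status differ depending on whether
# the address is registered, so the endpoint is an account-enumeration oracle.
def leaky_reset(email, mailer)
  if USERS.key?(email)
    mailer.lost_password(email, reset_token)
    Response.new(302, { notice: "email on way" }, "/login")
  else
    Response.new(200, { error: "email cannot find" }, nil)
  end
end

# Paranoid shape: the mail still goes only to registered addresses, but the
# visible response is the same for everyone.
def paranoid_reset(email, mailer)
  mailer.lost_password(email, reset_token) if USERS.key?(email)
  Response.new(302, { notice: "send_paranoid_instructions" }, "/login")
end

# True when a flow answers differently for a registered and an unregistered
# address, which is exactly the leak the paranoid message is meant to close.
def enumeration_oracle?(flow, known: "alice@example.com", unknown: "nobody@example.com")
  flow.call(known, Mailer.new) != flow.call(unknown, Mailer.new)
end

# The mail must still reach the real account: returns the addresses a flow mailed.
def mailed_to(flow, *emails)
  mailer = Mailer.new
  emails.each { |e| flow.call(e, mailer) }
  mailer.queue.map { |m| m[:to] }
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky flow is an enumeration oracle: #{enumeration_oracle?(method(:leaky_reset))}"
  puts "paranoid flow is an enumeration oracle: #{enumeration_oracle?(method(:paranoid_reset))}"
end
```

The model equalises only what the requester sees. As in the real change, the token generation and the mail enqueue still happen on the registered path alone, so response timing remains a weaker signal that the identical flash message does not remove.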
@ -43,12 +43,10 @@ class PasswordsController < ApplicationController
if user
token = user.generate_token_for(:password_reset)
UserMailer.lost_password(user, token).deliver_later
flash[:notice] = t ".notice email on way"
redirect_to login_path
else
flash.now[:error] = t ".notice email cannot find"
render :new
end
|
flash[:notice] = t ".send_paranoid_instructions"
redirect_to login_path
end
|
def update
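Review bot: with the flash text now identical on both paths, the enumeration signal left in this hunk is timing: the `if user` branch still runs `user.generate_token_for(:password_reset)` and `UserMailer.lost_password(user, token).deliver_later` only for registered addresses, so a request for a known e-mail does measurably more work before `redirect_to login_path` than one for an unknown e-mail. Consider moving the lookup, token generation and enqueue into a background job that is scheduled for every submitted address, so both paths cost the same before the redirect, and pair the paranoid message with rate limiting on this action, since the message change alone does not stop an attacker from measuring response time. Also confirm that a translation exists for the new `.send_paranoid_instructions` key, as the flash is now set on every request rather than only when a user is found.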
|