Prevent CSRF bypass with password reset form

2021-02-09 22:59:54 +00:00 · 2021-02-09 22:59:54 +00:00 · 51af102c00
commit 51af102c00
parent c49e400aa3
2 changed files with 11 additions and 1 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -151,7 +151,7 @@ class UsersController < ApplicationController
  def lost_password
    @title = t "users.lost_password.title"

-    if params[:email]
+    if request.post?
      user = User.visible.find_by(:email => params[:email])

      if user.nil?
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@ -812,6 +812,16 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
    user = create(:user)
    uppercase_user = build(:user, :email => user.email.upcase).tap { |u| u.save(:validate => false) }

+    # Resetting with GET should fail
+    assert_no_difference "ActionMailer::Base.deliveries.size" do
+      perform_enqueued_jobs do
+        get user_forgot_password_path, :params => { :email => user.email }
+      end
+    end
+    assert_response :success
+    assert_template :lost_password
+
+    # Resetting with POST should work
    assert_difference "ActionMailer::Base.deliveries.size", 1 do
      perform_enqueued_jobs do
        post user_forgot_password_path, :params => { :email => user.email }