cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Prevent CSRF bypass with password reset form

Browse source
This commit is contained in:
Tom Hughes 2021-02-09 22:59:54 +00:00
parent c49e400aa3
commit 51af102c00
2 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
app/controllers/users_controller.rb
View file

@ -151,7 +151,7 @@ class UsersController < ApplicationController
def lost_password def lost_password
@title = t "users.lost_password.title" @title = t "users.lost_password.title"
if params[:email] if request.post?
user = User.visible.find_by(:email => params[:email]) user = User.visible.find_by(:email => params[:email])
if user.nil? if user.nil?

10
test/controllers/users_controller_test.rb
View file

@ -812,6 +812,16 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
user = create(:user) user = create(:user)
uppercase_user = build(:user, :email => user.email.upcase).tap { |u| u.save(:validate => false) } uppercase_user = build(:user, :email => user.email.upcase).tap { |u| u.save(:validate => false) }
# Resetting with GET should fail
assert_no_difference "ActionMailer::Base.deliveries.size" do
perform_enqueued_jobs do
get user_forgot_password_path, :params => { :email => user.email }
end
end
assert_response :success
assert_template :lost_password
# Resetting with POST should work
assert_difference "ActionMailer::Base.deliveries.size", 1 do assert_difference "ActionMailer::Base.deliveries.size", 1 do
perform_enqueued_jobs do perform_enqueued_jobs do
post user_forgot_password_path, :params => { :email => user.email } post user_forgot_password_path, :params => { :email => user.email }