From a604018249ace1a6da88a0123159808b931c2776 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Wed, 11 Nov 2020 19:39:19 +0100
Subject: [PATCH] Require both user and email for anonymous password resets

---
 app/controllers/devise/passwords_controller.rb | 12 +++++++-----
 app/views/devise/passwords/new.html.erb | 17 ++++++++++++++---
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/app/controllers/devise/passwords_controller.rb b/app/controllers/devise/passwords_controller.rb
index adf163e..ab99fc8 100644
--- a/app/controllers/devise/passwords_controller.rb
+++ b/app/controllers/devise/passwords_controller.rb
@@ -12,13 +12,15 @@ class Devise::PasswordsController < DeviseController
 
   # POST /resource/password
   def create
-    self.resource = resource_class.send_reset_password_instructions(resource_params)
-    yield resource if block_given?
+    user = resource_class.find_by(cn: resource_params['cn'])
 
-    if successfully_sent?(resource)
-      respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
+    if (!user || user.email != resource_params['email'])
+      msg = "Username or email address not found."
+      redirect_to new_user_password_path, alert: msg
     else
-      respond_with(resource)
+      resource_class.send_reset_password_instructions(resource_params)
+      msg = "We have sent you an email with a link to reset your password."
+      redirect_to check_your_email_path, notice: msg
     end
   end
 
diff --git a/app/views/devise/passwords/new.html.erb b/app/views/devise/passwords/new.html.erb
index 9b486b8..b4ccd6a 100644
--- a/app/views/devise/passwords/new.html.erb
+++ b/app/views/devise/passwords/new.html.erb
@@ -4,12 +4,23 @@
   <%= render "devise/shared/error_messages", resource: resource %>
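Review bot: The `if (!user || user.email != resource_params['email'])` branch in `create` answers with a different flash and redirect than the success branch, so the form now tells an anonymous visitor whether a given username belongs to a given email address — the stock Devise controller avoids this kind of oracle under `config.paranoid`, which the rewrite gives up by hard-coding the two messages. Responding identically in both branches and only sending the instructions when the pair matches (as sketched below; the wording is a suggestion) removes the signal while keeping the new two-factor lookup. The return value of `send_reset_password_instructions` is also no longer examined, since the old `successfully_sent?` branch is gone, so a record carrying errors would still be reported as sent — at least log `errors` on the returned record. The comparison `user.email != resource_params['email']` is exact, so if the app keeps Devise's default `case_insensitive_keys`/`strip_whitespace_keys` normalisation for email, a user typing their address with different casing or a trailing space is rejected here although Devise itself would have found them; normalising both sides before comparing avoids that. Ruby style also drops the parentheses around the `if` condition, and `new_user_password_path` ties this generic controller to the `user` resource where `new_password_path(resource_name)` would keep it resource-agnostic.
```ruby
  def create
    user = resource_class.find_by(cn: resource_params['cn'])

    # Send only when the username/email pair matches, but respond the same
    # way either way so the form cannot be used to confirm the association.
    if user && user.email.to_s.strip.casecmp?(resource_params['email'].to_s.strip)
      record = resource_class.send_reset_password_instructions(resource_params)
      Rails.logger.warn("password reset not sent: #{record.errors.full_messages.join(', ')}") if record.errors.any?
    end

    msg = "If the username and email address match an account, we have sent you an email with a link to reset your password."
    redirect_to check_your_email_path, notice: msg
  end
```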
- <%= f.label :email %>
- <%= f.email_field :email, autofocus: true, autocomplete: "email" %> +

+ <%= f.label :cn, 'User' %>
+ <%= f.text_field :cn, autofocus: true, autocomplete: "username" %> @ kosmos.org +

+
+ +
+

+ <%= f.label :email, 'Email address' %>
+ <%= f.email_field :email, autocomplete: "email" %> +

- <%= f.submit "Send me reset password instructions" %> +

+ <%= f.submit "Send me reset password instructions" %> +

<% end %>