Require both user and email for anonymous password resets

app/controllers/devise/passwords_controller.rb

@@ -12,13 +12,15 @@ class Devise::PasswordsController < DeviseController
 
   # POST /resource/password
   def create
-    self.resource = resource_class.send_reset_password_instructions(resource_params)
-    yield resource if block_given?
+    user = resource_class.find_by(cn: resource_params['cn'])
 
-    if successfully_sent?(resource)
-      respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
+    if (!user || user.email != resource_params['email'])
+      msg = "Username or email address not found."
+      redirect_to new_user_password_path, alert: msg
     else
-      respond_with(resource)
+      resource_class.send_reset_password_instructions(resource_params)
+      msg = "We have sent you an email with a link to reset your password."
+      redirect_to check_your_email_path, notice: msg
     end
   end