Require both user and email for anonymous password resets

app/controllers/devise/passwords_controller.rb

@@ -12,13 +12,15 @@ class Devise::PasswordsController < DeviseController
 
   # POST /resource/password
   def create
-    self.resource = resource_class.send_reset_password_instructions(resource_params)
+    user = resource_class.find_by(cn: resource_params['cn'])
-    yield resource if block_given?
 
-    if successfully_sent?(resource)
+    if (!user || user.email != resource_params['email'])
-      respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
+      msg = "Username or email address not found."
+      redirect_to new_user_password_path, alert: msg
     else
-      respond_with(resource)
+      resource_class.send_reset_password_instructions(resource_params)
+      msg = "We have sent you an email with a link to reset your password."
+      redirect_to check_your_email_path, notice: msg
     end
   end
 

app/views/devise/passwords/new.html.erb

@@ -4,12 +4,23 @@
   <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
-    <%= f.label :email %><br />
+    <p>
-    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+      <%= f.label :cn, 'User' %><br />
+      <%= f.text_field :cn, autofocus: true, autocomplete: "username" %> @ kosmos.org
+    </p>
+  </div>
+
+  <div class="field">
+    <p>
+      <%= f.label :email, 'Email address' %><br />
+      <%= f.email_field :email, autocomplete: "email" %>
+    </p>
   </div>
 
   <div class="actions">
-    <%= f.submit "Send me reset password instructions" %>
+    <p>
+      <%= f.submit "Send me reset password instructions" %>
+    </p>
   </div>
 <% end %>