Require both user and email for anonymous password resets

2020-11-11 19:39:19 +01:00 · 2020-11-11 19:39:19 +01:00 · a604018249
commit a604018249
parent 2b153bef8d
2 changed files with 21 additions and 8 deletions
--- a/app/controllers/devise/passwords_controller.rb
+++ b/app/controllers/devise/passwords_controller.rb
@ -12,13 +12,15 @@ class Devise::PasswordsController < DeviseController

  # POST /resource/password
  def create
-    self.resource = resource_class.send_reset_password_instructions(resource_params)
-    yield resource if block_given?
+    user = resource_class.find_by(cn: resource_params['cn'])

-    if successfully_sent?(resource)
-      respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
+    if (!user || user.email != resource_params['email'])
+      msg = "Username or email address not found."
+      redirect_to new_user_password_path, alert: msg
    else
-      respond_with(resource)
+      resource_class.send_reset_password_instructions(resource_params)
+      msg = "We have sent you an email with a link to reset your password."
+      redirect_to check_your_email_path, notice: msg
    end
  end

--- a/app/views/devise/passwords/new.html.erb
+++ b/app/views/devise/passwords/new.html.erb
@ -4,12 +4,23 @@
  <%= render "devise/shared/error_messages", resource: resource %>

  <div class="field">
-    <%= f.label :email %><br />
-    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+    <p>
+      <%= f.label :cn, 'User' %><br />
+      <%= f.text_field :cn, autofocus: true, autocomplete: "username" %> @ kosmos.org
+    </p>
+  </div>
+
+  <div class="field">
+    <p>
+      <%= f.label :email, 'Email address' %><br />
+      <%= f.email_field :email, autocomplete: "email" %>
+    </p>
  </div>

  <div class="actions">
+    <p>
      <%= f.submit "Send me reset password instructions" %>
+    </p>
  </div>
 <% end %>