jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
92aeb8728f34ead6d20fcbb8893c828d91fe7818
danbooru/app/controllers/passwords_controller.rb
evazion 5625458f69 users: refactor password reset flow. 
The old password reset flow:

* User requests a password reset.
* Danbooru generates a password reset nonce.
* Danbooru emails user a password reset confirmation link.
* User follows link to password reset confirmation page.
* The link contains a nonce authenticating the user.
* User confirms password reset.
* Danbooru resets user's password to a random string.
* Danbooru emails user their new password in plaintext.

The new password reset flow:

* User requests a password reset.
* Danbooru emails user a password reset link.
* User follows link to password edit page.
* The link contains a signed_user_id param authenticating the user.
* User changes their own password.
2020-03-08 23:18:15 -05:00

32 lines
743 B
Ruby
Raw Blame History

class PasswordsController < ApplicationController
before_action :member_only
respond_to :html, :xml, :json
def edit
@user = User.find(params[:user_id])
check_privilege(@user)
respond_with(@user)
end
def update
@user = User.find(params[:user_id])
check_privilege(@user)
@user.update(user_params)
flash[:notice] = @user.errors.none? ? "Password updated" : @user.errors.full_messages.join("; ")
respond_with(@user, location: @user)
end
private
def check_privilege(user)
raise User::PrivilegeError unless user.id == CurrentUser.id || CurrentUser.is_admin?
end
def user_params
params.require(:user).permit(%i[signed_user_id old_password password password_confirmation])
end
end
Reference in New Issue View Git Blame Copy Permalink