Acts As Authenticated and Reset Password

Using Acts as Authenticated, imagine this use case:


  • User forgets password... has a reset code sent to their e-mail.
  • User receives e-mail, clicks link to reset password.
  • User arrives on reset password page and thinks, "hmmm... I think I'll go visit the homepage instead".
  • User types http://www.yoursite.com/ in their browser (or clicks a link in the header, or whatever).

What happens is that when the user clicks the link in the e-mail, it takes them to /account/reset_password, which looks up their account by the reset code in the link (the code that was sent in the e-mail) and logs them in. So, when they decide, "hmmm... I think I'll go visit the homepage instead," the user is now logged in but has not reset their password.

To me, that seems to present a problem: a reset code that was only meant to prove control of the mailbox now grants a full session without the password ever changing. So, I added a before_filter to my ApplicationController that verifies that every logged-in user has a nil password reset code; otherwise they are redirected to /account/change_password. (The password reset code isn't cleared until after the user has successfully changed their password.)

In the ApplicationController I added:

    # Runs before every action; sends users with a pending reset to change_password.
    # NB: AccountController must skip this filter for change_password itself
    # (skip_before_filter :ensure_password_reset, :only => :change_password),
    # otherwise the redirect points back at a filtered action and loops.
    before_filter :ensure_password_reset

and

    module AuthenticatedSystem
      def ensure_password_reset
        redirect_to :controller => :account, :action => :change_password unless reset_password_has_been_changed
      end

      # True when nobody is logged in, or when the logged-in user has no
      # outstanding reset code (i.e. they have finished changing their password).
      def reset_password_has_been_changed
        if logged_in?
          if current_user.password_reset_code.nil?
            return true
          else
            return false
          end
        else
          true
        end
      end
    end

I'm certain that there is a more idiomatic Ruby way to write reset_password_has_been_changed, but I couldn't think of it.
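The following is an added example, not code from the post or from the acts_as_authenticated plugin: a plain-Ruby stand-in for the controller so the filter logic can be exercised without Rails. The `User` struct, `FakeController`, `filter_outcome` and the way `current_user` is injected are assumptions made for the example. It also shows the one edge case a deployer hits immediately, the change_password action itself must be exempt from the filter or the redirect loops, and a compact one-line form of `reset_password_has_been_changed`.

```ruby
# Added example: models the post's before_filter outside Rails.
# Names below (User, FakeController, filter_outcome) are assumptions.

# Constructed stand-in for the acts_as_authenticated user model.
User = Struct.new(:login, :password_reset_code)

class FakeController
  attr_reader :redirected_to, :action_name

  # A real controller reads current_user from the session; here it is
  # passed in directly so each request can be simulated in isolation.
  def initialize(current_user, action_name)
    @current_user = current_user
    @action_name = action_name
    @redirected_to = nil
  end

  def logged_in?
    !@current_user.nil?
  end

  def current_user
    @current_user
  end

  # Equivalent of the post's filter. A logged-in user with a pending reset
  # code is sent to change_password. That action is exempt, otherwise the
  # filter would redirect to itself on every request. In Rails 2 the
  # exemption is expressed in AccountController with
  #   skip_before_filter :ensure_password_reset, :only => :change_password
  def ensure_password_reset
    return true if action_name == 'change_password'
    return true if reset_password_has_been_changed
    redirect_to(:controller => :account, :action => :change_password)
    false
  end

  # Compact form of the post's method: nobody logged in, or no reset pending.
  def reset_password_has_been_changed
    !logged_in? || current_user.password_reset_code.nil?
  end

  def redirect_to(target)
    @redirected_to = target
  end
end

# Runs the filter for one request and returns the redirect target,
# or nil when the request is allowed through.
def filter_outcome(user, action)
  controller = FakeController.new(user, action)
  controller.ensure_password_reset
  controller.redirected_to
end

if __FILE__ == $0
  pending = User.new('alice', 'abc123') # constructed: reset code still set
  done    = User.new('bob', nil)        # constructed: password already changed
  puts "anonymous /index      -> #{filter_outcome(nil, 'index').inspect}"
  puts "bob /index            -> #{filter_outcome(done, 'index').inspect}"
  puts "alice /index          -> #{filter_outcome(pending, 'index').inspect}"
  puts "alice /change_password-> #{filter_outcome(pending, 'change_password').inspect}"
end
```

The three outcomes worth checking are: an anonymous visitor and a user with a nil reset code pass through, a user with a reset code still set is redirected everywhere except change_password, and change_password itself is never redirected.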
