codeninjasllc/discourse
1
0
Fork 0
mirror of https://github.com/codeninjasllc/discourse.git synced 2024-11-23 23:58:31 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

SECURITY: log off all existing sessions when resetting password

Browse source
This commit is contained in:
Sam 2015-04-15 08:57:43 +10:00
parent 6a0cce8571
commit 2a3f71a9a1
2 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
app/controllers/users_controller.rb
View file

@ -321,6 +321,7 @@ class UsersController < ApplicationController
else
@user.password = params[:password]
@user.password_required!
@user.auth_token = nil
if @user.save
Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
logon_after_password_reset

8
spec/controllers/users_controller_spec.rb
View file

@ -266,13 +266,19 @@ describe UsersController do
context 'valid token' do
it 'returns success' do
user = Fabricate(:user)
user = Fabricate(:user, auth_token: SecureRandom.hex(16))
token = user.email_tokens.create(email: user.email).token
old_token = user.auth_token
get :password_reset, token: token
put :password_reset, token: token, password: 'newpassword'
expect(response).to be_success
expect(assigns[:error]).to be_blank
user.reload
expect(user.auth_token).to_not eq old_token
expect(user.auth_token.length).to eq 32
end
end