Redirect with token in session (#24416).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 29 Jan 2017 08:58:40 +0000 (08:58 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 29 Jan 2017 08:58:40 +0000 (08:58 +0000)
git-svn-id: http://svn.redmine.org/redmine/trunk@16287 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/account_controller.rb

index ece857a22456bacc9a941b4be4cfcc9b85653c0e..54a29fbf4932c0a46c5fdc0a4d32c34e9ad3b24f 100644 (file)
@@ -60,12 +60,20 @@ class AccountController < ApplicationController
   # Lets user choose a new password
   def lost_password
     (redirect_to(home_url); return) unless Setting.lost_password?
-    if params[:token]
-      @token = Token.find_token("recovery", params[:token].to_s)
+    if prt = (params[:token] || session[:password_recovery_token])
+      @token = Token.find_token("recovery", prt.to_s)
       if @token.nil? || @token.expired?
         redirect_to home_url
         return
       end
+
+      # redirect to remove the token query parameter from the URL and add it to the session
+      if request.query_parameters[:token].present?
+        session[:password_recovery_token] = @token.value
+        redirect_to lost_password_url
+        return
+      end
+
       @user = @token.user
       unless @user && @user.active?
         redirect_to home_url
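Review bot: The `@token.nil? || @token.expired?` branch redirects to home_url without clearing `session[:password_recovery_token]`. Once a token stored by this change expires or is deleted, every later request to lost_password that carries no token parameter reads the stale value back through `prt` and is redirected home again, which appears to keep that browser session from reaching the request form until the session is reset. Adding `session.delete(:password_recovery_token)` before `redirect_to home_url` in that branch would fix this. The body of lost_password continues past the end of the hunk, so it is not visible whether the key is also removed after a successful password change; that should be confirmed so a recovery token does not linger in the session store.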