Merged r16287 to r16289 (#24416).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 29 Jan 2017 10:42:50 +0000 (10:42 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 29 Jan 2017 10:42:50 +0000 (10:42 +0000)
git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@16298 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/account_controller.rb
test/functional/account_controller_test.rb
test/integration/account_test.rb

index 7101d17bed63e65368ce12ab9a86731f5257a584..1a2e5b6b21d7c0e2e38c16b6cd46c1747522b11e 100644 (file)
@@ -58,12 +58,20 @@ class AccountController < ApplicationController
   # Lets user choose a new password
   def lost_password
     (redirect_to(home_url); return) unless Setting.lost_password?
-    if params[:token]
-      @token = Token.find_token("recovery", params[:token].to_s)
+    if prt = (params[:token] || session[:password_recovery_token])
+      @token = Token.find_token("recovery", prt.to_s)
       if @token.nil? || @token.expired?
         redirect_to home_url
         return
       end
+
+      # redirect to remove the token query parameter from the URL and add it to the session
+      if request.query_parameters[:token].present?
+        session[:password_recovery_token] = @token.value
+        redirect_to lost_password_url
+        return
+      end
+
       @user = @token.user
       unless @user && @user.active?
         redirect_to home_url
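Review bot: The `if @token.nil? || @token.expired?` branch leaves a stale `session[:password_recovery_token]` in place, so as far as the hunk shows a session holding an expired token keeps being sent to home_url on every later visit to lost_password without a `token` parameter, instead of reaching the normal request form; adding `session.delete(:password_recovery_token)` before that `redirect_to home_url` clears it. The assignment inside the condition, `if prt = (params[:token] || session[:password_recovery_token])`, reads like a mistyped comparison and is what RuboCop's Lint/AssignmentInCondition flags; `prt = params[:token] || session[:password_recovery_token]` on its own line followed by `if prt` says the same thing plainly. The comment above the redirect states what is done but not why; `# keep the recovery token out of the URL (Referer headers, browser history, proxy and server logs) by moving it into the session` would record the motivation for a later reader. lost_password continues past the end of the hunk, so whether the session key is removed after a successful reset cannot be seen here.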
index ad187b293e93de9a4ab4b10d696e289055612503..2a44e1218519aed2df4f42c78bd5378f38693837 100644 (file)
@@ -381,11 +381,22 @@ class AccountControllerTest < ActionController::TestCase
     end
   end
 
-  def test_get_lost_password_with_token_should_display_the_password_recovery_form
+  def test_get_lost_password_with_token_should_redirect_with_token_in_session
     user = User.find(2)
     token = Token.create!(:action => 'recovery', :user => user)
 
     get :lost_password, :token => token.value
+    assert_redirected_to '/account/lost_password'
+
+    assert_equal token.value, request.session[:password_recovery_token]
+  end
+
+  def test_get_lost_password_with_token_in_session_should_display_the_password_recovery_form
+    user = User.find(2)
+    token = Token.create!(:action => 'recovery', :user => user)
+    request.session[:password_recovery_token] = token.value
+
+    get :lost_password
     assert_response :success
     assert_template 'password_recovery'
 
index 5adbe86314868169587b8f916a2253b0ac99b424..18426dff589a3c52fbba2751c95b4a05ed61a3dc 100644 (file)
@@ -118,6 +118,9 @@ class AccountTest < Redmine::IntegrationTest
     assert !token.expired?
 
     get "/account/lost_password", :token => token.value
+    assert_redirected_to '/account/lost_password'
+
+    follow_redirect!
     assert_response :success
     assert_template "account/password_recovery"
     assert_select 'input[type=hidden][name=token][value=?]', token.value