From 9e1723c537fee06503a65613398a0953b1dc0042 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 29 Jan 2017 08:58:40 +0000
Subject: [PATCH] Redirect with token in session (#24416).

git-svn-id: http://svn.redmine.org/redmine/trunk@16287 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/account_controller.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index ece857a22..54a29fbf4 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -60,12 +60,20 @@ class AccountController < ApplicationController
   # Lets user choose a new password
   def lost_password
     (redirect_to(home_url); return) unless Setting.lost_password?
-    if params[:token]
-      @token = Token.find_token("recovery", params[:token].to_s)
+    if prt = (params[:token] || session[:password_recovery_token])
+      @token = Token.find_token("recovery", prt.to_s)
       if @token.nil? || @token.expired?
         redirect_to home_url
         return
       end
+
+      # redirect to remove the token query parameter from the URL and add it to the session
+      if request.query_parameters[:token].present?
+        session[:password_recovery_token] = @token.value
+        redirect_to lost_password_url
+        return
+      end
+
       @user = @token.user
       unless @user && @user.active?
         redirect_to home_url
-- 
2.39.5
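Review bot: A token that is no longer valid is never removed from the session: once `session[:password_recovery_token]` is set, the `@token.nil? || @token.expired?` branch redirects to `home_url` but leaves the stale value in place, so every later visit to `lost_password` without a query token takes the same path and the user can no longer reach the request form until the session itself expires. Clearing it on that branch, `session.delete(:password_recovery_token)` before `redirect_to home_url`, fixes that; the same applies to the `@user && @user.active?` failure and to the successful reset further down, which should also drop the key so a used token does not linger in the session (both are outside the hunk, so I cannot confirm they do). Moving the token from the query string into the session is the right direction, since it keeps the value out of Referer headers and server logs, but if the session store is cookie-based the token now travels in the session cookie, which is another reason to delete it as soon as it has served its purpose. On style, the assignment inside `if prt = (...)` is flagged by RuboCop's Lint/AssignmentInCondition; `prt = params[:token] || session[:password_recovery_token]` on its own line followed by `if prt` reads more clearly. lost_password's body continues past the end of the hunk.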