From e360394be7a4aac1f30a7c65819c78543b172870 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 29 Jan 2017 10:42:50 +0000
Subject: [PATCH] Merged r16287 to r16289 (#24416).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@16298 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/account_controller.rb | 12 ++++++++++--
 test/functional/account_controller_test.rb | 13 ++++++++++++-
 test/integration/account_test.rb | 3 +++
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 7101d17be..1a2e5b6b2 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -58,12 +58,20 @@ class AccountController < ApplicationController
 # Lets user choose a new password
 def lost_password
 (redirect_to(home_url); return) unless Setting.lost_password?
- if params[:token]
- @token = Token.find_token("recovery", params[:token].to_s)
+ if prt = (params[:token] || session[:password_recovery_token])
+ @token = Token.find_token("recovery", prt.to_s)
 if @token.nil? || @token.expired?
 redirect_to home_url
 return
 end
+
+ # redirect to remove the token query parameter from the URL and add it to the session
+ if request.query_parameters[:token].present?
+ session[:password_recovery_token] = @token.value
+ redirect_to lost_password_url
+ return
+ end
+
 @user = @token.user
 unless @user && @user.active?
 redirect_to home_url
diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index ad187b293..2a44e1218 100644
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
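Review bot: The invalid/expired branch (`if @token.nil? || @token.expired?` followed by `redirect_to home_url`) leaves `session[:password_recovery_token]` in place, and because the condition now reads `params[:token] || session[:password_recovery_token]`, a user whose stored token has expired is sent home on every later GET of lost_password — even with no token in the URL — instead of reaching the form to request a new one. Clear the stale value before redirecting, `session[:password_recovery_token] = nil` as the first line of that branch. The session copy should also be dropped once the password has been updated, but that part of `lost_password` lies outside the hunk, so I cannot see whether the commit does it. Minor style: the assignment inside the condition, `if prt = (...)`, reads more clearly as `prt = params[:token] || session[:password_recovery_token]` on its own line followed by `if prt`.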
@@ -381,11 +381,22 @@ class AccountControllerTest < ActionController::TestCase
 end
 end
 
- def test_get_lost_password_with_token_should_display_the_password_recovery_form
+ def test_get_lost_password_with_token_should_redirect_with_token_in_session
 user = User.find(2)
 token = Token.create!(:action => 'recovery', :user => user)
 
 get :lost_password, :token => token.value
+ assert_redirected_to '/account/lost_password'
+
+ assert_equal token.value, request.session[:password_recovery_token]
+ end
+
+ def test_get_lost_password_with_token_in_session_should_display_the_password_recovery_form
+ user = User.find(2)
+ token = Token.create!(:action => 'recovery', :user => user)
+ request.session[:password_recovery_token] = token.value
+
+ get :lost_password
 
 assert_response :success
 assert_template 'password_recovery'
diff --git a/test/integration/account_test.rb b/test/integration/account_test.rb
index 5adbe8631..18426dff5 100644
--- a/test/integration/account_test.rb
+++ b/test/integration/account_test.rb
@@ -118,6 +118,9 @@ class AccountTest < Redmine::IntegrationTest
 assert !token.expired?
 
 get "/account/lost_password", :token => token.value
+ assert_redirected_to '/account/lost_password'
+
+ follow_redirect!
 assert_response :success
 assert_template "account/password_recovery"
 assert_select 'input[type=hidden][name=token][value=?]', token.value
-- 
2.39.5
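Review bot: Neither new test covers a GET of lost_password with no `:token` parameter while `request.session[:password_recovery_token]` holds an expired or unknown value, which is the path the session fallback introduces; the controller's behaviour there (redirect to home, and what happens to the stale session value) is therefore unpinned. A third case mirroring `test_get_lost_password_with_token_in_session_should_display_the_password_recovery_form`, but seeding the session with the value of an expired token and asserting the redirect, would close that gap. A case where both the parameter and the session value are present would also document which one wins.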