authorJean-Philippe Lang <jp_lang@yahoo.fr>2017-01-29 10:42:58 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2017-01-29 10:42:58 +0000
commita170c3d93c955242908815bd7e5b013334befde4 (patch)
tree069bb00862718b4950a1519379f5dc9cb12ff0ad
parent83921f27d4aff8b24c3a3e4685b92196d3439424 (diff)
downloadredmine-a170c3d93c955242908815bd7e5b013334befde4.tar.gz
redmine-a170c3d93c955242908815bd7e5b013334befde4.zip
Merged r16287 to r16289 (#24416).
git-svn-id: http://svn.redmine.org/redmine/branches/3.2-stable@16299 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/account_controller.rb12
-rw-r--r--test/functional/account_controller_test.rb13
-rw-r--r--test/integration/account_test.rb3
3 files changed, 25 insertions, 3 deletions
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 504ca6013..10516bc8c 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -58,12 +58,20 @@ class AccountController < ApplicationController
# Lets user choose a new password
def lost_password
(redirect_to(home_url); return) unless Setting.lost_password?
- if params[:token]
- @token = Token.find_token("recovery", params[:token].to_s)
+ if prt = (params[:token] || session[:password_recovery_token])
+ @token = Token.find_token("recovery", prt.to_s)
if @token.nil? || @token.expired?
redirect_to home_url
return
end
+
+ # redirect to remove the token query parameter from the URL and add it to the session
+ if request.query_parameters[:token].present?
+ session[:password_recovery_token] = @token.value
+ redirect_to lost_password_url
+ return
+ end
+
@user = @token.user
unless @user && @user.active?
redirect_to home_url
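Review bot: The nil/expired branch near the top of the hunk redirects home but leaves `session[:password_recovery_token]` in place, so once the session value goes stale (token expired, or already consumed) every later GET to /account/lost_password in that browser session takes the same redirect instead of rendering the "forgot password" request form. Clear the key on that path, e.g. `session.delete(:password_recovery_token)` immediately before that `redirect_to home_url`, so a bad token is forgotten rather than sticky. The same should happen wherever the token is consumed after a successful password change; that code is below the hunk, so I cannot see whether it clears the key, and the earlier `@token.destroy` (if still present) would only make the stale value hit this redirect-home branch. The `lost_password` method continues past the end of the hunk.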
diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index 020dce97b..2adceb340 100644
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -355,11 +355,22 @@ class AccountControllerTest < ActionController::TestCase
end
end
- def test_get_lost_password_with_token_should_display_the_password_recovery_form
+ def test_get_lost_password_with_token_should_redirect_with_token_in_session
user = User.find(2)
token = Token.create!(:action => 'recovery', :user => user)
get :lost_password, :token => token.value
+ assert_redirected_to '/account/lost_password'
+
+ assert_equal token.value, request.session[:password_recovery_token]
+ end
+
+ def test_get_lost_password_with_token_in_session_should_display_the_password_recovery_form
+ user = User.find(2)
+ token = Token.create!(:action => 'recovery', :user => user)
+ request.session[:password_recovery_token] = token.value
+
+ get :lost_password
assert_response :success
assert_template 'password_recovery'
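Review bot: Neither new test covers the unhappy path for a session-sourced token: a `session[:password_recovery_token]` that no longer matches a live recovery token (unknown or expired) should send the user to the home page, and the test should also check what is left in the session afterwards so a stale value cannot keep redirecting. I would add a `test_get_lost_password_with_expired_token_in_session_should_redirect` that stores an expired token's value in `request.session[:password_recovery_token]`, does `get :lost_password`, and asserts the redirect to the home path plus the session key's state. The enclosing test class continues outside the hunk.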
diff --git a/test/integration/account_test.rb b/test/integration/account_test.rb
index 0f12a1c83..b308cf47d 100644
--- a/test/integration/account_test.rb
+++ b/test/integration/account_test.rb
@@ -118,6 +118,9 @@ class AccountTest < Redmine::IntegrationTest
assert !token.expired?
get "/account/lost_password", :token => token.value
+ assert_redirected_to '/account/lost_password'
+
+ follow_redirect!
assert_response :success
assert_template "account/password_recovery"
assert_select 'input[type=hidden][name=token][value=?]', token.value