authorGo MAEDA <maeda@farend.jp>2018-10-28 05:59:11 +0000
committerGo MAEDA <maeda@farend.jp>2018-10-28 05:59:11 +0000
commit57a4fedd346a50d36760d689a4bcaa8e17f71d3c (patch)
tree895f907a0a12f01caeb21eba377ebfbbad974060 /app/controllers
parent9a53b68b73a7d39d45f74c17c1e3ddc6ff51bc87 (diff)
Handles the case when an expired token is in the user's session (#29781).
Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@17601 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/account_controller.rb8
1 files changed, 7 insertions, 1 deletions
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 7bb644761..f604540a7 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -62,9 +62,15 @@ class AccountController < ApplicationController
(redirect_to(home_url); return) unless Setting.lost_password?
if prt = (params[:token] || session[:password_recovery_token])
@token = Token.find_token("recovery", prt.to_s)
- if @token.nil? || @token.expired?
+ if @token.nil?
redirect_to home_url
return
+ elsif @token.expired?
+ # remove expired token from session and let user try again
+ session[:password_recovery_token] = nil
+ flash[:error] = l(:error_token_expired)
+ redirect_to lost_password_url
+ return
end
# redirect to remove the token query parameter from the URL and add it to the session