Redirect if password reset token is expired

Don't display the password editing form if the user's token is expired; redirect to the form that allows users to request a new password reset token.

Redirect if password reset token is expired
Don't display the password editing form if the user's token is expired; redirect to the form that allows users to request a new password reset token.
c68c2321 · Vinnie Okada · 0bfab084 · c68c2321
Commit c68c2321 authored May 13, 2015 by Vinnie Okada
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 0 deletions

app/controllers/passwords_controller.rb app/controllers/passwords_controller.rb +20 -0

No files found.
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -36,4 +36,24 @@ class PasswordsController < Devise::PasswordsController
      end
    end
  end
+
+  def edit
+    super
+    reset_password_token = Devise.token_generator.digest(
+      User,
+      :reset_password_token,
+      resource.reset_password_token
+    )
+
+    unless reset_password_token.nil?
+      user = User.where(
+        reset_password_token: reset_password_token
+      ).first_or_initialize
+
+      unless user.reset_password_period_valid?
+        flash[:alert] = 'Your password reset token has expired.'
+        redirect_to(new_user_password_url)
+      end
+    end
+  end
 end