FIX: Clear the session after a reset token was used

Robin Ward 2016-09-30 12:20:02 -04:00
parent 4d8d5613e4
commit f62d01ff1b
2 changed files with 2 additions and 0 deletions


@ -409,6 +409,7 @@ class UsersController < ApplicationController
@user.auth_token = nil
if @user.save
Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
session["password-#{params[:token]}"] = nil
logon_after_password_reset
end
end
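Review bot: The added `session["password-#{params[:token]}"] = nil` assigns nil instead of removing the entry, so a key that embeds the reset token stays in the session hash; `session.delete("password-#{params[:token]}")` drops it entirely and would still satisfy a `be_blank` expectation. Unlike the `Invite.invalidate_for_email` line above it, the new line has no why-comment; something like `# a used reset token must not authorise another password change from this session` would record the intent. This only clears the session of the browser that submitted the reset, so any other session holding the same key presumably depends on the token being invalidated server-side, which should be confirmed because that code is not in this hunk. The enclosing action begins before the hunk, so how the session entry is first set is not visible here.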


@ -251,6 +251,7 @@ describe UsersController do
user.reload
expect(user.auth_token).to_not eq old_token
expect(user.auth_token.length).to eq 32
expect(session["password-#{token}"]).to be_blank
end
it "doesn't invalidate the token when loading the page" do