reset password token -- checking db before displaying form
Eric Harris-Braun, 1/3/11 12:31 PM
I'm wondering if there was any logic behind the fact that PasswordsController#edit doesn't check the db for a valid reset token before showing the form? This means that if the user tries to re-use a token by mistake, they will be able to enter a new password but it won't work.
As a test I changed my own version of the code to:
# GET /resource/password/edit?reset_password_token=abcdef
self.resource = resource_class.find_or_initialize_with_error_by(:reset_password_token, params[:reset_password_token])
set_flash_message :notice, :invalid_reset_token
Which shows an error and redirects to the login page. This seems to make more sense to me. Am I missing something?