reset password token--checking db before displaying form

Eric Harris-Braun, 1/3/11 12:31 PM
Hi,

I'm wondering if there was any logic behind the fact that PasswordsController#edit doesn't check the db for a valid reset token before showing the form? This means that if the user tries to re-use a token by mistake, they will be able to enter a new password but it won't work.

As a test I changed my own version of the code to:

  # GET /resource/password/edit?reset_password_token=abcdef
  def edit
    # Look the token up now, instead of only in #update, so an unknown or
    # already-used token is rejected before the form is ever rendered.
    self.resource = resource_class.find_or_initialize_with_error_by(:reset_password_token, params[:reset_password_token])
    if resource.errors.empty?
      render_with_scope :edit
    else
      # Same outcome the user would otherwise only see after submitting the form.
      set_flash_message :notice, :invalid_reset_token
      redirect_to new_session_path(resource_name)
    end
  end

Which shows an error and redirects to the login page. This seems to make more sense to me. Am I missing something?

-e
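The flow the post argues for, as an added stand-alone example (not Devise's code and not the poster's): the same token lookup runs for the GET that shows the form and the PUT that changes the password, and a token that is unknown, expired or already consumed fails both. The in-memory `User` struct, the `PasswordReset` module, the two-hour TTL and the SHA-256 password placeholder are all assumptions made for the example; the one hardening it adds beyond the post is storing only a digest of the token, so a read of the users table does not yield usable reset links.

```ruby
require "securerandom"
require "digest"

# Constructed in-memory record standing in for the users table; the last two
# fields mirror Devise's reset_password_token / reset_password_sent_at columns.
User = Struct.new(:email, :password_digest, :reset_password_token, :reset_password_sent_at)

# Hypothetical helper module for the example, not Devise's implementation.
module PasswordReset
  TOKEN_TTL = 2 * 60 * 60 # seconds; the counterpart of Devise's reset_password_within

  # Issue a fresh token. Only its digest is stored; the raw value goes to the
  # e-mail, so a leaked database row cannot be replayed as a reset link.
  def self.issue(user, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    user.reset_password_token = Digest::SHA256.hexdigest(raw)
    user.reset_password_sent_at = now
    raw
  end

  # Resolve a raw token to a user, or nil when the token is missing, unknown,
  # expired or already burned. Both controller actions go through this.
  def self.find_by_token(users, raw, now: Time.now)
    return nil if raw.nil? || raw.empty?
    digest = Digest::SHA256.hexdigest(raw)
    # Equality on the digest; in a real app this is an indexed WHERE clause.
    user = users.find { |u| u.reset_password_token == digest }
    return nil if user.nil? || user.reset_password_sent_at.nil?
    return nil if now - user.reset_password_sent_at > TOKEN_TTL
    user
  end

  # GET /users/password/edit?reset_password_token=... :
  # validate before rendering, so a dead token never shows a form.
  def self.edit(users, raw, now: Time.now)
    find_by_token(users, raw, now: now) ? :render_form : :invalid_token
  end

  # PUT /users/password : repeat the same check, then set the password and
  # clear the token so it is single-use.
  def self.update(users, raw, new_password, now: Time.now)
    user = find_by_token(users, raw, now: now)
    return :invalid_token unless user
    return :password_too_short if new_password.length < 8
    # Placeholder hash for the example; use bcrypt (as Devise does) in real code.
    user.password_digest = Digest::SHA256.hexdigest(new_password)
    user.reset_password_token = nil
    user.reset_password_sent_at = nil
    :password_updated
  end
end

if __FILE__ == $0
  users = [User.new("eric@example.com", nil, nil, nil)] # constructed sample user
  raw = PasswordReset.issue(users[0])
  puts "first visit:  #{PasswordReset.edit(users, raw)}"
  puts "update:       #{PasswordReset.update(users, raw, "correct horse battery")}"
  puts "second visit: #{PasswordReset.edit(users, raw)}"
end
```

Running it shows the second visit with the same token getting `:invalid_token` at the GET, which is exactly the redirect-to-login behaviour the post's patched `edit` produces, instead of a form whose submission can only fail.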