Re: password#edit for non authenticated users?


José Valim

Jun 5, 2012, 4:16:57 AM
to plataforma...@googlegroups.com
It is meant to be used only when users forget their password and they receive a token via e-mail.

On Tuesday, June 5, 2012 10:09:12 AM UTC+2, Bataille Gregory wrote:
Hi all,

I'm new to Devise and something strikes me.
Looks like the "normal" way to change a user's password with devise is through the registration#edit action.

However, there is a password#edit action, as well as a route /users/password/edit that I kinda like.
What I find strange is that this is behind a :require_no_authentication filter!
Therefore I have a hard time understanding what this action is supposed to be.

Additionally, I would expect it to ask for the password of the current user (for confirmation) but it does not. There is a hidden token though, is this enough in terms of security?


Started GET "/users/password/edit" for 127.0.0.1 at 2012-06-05 10:01:24 +0200
Processing by Devise::PasswordsController#edit as HTML
  User Load (0.3ms)  SELECT "users".* FROM "users" WHERE "users"."id" = 1 LIMIT 1
Redirected to http://localhost:3000/
Filter chain halted as :require_no_authentication rendered or redirected

Thanks 

Bataille Gregory

Jun 5, 2012, 1:52:42 PM
to plataforma...@googlegroups.com
Hi Jose,

No, what you are describing is password#new, right?

You get a form titled "Forgot your password?" that contains only an e-mail field.
That makes sense.

However, password#edit displays only when NOT authenticated and gives me 2 fields: new password and password confirmation, which I can't make sense of for a not authenticated user.

Thanks

Linus Pettersson

Jun 5, 2012, 4:44:25 PM
to plataforma...@googlegroups.com
No.

password#new
This is where you request a new password. A token is created and an email is sent to your mail.

password#edit
The link in the email goes to this action. Without a token you can't do anything with this form. Try it :)

Regards
Linus

Carlos Antonio da Silva

Jun 5, 2012, 7:25:37 PM
to plataforma...@googlegroups.com
Exactly like Linus explained.

password#edit is not meant to be used for signed in users to edit their password, but for non signed in users to enter a new password after they receive an email containing a link with the token to recover the password.

If you want to allow users to change their password while signed in, you'd have to use the registerable module with registrations#edit (if you want sign up enabled), or create your own controller to handle that.

-- 
At.
Carlos Antonio

Grégory Bataille

Jun 6, 2012, 3:06:30 AM
to plataforma...@googlegroups.com
Ok, now it all makes sense.
Sorry, I was reading the docs, trying to set up all the routes in my application, and ended up with this one that I could not make sense of.

Although, now that I think about it, couldn't we think about a before filter on the update action that would not let you display the page if you don't even come in with a token (not even checking token validity)? I got really confused when I first tried this route: logged in, could not, found why in the log, went back in without being logged in... You get my point.

Anyway, thanks for that.

Carlos Antonio da Silva

Jun 6, 2012, 8:01:21 AM
to plataforma...@googlegroups.com
Yes, this has been a point of confusion for some time already, and usually needs some explanation. But I don't think we should use the same controller for two distinct cases; we already have an edit action for those using the registration module, and those that do not will have to handle that by themselves.

Also, for a signed in user to change his password, it's also required to enter the "current password" (unless you change the default logic, of course), which means that that controller / view would need even more logic for that.

At the end, two different responsibilities in the same action don't seem the best way for Devise to go now, so we prefer to keep everything separated.

Regards.

-- 
At.
Carlos Antonio

Grégory Bataille

Jun 6, 2012, 5:15:10 PM
to plataforma...@googlegroups.com
Definitely, and that is for sure not my point. "Normal" password update is fine and good in the registration resource.

The only thing I was hinting at was trying to get rid of the confusion.
To me, it mostly comes from the fact that I can access this page by referencing its URL and I'm just left wondering what to do about it.

The thing I would propose would be to have a before filter on the edit action that redirects you elsewhere with a nice flash if you try to access the password#edit with a nil token, i.e. most likely not from a reset password email link.

What do you think?
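The flow Linus describes (password#new issues a token by e-mail, password#edit consumes it) and the guard Grégory proposes here (redirect with a flash when password#edit is reached with no token at all) can be shown together in plain Ruby. The block below is an added illustration for this thread, not Devise's own code: the User stand-in, the six-hour expiry window and the choice to store only a SHA-256 digest of the token (so a leaked database column cannot be replayed as a reset link) are assumptions made for the example, and password_edit_action stands in for the before filter on the edit action.

```ruby
require "securerandom"
require "digest"
require "time"

# Constructed in-memory stand-in for the User model (assumption, not Devise's model).
class User
  attr_reader :email
  attr_accessor :password, :reset_password_token_digest, :reset_password_sent_at

  RESET_WITHIN = 6 * 60 * 60 # assumption: a reset link is valid for six hours

  def initialize(email, password)
    @email = email
    @password = password
  end

  # password#new: create a random single-use token.  Only its digest is stored;
  # the raw token goes into the e-mail link and is never written to the database.
  def send_reset_password_instructions(now: Time.now)
    raw = SecureRandom.urlsafe_base64(24)
    self.reset_password_token_digest = Digest::SHA256.hexdigest(raw)
    self.reset_password_sent_at = now
    raw # caller embeds this in the mail link
  end

  def reset_period_valid?(now: Time.now)
    !reset_password_sent_at.nil? && (now - reset_password_sent_at) < RESET_WITHIN
  end

  # password#update: the token from the link is the only credential presented, so
  # it must match, be unexpired and be consumed on first successful use.
  def reset_password_by_token(raw_token, new_password, confirmation, now: Time.now)
    return :invalid_token unless matches_token?(raw_token)
    return :expired_token unless reset_period_valid?(now: now)
    return :confirmation_mismatch unless new_password == confirmation

    self.password = new_password
    self.reset_password_token_digest = nil # single use: a second click must fail
    self.reset_password_sent_at = nil
    :ok
  end

  def matches_token?(raw_token)
    return false if raw_token.nil? || reset_password_token_digest.nil?

    digest = Digest::SHA256.hexdigest(raw_token)
    return false unless digest.bytesize == reset_password_token_digest.bytesize

    # Constant-time comparison so response timing does not leak digest bytes.
    digest.bytes.zip(reset_password_token_digest.bytes)
          .reduce(0) { |acc, (a, b)| acc | (a ^ b) }
          .zero?
  end
end

# Guard for password#edit, as proposed in the thread: a request that carries no
# reset_password_token at all (i.e. not coming from a reset e-mail link) is
# redirected with a flash instead of being shown the new-password form.
# Returns a hash describing the action to take so it can be checked directly.
def password_edit_action(params)
  token = params[:reset_password_token]
  if token.nil? || token.strip.empty?
    { redirect: "/users/password/new",
      flash: "This password reset link is invalid or missing its token." }
  else
    { render: :edit, token: token }
  end
end

if __FILE__ == $PROGRAM_NAME
  user = User.new("someone@example.com", "old-password") # constructed sample user
  p password_edit_action({})                              # => redirect with flash
  raw = user.send_reset_password_instructions
  p password_edit_action(reset_password_token: raw)       # => render :edit
  p user.reset_password_by_token(raw, "new-pass", "new-pass") # => :ok
  p user.reset_password_by_token(raw, "again", "again")       # => :invalid_token
end
```

The guard only answers Grégory's usability point (a bare URL visit gets a redirect and a message); the actual security of the form still rests on the token being unguessable, time-limited and consumed on use, which is what reset_password_by_token enforces.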

Carlos Antonio da Silva

Jun 7, 2012, 8:34:19 AM
to plataforma...@googlegroups.com
Hm yeah, redirecting to somewhere with a flash message seems reasonable. Would you like to provide a pull request implementing such functionality? Would be awesome.

Thanks!

-- 
At.
Carlos Antonio

Grégory Bataille

Jun 7, 2012, 2:07:42 PM
to plataforma...@googlegroups.com
Ok, I'll try and have a look into it.

Cheers