Modifying recoverable - rails 2


Nehal Soni

Dec 15, 2010, 4:18:38 AM12/15/10
to Devise
Hi,

I'm using rails 2.3.8.

I have included the recoverable module and modified my authentication
keys to include subdomain and username instead of the email.

When trying to recover the password, the email is requested. This
opens up a security flaw, for e.g. a user can enter another email.

How do I go about modifying this such that the user provides nothing? So
just clicks the button and reset instructions are sent. Or a username
is requested instead. Do I have to include email in the authentication
keys?

Andrés Mejía

Dec 15, 2010, 4:24:51 AM12/15/10
to plataforma...@googlegroups.com
Take a look at the code, especially at Devise::PasswordsController.

User.send_reset_password_instructions(:email => current_user.email) should do the trick.

Nehal Soni

Dec 15, 2010, 5:16:31 AM12/15/10
to Devise
Thanks, apologies if this is a dumb question....

Do I just override the class method in my user model?

On Dec 15, 9:24 am, Andrés Mejía <and...@gmail.com> wrote:
> Take a look at the code, specially at
> Devise::PasswordsController<https://github.com/plataformatec/devise/blob/master/app/controllers/d...>
> .

Andrés Mejía

Dec 15, 2010, 5:35:10 AM12/15/10
to plataforma...@googlegroups.com
No, it's all on the controllers; you don't need to touch the model.

Actually, I found a simpler version of the code I wrote before:

some_user.send_reset_password_instructions

What you need to do is create a new controller action where you find the user you want to reset the password for and then call send_reset_password_instructions on it.

You don't need to use Devise's controllers at all, just create your own controller and call that. So, for example, you could create a form that asks for the username and then on the controller do something like:

@user = User.find_by_username(params[:username])
# Guard the call so an unknown username does not raise NoMethodError on nil
@user.send_reset_password_instructions if @user
redirect_to root_path, :notice => "Instructions to reset your password have been sent to your email."

I want to ask though, what's wrong with the default behavior? Why is finding user by email a security flaw?
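Added example, not code from the thread or from Devise: plain Ruby with no Rails, so it runs on its own. It models the custom reset action described above with the lookup scoped by subdomain and username, the requester never supplying an email, and the mail going to the address stored on the account; the User struct, the sample accounts, the outbox and the stand-in for send_reset_password_instructions are all assumptions.

```ruby
require 'securerandom'

# Assumed minimal user record; in the real app this is the Devise model.
User = Struct.new(:subdomain, :username, :email, :reset_token, keyword_init: true)

# Constructed sample data: two accounts in different subdomains that share
# one email address, the situation that makes lookup-by-email ambiguous.
USERS = [
  User.new(subdomain: 'acme',   username: 'alice', email: 'owner@example.com'),
  User.new(subdomain: 'globex', username: 'alice', email: 'owner@example.com'),
]

# Stand-in for Devise's send_reset_password_instructions: mints a random
# token and records which address the mail would go to. Returns the recipient.
def send_reset_password_instructions(user, outbox)
  user.reset_token = SecureRandom.hex(20)
  outbox << { to: user.email, token: user.reset_token }
  user.email
end

# The custom action: subdomain comes from the request host, username from the
# form. The requester supplies no email, so the mail always goes to the
# address already stored on the matched account.
def request_password_reset(subdomain, username, users: USERS, outbox: [])
  user = users.find { |u| u.subdomain == subdomain && u.username == username }
  send_reset_password_instructions(user, outbox) if user
  # Same notice whether or not the username exists, so the form does not
  # confirm which usernames are valid.
  { notice: 'If that account exists, reset instructions have been sent to its email address.',
    mailed_to: outbox.map { |m| m[:to] } }
end
```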

Nehal Soni

Dec 15, 2010, 5:50:04 AM12/15/10
to Devise
In my app it is possible to have more than one user with the same email.
I am using subdomains, where the owner can set up users of the site.
My concern is anyone can supply another owner's username, and put their
own email and reset the password.