No, it's all on the controllers; you don't need to touch the model.
Actually, I found a simpler version of the code I wrote before:
some_user.send_reset_password_instructions
What you need to do is create a new controller action where you find the user you want to reset the password for and then call
send_reset_password_instructions on it.
You don't need to use Devise's controllers at all, just create your own controller and call that. So, for example, you could create a form that asks for the username and then on the controller do something like:
@user = User.find_by_username(params[:username])@user.send_reset_password_instructions
redirect_to root_path, :notice => "Instructions to reset your password have been sent to your email."I want to ask though, what's wrong with the default behavior? Why is finding user by email a security flaw?