From c68c23210bdf9f0d7212fa55e7bef71ac0f87bcf Mon Sep 17 00:00:00 2001
From: Vinnie Okada
Date: Wed, 13 May 2015 20:29:15 -0600
Subject: Redirect if password reset token is expired

Don't display the password editing form if the user's token is expired; redirect to the form that allows users to request a new password reset token.
---
 app/controllers/passwords_controller.rb | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'app/controllers/passwords_controller.rb')

diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index 88459d4080a..fbb9d371a79 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -36,4 +36,24 @@ class PasswordsController < Devise::PasswordsController
       end
     end
   end
+
+  def edit
+    super
+    reset_password_token = Devise.token_generator.digest(
+      User,
+      :reset_password_token,
+      resource.reset_password_token
+    )
+
+    unless reset_password_token.nil?
+      user = User.where(
+        reset_password_token: reset_password_token
+      ).first_or_initialize
+
+      unless user.reset_password_period_valid?
+        flash[:alert] = 'Your password reset token has expired.'
+        redirect_to(new_user_password_url)
+      end
+    end
+  end
 end
-- 
cgit v1.2.1
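Review bot: The `User.where(...).first_or_initialize` inside the `unless reset_password_token.nil?` branch builds a brand-new User when the digest matches nobody, and that unsaved record has no `reset_password_sent_at`, so a mistyped or already-consumed token is reported to the user as "expired" even though it never matched; the digest-plus-`where` pair also re-implements Devise's own `User.with_reset_password_token`, which returns nil for an unknown token and makes that case explicit. Keeping the blank-token guard preserves the original behaviour of rendering the form when no token was supplied, and the alert can be passed straight to `redirect_to` instead of assigning `flash[:alert]` first. The rest of `PasswordsController` sits outside the hunk, so whether another action already wraps this lookup cannot be seen here.
```ruby
  def edit
    super
    token = resource.reset_password_token
    return if token.blank?

    user = User.with_reset_password_token(token)
    return if user && user.reset_password_period_valid?

    redirect_to new_user_password_url, alert: 'Your password reset token is invalid or has expired.'
  end
```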