X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/eeb9866d50e35b8f8b75e59aed582caba533778f..93a617fec9febfb74040cab5bda0891075703ab1:/app/controllers/user_controller.rb

diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index c7e44dab6..0c2514927 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -252,14 +252,12 @@ class UserController < ApplicationController
   def login
     session[:referer] = params[:referer] if params[:referer]
 
-    if params[:username] || params[:openid_url]
-      if params[:openid_url].present?
-        session[:remember_me] ||= params[:remember_me_openid]
-        redirect_to auth_url("openid", params[:openid_url])
-      else
-        session[:remember_me] ||= params[:remember_me]
-        password_authentication(params[:username], params[:password])
-      end
+    if params[:username].present? && params[:password].present?
+      session[:remember_me] ||= params[:remember_me]
+      password_authentication(params[:username], params[:password])
+    elsif params[:openid_url].present?
+      session[:remember_me] ||= params[:remember_me_openid]
+      redirect_to auth_url("openid", params[:openid_url])
     end
   end
 
@@ -320,16 +318,19 @@ class UserController < ApplicationController
     else
       user = User.find_by_display_name(params[:display_name])
 
-      redirect_to root_path if !user || user.active?
+      redirect_to root_path if user.nil? || user.active?
     end
   end
 
   def confirm_resend
-    if user = User.find_by_display_name(params[:display_name])
+    user = User.find_by_display_name(params[:display_name])
+    token = UserToken.find_by_token(session[:token])
+
+    if user.nil? || token.nil? || token.user != user
+      flash[:error] = t "user.confirm_resend.failure", :name => params[:display_name]
+    else
       Notifier.signup_confirm(user, user.tokens.create).deliver_now
       flash[:notice] = t "user.confirm_resend.success", :email => user.email
-    else
-      flash[:error] = t "user.confirm_resend.failure", :name => params[:display_name]
     end
 
     redirect_to :action => "login"
@@ -547,7 +548,7 @@ class UserController < ApplicationController
   # omniauth failure callback
   def auth_failure
     flash[:error] = t("user.auth_failure." + params[:message])
-    redirect_to params[:origin]
+    redirect_to params[:origin] || login_url
   end
 
   private
@@ -633,6 +634,8 @@ class UserController < ApplicationController
   ##
   #
   def unconfirmed_login(user)
+    session[:token] = user.tokens.create.token
+
     redirect_to :action => "confirm", :display_name => user.display_name
 
     session.delete(:remember_me)