Prevent CSRF bypass with password reset form
authorTom Hughes <tom@compton.nu>
Tue, 9 Feb 2021 22:59:54 +0000 (22:59 +0000)
committerTom Hughes <tom@compton.nu>
Tue, 9 Feb 2021 23:00:21 +0000 (23:00 +0000)
app/controllers/users_controller.rb
test/controllers/users_controller_test.rb

index 8e3f0a355516be99f539039855a8bd270e40b483..c2cbca4ae8defe29675e24ab933c37c732e49aa2 100644 (file)
@@ -151,7 +151,7 @@ class UsersController < ApplicationController
   def lost_password
     @title = t "users.lost_password.title"
 
-    if params[:email]
+    if request.post?
       user = User.visible.find_by(:email => params[:email])
 
       if user.nil?
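Review bot: Swapping the `params[:email]` guard for `request.post?` drops the presence check, so a POST with no email field now runs `User.visible.find_by(:email => nil)` (`WHERE email IS NULL`); if the email column is nullable that could match a real account instead of falling into the `user.nil?` branch. Keeping both conditions, `if request.post? && params[:email].present?`, preserves the CSRF fix and the old guard (and also rejects a blank field). The fix relies on Rails verifying the authenticity token only for non-GET requests, so the POST path is protected only if `protect_from_forgery` is active on ApplicationController, which is not visible here. `lost_password` continues past the end of the hunk.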
index 02e5db7db25dd54d5cd3ae5d19f85817040fca82..ff75df548e827b9bb2986be4620c9de713d96687 100644 (file)
@@ -812,6 +812,16 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = create(:user)
     uppercase_user = build(:user, :email => user.email.upcase).tap { |u| u.save(:validate => false) }
 
+    # Resetting with GET should fail
+    assert_no_difference "ActionMailer::Base.deliveries.size" do
+      perform_enqueued_jobs do
+        get user_forgot_password_path, :params => { :email => user.email }
+      end
+    end
+    assert_response :success
+    assert_template :lost_password
+
+    # Resetting with POST should work
     assert_difference "ActionMailer::Base.deliveries.size", 1 do
       perform_enqueued_jobs do
         post user_forgot_password_path, :params => { :email => user.email }
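Review bot: The new GET case shows that the action no longer sends mail on GET but not why that matters, and since the test environment normally disables forgery protection nothing here exercises the token check itself, only the method gating; a comment on the `# Resetting with GET should fail` line would make the intent explicit, e.g. `# Rails only verifies the CSRF token on non-GET requests, so a GET that sent mail would bypass it`. If the POST path sets a flash message when the lookup fails, asserting that the GET left no such flash would also pin down that the request simply rendered the form, since `assert_response :success` and `assert_template :lost_password` pass either way. The enclosing test starts before and ends after this hunk.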