Protect against interception of confirmation emails
author Tom Hughes <tom@compton.nu>
Mon, 15 Nov 2010 21:41:32 +0000 (21:41 +0000)
committer Tom Hughes <tom@compton.nu>
Mon, 15 Nov 2010 21:41:32 +0000 (21:41 +0000)
When processing an account confirmation email don't automatically
log the user in unless their browser session has a token that
matches the same user. Closes #3337.

app/controllers/user_controller.rb

index c8603afec560666d3dd54514b984f32452f96d28..19e8aeb7c16ac60fda8aa8f307f9d6cc68db93d3 100644 (file)
@@ -77,6 +77,7 @@ class UserController < ApplicationController
       if @user.save
         flash[:notice] = t 'user.new.flash create success message', :email => @user.email
         Notifier.deliver_signup_confirm(@user, @user.tokens.create(:referer => params[:referer]))
+        session[:token] = @user.tokens.create.token
         redirect_to :action => 'login'
       else
         render :action => 'new'
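Review bot: the UserToken created by `session[:token] = @user.tokens.create.token` has no expiry or cleanup visible in this hunk; if the user never confirms, or confirms from a browser other than the one that signed up (the `token.nil? or token.user != user` branch below leaves it untouched), the extra token stays in the database as a valid token for that user. Consider giving it an expiry, or destroying any outstanding browser-bound token when the emailed confirmation token is consumed, and add a comment explaining why a second token is created here (it ties the signing-up browser to the later confirmation so that someone who only intercepts the email is not logged in).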
@@ -264,14 +265,29 @@ class UserController < ApplicationController
           user.save!
           referer = token.referer
           token.destroy
-          session[:user] = user.id
 
-          unless referer.nil?
+          if session[:token] 
+            token = UserToken.find_by_token(session[:token])
+            session.delete(:token)
+          else
+            token = nil
+          end
+
+          if token.nil? or token.user != user
             flash[:notice] = t('user.confirm.success')
-            redirect_to referer
+            redirect_to :action => :login, :referer => referer
           else
-            flash[:notice] = t('user.confirm.success') + "<br /><br />" + t('user.confirm.before you start')
-            redirect_to :action => 'account', :display_name => user.display_name
+            token.destroy
+
+            session[:user] = user.id
+
+            if referer.nil?
+              flash[:notice] = t('user.confirm.success') + "<br /><br />" + t('user.confirm.before you start')
+              redirect_to :action => :account, :display_name => user.display_name
+            else
+              flash[:notice] = t('user.confirm.success')
+              redirect_to referer
+            end
           end
         end
       else
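Review bot: in the `if token.nil? or token.user != user` branch the record looked up by `UserToken.find_by_token(session[:token])` is dropped from the session but never destroyed, so a token belonging to a different user (for example on a shared machine) is orphaned in the database rather than consumed; destroy it as well, or only `session.delete(:token)` after deciding what to do with the row. Reusing the `token` variable for this second lookup also makes the method hard to follow, since `token` was the emailed confirmation token that was already `token.destroy`ed a few lines earlier; a distinct name such as `session_token` would make the two-token check obvious. Minor: `if session[:token] ` carries trailing whitespace, and `token.nil? || token.user != user` is the usual form for a boolean condition in this codebase's style.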