From: Tom Hughes
Date: Mon, 15 Nov 2010 21:41:32 +0000 (+0000)
Subject: Protect against interception of confirmation emails
X-Git-Tag: live~6300^2~43
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/7f3d37867b7f35e6003f20803d3779a302c3f505
Protect against interception of confirmation emails
When processing an account confirmation email don't automatically log the user in unless their browser session has a token that matches the same user.
Closes #3337.
---
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index c8603afec..19e8aeb7c 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -77,6 +77,7 @@ class UserController < ApplicationController
 if @user.save
 flash[:notice] = t 'user.new.flash create success message', :email => @user.email
 Notifier.deliver_signup_confirm(@user, @user.tokens.create(:referer => params[:referer]))
+ session[:token] = @user.tokens.create.token
 redirect_to :action => 'login'
 else
 render :action => 'new'
@@ -264,14 +265,29 @@ class UserController < ApplicationController
 user.save!
 referer = token.referer
 token.destroy
- session[:user] = user.id
- unless referer.nil?
+ if session[:token]
+ token = UserToken.find_by_token(session[:token])
+ session.delete(:token)
+ else
+ token = nil
+ end
+
+ if token.nil? or token.user != user
 flash[:notice] = t('user.confirm.success')
- redirect_to referer
+ redirect_to :action => :login, :referer => referer
 else
- flash[:notice] = t('user.confirm.success') + "

" + t('user.confirm.before you start')
- redirect_to :action => 'account', :display_name => user.display_name
+ token.destroy
+
+ session[:user] = user.id
+
+ if referer.nil?
+ flash[:notice] = t('user.confirm.success') + "

" + t('user.confirm.before you start')
+ redirect_to :action => :account, :display_name => user.display_name
+ else
+ flash[:notice] = t('user.confirm.success')
+ redirect_to referer
+ end
 end
 end
 else
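Review bot: In the `if token.nil? or token.user != user` branch a session token that resolved to a UserToken for some other user is removed from the session but its row is left in place, and the signup-time token created in the first hunk (`session[:token] = @user.tokens.create.token`) is destroyed only when the same browser completes confirmation, so tokens from abandoned or cross-browser confirmations accumulate unless UserToken expires them elsewhere, which this hunk does not show. Reusing the local `token` for two different records (the consumed confirmation token above, then the session token) makes the second `token.destroy` easy to misread; `session_token = session[:token] && UserToken.find_by_token(session[:token])`, `session.delete(:token)`, `if session_token.nil? || session_token.user != user` keeps the two apart and drops the low-precedence `or`. The enclosing method starts before and ends after the hunk.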