From e890528aacd74420e445793b532271996e700577 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 3 Aug 2009 23:42:29 +0000
Subject: [PATCH] Rework password reset system to do away with the second email and instead just allow the user (providing they possess a valid token from the first email) to enter a new password on the site.
---
 app/controllers/user_controller.rb | 33 ++++++++++---------
 app/models/notifier.rb | 8 +----
 .../notifier/reset_password.text.html.erb | 3 --
 .../notifier/reset_password.text.plain.erb | 3 --
 app/views/user/reset_password.html.erb | 14 ++++++++
 config/locales/en.yml | 18 ++++------
 6 files changed, 40 insertions(+), 39 deletions(-)
 delete mode 100644 app/views/notifier/reset_password.text.html.erb
 delete mode 100644 app/views/notifier/reset_password.text.plain.erb
 create mode 100644 app/views/user/reset_password.html.erb
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index c3ab012e3..6d69b5120 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -95,9 +95,9 @@ class UserController < ApplicationController
 if user
 token = user.tokens.create
 Notifier.deliver_lost_password(user, token)
- flash[:notice] = t 'user.lost_password.notice email on way'
+ @notice = t 'user.lost_password.notice email on way'
 else
- flash[:notice] = t 'user.lost_password.notice email cannot find'
+ @notice = t 'user.lost_password.notice email cannot find'
 end
 end
 end
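Review bot: The two branches still give the visitor different messages for a registered and an unregistered address (`notice email on way` vs `notice email cannot find`), so the lost-password form confirms whether an email belongs to an account; the commit only moves that text from `flash[:notice]` to `@notice`. A single neutral message in both branches, e.g. `@notice = t 'user.lost_password.notice email on way'` in the `else` as well (with the wording adjusted so it no longer promises a mail), avoids account enumeration. Separately, the diffstat lists no change to the lost_password template, so the message is only shown if that view already renders `@notice`; if the action still redirects after this block, an instance variable will not survive the redirect the way the flash did. The enclosing lost_password action starts before the hunk.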
@@ -105,25 +105,28 @@ class UserController < ApplicationController
 def reset_password
 @title = t 'user.reset_password.title'
- if params['token']
+ if params[:token]
 token = UserToken.find_by_token(params[:token])
+
 if token
- pass = OSM::make_token(8)
- user = token.user
- user.pass_crypt = pass
- user.pass_crypt_confirmation = pass
- user.active = true
- user.email_valid = true
- user.save!
- token.destroy
- Notifier.deliver_reset_password(user, pass)
- flash[:notice] = t 'user.reset_password.flash changed check mail'
+ if params[:user]
+ @user = token.user
+ @user.pass_crypt = params[:user][:pass_crypt]
+ @user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
+ @user.active = true
+ @user.email_valid = true
+
+ if @user.save
+ token.destroy
+ flash[:notice] = t 'user.reset_password.flash changed'
+ redirect_to :action => 'login'
+ end
+ end
 else
 flash[:notice] = t 'user.reset_password.flash token bad'
+ redirect_to :action => 'lost_password'
 end
 end
-
- redirect_to :action => 'login'
 end
 def new
diff --git a/app/models/notifier.rb b/app/models/notifier.rb
index ba4530e99..35b521e1f 100644
--- a/app/models/notifier.rb
+++ b/app/models/notifier.rb
@@ -22,13 +22,7 @@ class Notifier < ActionMailer::Base
 subject I18n.t('notifier.lost_password.subject')
 body :url => url_for(:host => SERVER_URL,
 :controller => "user", :action => "reset_password",
- :email => user.email, :token => token.token)
- end
-
- def reset_password(user, pass)
- common_headers user
- subject I18n.t('notifier.reset_password.subject')
- body :pass => pass
+ :token => token.token)
 end
 def gpx_success(trace, possible_points)
diff --git a/app/views/notifier/reset_password.text.html.erb b/app/views/notifier/reset_password.text.html.erb
deleted file mode 100644
index 39ea35b5e..000000000
--- a/app/views/notifier/reset_password.text.html.erb
+++ /dev/null
@@ -1,3 +0,0 @@
-
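Review bot: `UserToken.find_by_token(params[:token])` accepts any stored token with no check on its age, so an emailed reset link remains usable until a reset is actually completed, and the `if @user.save` branch destroys only that one token while nothing in this diff invalidates earlier ones created by repeated `user.tokens.create` calls in lost_password. If `UserToken` records an expiry (not visible here), reject stale tokens where `if token` is tested, and consider whether the user's other outstanding reset tokens should be removed next to `token.destroy` once the new password is saved. `@user.active = true` and `@user.email_valid = true` are assigned before the submitted password has been validated; that is harmless because they only persist on a successful `save`, but a short comment above them, `# only persisted if the password below validates`, would make that intent clear. The enclosing class continues outside the hunk.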

<%= t 'notifier.reset_password_html.greeting' %>

- -

<%= t 'notifier.reset_password_html.reset', :new_password => @pass %>

diff --git a/app/views/notifier/reset_password.text.plain.erb b/app/views/notifier/reset_password.text.plain.erb
deleted file mode 100644
index aab4d137b..000000000
--- a/app/views/notifier/reset_password.text.plain.erb
+++ /dev/null
@@ -1,3 +0,0 @@
-<%= t 'notifier.reset_password_plain.greeting' %>
-
-<%= t 'notifier.reset_password_plain.reset', :new_password => @pass %>
diff --git a/app/views/user/reset_password.html.erb b/app/views/user/reset_password.html.erb
new file mode 100644
index 000000000..458a6084c
--- /dev/null
+++ b/app/views/user/reset_password.html.erb
@@ -0,0 +1,14 @@
+

<%= t 'user.reset_password.heading' %>

+ +<%= error_messages_for :user %> + +<% form_tag do %> +<%= hidden_field_tag(:token, params[:token]) %> + + + + + + +
<%= t 'user.reset_password.password' %><%= password_field(:user, :pass_crypt,{:size => 30, :maxlength => 255, :tabindex => 4}) %>
<%= t 'user.reset_password.confirm password' %><%= password_field(:user, :pass_crypt_confirmation,{:size => 30, :maxlength => 255, :tabindex => 5}) %>
 
+<% end %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 3b049b12a..9283fcb57 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -533,14 +533,6 @@ en:
 greeting: "Hi,"
 hopefully_you: "Someone (possibly you) has asked for the password to be reset on this email address's openstreetmap.org account."
 click_the_link: "If this is you, please click the link below to reset your password."
- reset_password:
- subject: "[OpenStreetMap] Password reset"
- reset_password_plain:
- greeting: "Hi,"
- reset: "Your password has been reset to {{new_password}}"
- reset_password_html:
- greeting: "Hi,"
- reset: "Your password has been reset to {{new_password}}"
 message:
 inbox:
 title: "Inbox"
@@ -796,15 +788,19 @@ en:
 account not active: "Sorry, your account is not active yet.
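Review bot: `password_field(:user, :pass_crypt, ...)` and the confirmation field are bound to `@user`, and on the Rails generation this app appears to run a form-object password field is filled from the attribute's current value when the page re-renders, which here happens after a failed `@user.save` with the submitted password still on `@user.pass_crypt`; that would send the typed password back in the HTML. Use `password_field_tag` for both fields, or pass an explicit empty `:value`, so the password never round-trips into the page (confirm against the installed ActionView first). The hidden `token` field correctly carries the token through the re-render. This hunk is the whole new file, though its markup is partly lost in this rendering.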
Please click on the link in the account confirmation email to activate your account."
 auth failure: "Sorry, couldn't log in with those details."
 lost_password:
- title: "lost password"
+ title: "Lost password"
 heading: "Forgotten Password?"
 email address: "Email Address:"
 new password button: "Send me a new password"
 notice email on way: "Sorry you lost it :-( but an email is on its way so you can reset it soon."
 notice email cannot find: "Couldn't find that email address, sorry."
 reset_password:
- title: "reset password"
- flash changed check mail: "Your password has been changed and is on its way to your mailbox :-)"
+ title: "Reset password"
+ heading: "Reset Password"
+ password: "Password: "
+ confirm password: "Confirm Password: "
+ reset: "Reset Password"
+ flash changed: "Your password has been changed."
 flash token bad: "Didn't find that token, check the URL maybe?"
 new:
 title: "Create account"
-- 
2.43.2