tmc-server/app/controllers/password_reset_keys_controller.rb at 05939b4a630a1e6fbfc354bd95008a54be7bcf08 · testmycode/tmc-server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# frozen_string_literal: true

class PasswordResetKeysController < ApplicationController
  skip_authorization_check

  add_breadcrumb 'Forgot password', ->(*_a) { }, only: %i[new show]

  def new; end

  def create
    @email = params['email'].to_s.strip
    if @email.empty?
      return redirect_to(new_password_reset_key_path, alert: 'No e-mail address provided')
    end

    user = User.find_by('lower(email) = ?', @email.downcase)
    unless user
      return redirect_to(new_password_reset_key_path, alert: 'No such e-mail address registered')
    end

    key = ActionToken.generate_password_reset_key_for(user)
    PasswordResetKeyMailer.reset_link_email(user, key).deliver
  end

  def show
    find_key_and_user
  end

  def destroy
    find_key_and_user

    if params[:password] != params[:password_confirmation]
      flash.now[:alert] = 'Passwords did not match'
      return render action: :show, status: :forbidden
    end

    if params[:password].blank?
      flash.now[:alert] = 'Password may not be empty'
      return render action: :show, status: :forbidden
    end

    if @user.password_managed_by_courses_mooc_fi
      success = @user.update_password_via_courses_mooc_fi(nil, params[:password])
      if success
        @key.destroy
        flash[:success] = 'Your password has been reset.'
        redirect_to root_path
      else
        flash.now[:alert] = 'Failed to reset password.'
        render action: :show, status: :forbidden
      end
    else
      @user.password = params[:password]
      if @user.save
        @key.destroy
        flash[:success] = 'Your password has been reset.'
        redirect_to root_path
      else
        flash.now[:alert] = if @user.errors[:password]
          'Password ' + @user.errors[:password].join(', ')
        else
          'Failed to set password'
        end
        render action: :show, status: :forbidden
      end
    end
  end

  private
    def find_key_and_user
      token = params['token']
      @key = ActionToken.find_by(token: token)
      raise ActiveRecord::RecordNotFound, 'Invalid password reset key' if @key.nil? || @key.expired?
      @user = @key.user
    end
end