From 0e504aac9b4a0dbeae37c4dcafb78e60b08e3773 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Mon, 15 Jul 2013 12:12:54 -0400
Subject: [PATCH] FIX: You can reset your password even if logins are required.
---
 app/controllers/users_controller.rb | 8 +++++++-
 spec/controllers/users_controller_spec.rb | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 25590411945..69c028e9336 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -12,7 +12,13 @@ class UsersController < ApplicationController
 # page is going to be empty, this means that server will see an invalid CSRF and blow the session
 # once that happens you can't log in with social
 skip_before_filter :verify_authenticity_token, only: [:create]
- skip_before_filter :redirect_to_login_if_required, only: [:check_username,:create,:get_honeypot_value,:activate_account,:send_activation_email,:authorize_email]
+ skip_before_filter :redirect_to_login_if_required, only: [:check_username,
+ :create,
+ :get_honeypot_value,
+ :activate_account,
+ :send_activation_email,
+ :authorize_email,
+ :password_reset]

 def show
 @user = fetch_user_from_params
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index a44ffef2064..463885bedb6 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -216,6 +216,17 @@ describe UsersController do
 describe '.password_reset' do
 let(:user) { Fabricate(:user) }

+ context "you can view it even if login is required" do
+ before do
+ SiteSetting.stubs(:login_required).returns(true)
+ get :password_reset, token: 'asdfasdf'
+ end
+
+ it "returns success" do
+ response.should be_success
+ end
+ end
+
 context 'invalid token' do
 before do
 EmailToken.expects(:confirm).with('asdfasdf').returns(nil)
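Review bot: The `only:` list on `skip_before_filter :redirect_to_login_if_required` is in effect the controller's allow-list of actions an anonymous visitor can reach on a login-required site, and nothing next to it says so. With `:password_reset` added, that action presumably relies entirely on the emailed token for authorization (the spec shows it going through `EmailToken.confirm`), so its rejected-token response should render nothing a logged-out visitor could not already see. I would put a comment above the list, e.g. `# Reachable without a session even when login is required; each action must authorize the request itself (for example by email token).` The action that sends the reset e-mail is not part of this diff, so it is worth confirming it is exempt from the same filter. The class body starts and ends outside the hunk.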
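Review bot: The new context's `before` block issues `get :password_reset, token: 'asdfasdf'` without pinning the token lookup, unlike the 'invalid token' context directly below it, which sets `EmailToken.expects(:confirm).with('asdfasdf').returns(nil)`. As written the example covers only the rejected-token path and depends on the real lookup finding nothing for that string. I would add `EmailToken.stubs(:confirm).returns(nil)` to the `before` block and name the context for what it checks (an invalid token on a login-required site). A sibling example with a valid token under `login_required` would cover the path the fix is actually for. The `describe '.password_reset'` block continues past the end of the hunk.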