FIX: only invalidate password reset links using javascript

Neil Lalonde
2016-01-04 11:48:54 -05:00
parent 0ba1e8a76f
commit c7df6783a9
5 changed files with 54 additions and 2 deletions


@@ -44,7 +44,7 @@ class EmailToken < ActiveRecord::Base
def self.confirm(token)
return unless valid_token_format?(token)
email_token = EmailToken.where("token = ? and expired = FALSE AND ((NOT confirmed AND created_at >= ?) OR (confirmed AND created_at >= ?))", token, EmailToken.valid_after, EmailToken.confirm_valid_after).includes(:user).first
email_token = confirmable(token)
return if email_token.blank?
user = email_token.user
@@ -59,12 +59,17 @@ class EmailToken < ActiveRecord::Base
user.save!
end
end
# redeem invite, if available
return User.find_by(email: Email.downcase(user.email)) if Invite.redeem_from_email(user.email).present?
user
rescue ActiveRecord::RecordInvalid
# If the user's email is already taken, just return nil (failure)
end
def self.confirmable(token)
EmailToken.where("token = ? and expired = FALSE AND ((NOT confirmed AND created_at >= ?) OR (confirmed AND created_at >= ?))", token, EmailToken.valid_after, EmailToken.confirm_valid_after).includes(:user).first
end
end
# == Schema Information
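Review bot: `confirmable` runs the token lookup without the `valid_token_format?` guard that `confirm` applies before calling it, so any caller that uses the new class method directly hands an unchecked value to the query. The query is parameterized, so this is a defence-in-depth gap rather than an injection, but a malformed or non-string parameter would reach the database layer instead of being rejected early. Moving the guard into the helper keeps both paths consistent: `return unless valid_token_format?(token)` as the first line of `confirmable`. A comment such as `# Looks up a still-valid token without marking it confirmed; call confirm to redeem it` would also make the read-only intent explicit. Only one of the five changed files is visible here and the middle of `confirm` lies between the two hunks, so how the other callers validate the token should be confirmed against the rest of the commit.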