If we start using it as you described, then anybody can start checking URLs like "http://example.com/password_resets/zAk3O7mRnjTdPfaLkePU/edit", and if you have many users on your system it becomes more likely to find a URL for changing somebody else's password.
The simplest solution: add a required field 'email' to app/views/password_resets/edit.html.erb and check it before changing the password.
Or better, add ?email=[email protected] to the link in the email, and check for it in load_user_using_perishable_token.
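The check the comment proposes, written out as an added example (not code from the project or from the commenter): the reset link carries both the perishable token and the account's email, and the lookup refuses to load a user unless both match and the token is still fresh. The `User` struct, `USERS` table, `TOKEN_TTL` and the function names are constructed stand-ins for the Rails model and the tutorial's `load_user_using_perishable_token`; the second token and timestamp are made up.

```ruby
require 'uri'
require 'time'

# Constructed in-memory stand-in for the users table (not the project's model).
User = Struct.new(:id, :email, :perishable_token, :token_updated_at)

USERS = [
  User.new(1, 'alice@example.com', 'zAk3O7mRnjTdPfaLkePU', Time.now),
  User.new(2, 'bob@example.com',   'q7Ht9xLm2pRvBn4KcWd1', Time.now - (3 * 3600)), # constructed: stale token
].freeze

# Assumed lifetime of a reset token; a token older than this is rejected even if it matches.
TOKEN_TTL = 10 * 60

# Constant-time byte comparison so the position of the first mismatch does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The situation the comment describes: the token alone selects the account, so a guesser
# probing /password_resets/<token>/edit only needs to hit any one user's token.
def load_user_token_only(token)
  USERS.find { |u| secure_compare(u.perishable_token, token) }
end

# Hardened variant: look the account up by the email carried in the link, then require the
# token to match that account and to be fresh. Every failure returns nil without saying why,
# so the caller cannot learn which of the three checks failed.
def load_user_token_and_email(token, email)
  return nil if token.to_s.empty? || email.to_s.empty?
  user = USERS.find { |u| u.email.casecmp?(email.strip) }
  return nil unless user
  return nil unless secure_compare(user.perishable_token, token)
  return nil if Time.now - user.token_updated_at > TOKEN_TTL
  user
end

# Builds the link the reset email would carry, with the email as a query parameter.
def reset_link(user, base = 'http://example.com')
  "#{base}/password_resets/#{user.perishable_token}/edit?email=#{URI.encode_www_form_component(user.email)}"
end
```

Looking the user up by email first, rather than by token, also means a guessed token on its own never selects a row, which is the property the comment is after; binding the token to an expiry closes the remaining window. One caveat when putting the email in the link: it then appears in web server logs and in Referer headers of any off-site links on the edit page, so the edit page should not load third-party resources.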