From abe22b19e9470c556b2bde7dd7313e2eff6dfcc8 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 11 Dec 2013 22:25:02 -0500 Subject: [PATCH] adding password rest method and changing some logic around --- app/controllers/application_controller.rb | 14 +++--- app/controllers/password_resets_controller.rb | 45 ++++++++++++++++--- app/controllers/users_controller.rb | 24 +--------- .../forgot_password.html.erb | 0 .../password_resets/reset_password.html.erb | 5 ++- config/routes.rb | 8 ++-- 6 files changed, 56 insertions(+), 40 deletions(-) rename app/views/{users => password_resets}/forgot_password.html.erb (100%) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 9d5628d..7590751 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -2,23 +2,23 @@ class ApplicationController < ActionController::Base before_filter :authenticated, :has_info helper_method :current_user, :is_admin? - + # Our security guy keep talking about sea-surfing, cool story bro. # protect_from_forgery - + private def current_user @current_user ||= User.find_by_user_id(session[:user_id].to_s) end - + def authenticated path = request.fullpath.present? ? root_url(:url => request.fullpath) : root_url redirect_to path and reset_session if not current_user end def is_admin? - current_user.admin if current_user + current_user.admin if current_user end def administrative @@ -27,11 +27,11 @@ class ApplicationController < ActionController::Base redirect_to root_url end end - + def has_info redirect = false if current_user - begin + begin if !(current_user.retirement || current_user.paid_time_off.schedule || current_user.paid_time_off || current_user.work_info || current_user.performance) redirect = true end @@ -41,5 +41,5 @@ class ApplicationController < ActionController::Base end redirect_to home_dashboard_index_path if redirect end - + end 
diff --git a/app/controllers/password_resets_controller.rb b/app/controllers/password_resets_controller.rb
index 792a226..533643a 100644
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@@ -1,25 +1,60 @@ class PasswordResetsController < ApplicationController - skip_before_filter :authenticated, :only => [:reset_password] + skip_before_filter :authenticated + def reset_password - token = params[:token] unless params[:token].nil? + user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil? - if token && is_valid?(token) + if user && params[:password] && params[:confirm_password] && params[:password] == params[:confirm_password] + user.password = params[:password] + user.save! + flash[:success] = "Your password has been reset please login" + redirect_to :login + else + flash[:error] = "Error resetting your password. Please try again." + redirect_to :login + end + end + + def confirm_token + if !params[:token].nil? && is_valid?(params[:token]) flash[:success] = "Password reset token confirmed! Please create a new password." + render :reset_password else flash[:error] = "Invalid password reset token. Please try again." redirect_to :login end end + def forgot_password + @user = User.find_by_email(params[:email]) unless params[:email].nil? + + if @user && password_reset_mailer(@user) + flash[:success] = "Password reset email sent to #{params[:email]}" + redirect_to :login + else + flash[:error] = "There was an issue sending password reset email to #{params[:email]}".html_safe unless params[:email].nil? + end + end + private + def password_reset_mailer(user) + token = generate_token(user.id, user.email) + UserMailer.forgot_password(user.email, token).deliver + end + + def generate_token(id, email) + hash = Digest::MD5.hexdigest(email) + "#{id}-#{hash}" + end + def is_valid?(token) if token =~ /(?\d+)-(?[A-Z0-9]{32})/i # Fetch the user by their id, and hash their email address - user = User.find_by_id($~[:user_id]) - email = Digest::MD5.hexdigest(user.email) + @user = User.find_by_id($~[:user_id]) + email = Digest::MD5.hexdigest(@user.email) # Compare and validate our hashes return true if email == $~[:email_hash] 
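Review bot: `reset_password` now takes the User object itself from the request — `Marshal.load(Base64.decode64(params[:user]))` — and saves whatever comes back, so the POST never re-checks the reset token and client-supplied bytes decide which account's password is changed; `Marshal.load` on untrusted input can also instantiate arbitrary objects, the classic unsafe-deserialization problem. Keep the token (not a serialized user) in the form that `confirm_token` renders, re-run `is_valid?(params[:token])` inside `reset_password` and use the `@user` it assigns, as sketched below. `is_valid?` derives the token from `id` and `Digest::MD5.hexdigest(email)`, so it is predictable from two pieces of account data and never expires; a random per-request token stored with the user and a timestamp, compared with a constant-time comparison, would close that. Also `Digest::MD5.hexdigest(@user.email)` raises NoMethodError when `find_by_id` returns nil — add `return false unless @user` after the lookup — and the bare `skip_before_filter :authenticated` now applies to every action in this controller rather than only the reset ones. `is_valid?` continues past the end of the hunk.
```ruby
def reset_password
  # Re-validate the token on the POST; is_valid? assigns @user from the id embedded in it.
  if params[:token] && is_valid?(params[:token]) &&
     params[:password].present? && params[:password] == params[:confirm_password]
    @user.password = params[:password]
    @user.save!
    flash[:success] = "Your password has been reset please login"
  else
    flash[:error] = "Error resetting your password. Please try again."
  end
  redirect_to :login
end
# … unchanged: confirm_token, forgot_password, private helpers …
```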
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 2f92c18..9a48c27 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -1,18 +1,8 @@ class UsersController < ApplicationController skip_before_filter :has_info - skip_before_filter :authenticated, :only => [:new, :create, :forgot_password] + skip_before_filter :authenticated, :only => [:new, :create] - def forgot_password - @user = User.find_by_email(params[:email]) unless params[:email].nil? - - if @user && password_reset_mailer_setup(@user) - flash[:success] = "Password reset email sent to #{params[:email]}" - redirect_to :login - else - flash[:error] = "There was an issue sending password reset email to #{params[:email]}".html_safe unless params[:email].nil? - end - end def new @user = User.new @@ -63,16 +53,4 @@ class UsersController < ApplicationController end end - private - - def password_reset_mailer_setup(user) - token = generate_token(user.id, user.email) - UserMailer.forgot_password(user.email, token).deliver - end - - def generate_token(id, email) - hash = Digest::MD5.hexdigest(email) - "#{id}-#{hash}" - end - end diff --git a/app/views/users/forgot_password.html.erb b/app/views/password_resets/forgot_password.html.erb similarity index 100% rename from app/views/users/forgot_password.html.erb rename to app/views/password_resets/forgot_password.html.erb diff --git a/app/views/password_resets/reset_password.html.erb b/app/views/password_resets/reset_password.html.erb index 0cd2fe8..f931a33 100644 --- a/app/views/password_resets/reset_password.html.erb +++ b/app/views/password_resets/reset_password.html.erb @@ -10,7 +10,7 @@ - \ No newline at end of file + diff --git a/config/routes.rb b/config/routes.rb index a9f6e25..9c21e1a 100755 --- a/config/routes.rb +++ b/config/routes.rb 
@@ -3,8 +3,10 @@ Railsgoat::Application.routes.draw do get "login" => "sessions#new" get "signup" => "users#new" get "logout" => "sessions#destroy" - match "forgot_password" => "users#forgot_password" - match "password_resets" => "password_resets#reset_password" + match "forgot_password" => "password_resets#forgot_password" + get "password_resets" => "password_resets#confirm_token" + post "password_resets" => "password_resets#reset_password" + resources :sessions do end @@ -83,4 +85,4 @@ Railsgoat::Application.routes.draw do root :to => "sessions#new" -end \ No newline at end of file +end
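Review bot: `match "forgot_password" => "password_resets#forgot_password"` carries no `:via`, and with the `before_filter`/`match` style used here (which suggests Rails 3, where `match` without `:via` answers every verb) a plain GET reaches an action that sends a password-reset e-mail; `protect_from_forgery` is commented out in application_controller.rb in this same patch, so nothing else narrows it. The neighbouring route was split into explicit `get`/`post` lines in this hunk, so do the same: `get "forgot_password" => "password_resets#forgot_password"` and `post "forgot_password" => "password_resets#forgot_password"`, or add `:via => [:get, :post]`. The token-bearing `get "password_resets"` URL will land in server logs and Referer headers, which is tolerable only if the token is single-use and short-lived — something the current id-plus-MD5 scheme in `is_valid?` does not provide. The `routes.draw do` block enclosing this hunk starts and ends outside it.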