From ff75341c757c76ddcab863cac7ab77254dcd230d Mon Sep 17 00:00:00 2001
From: Gregory Bataille
Date: Fri, 8 Jun 2012 10:08:35 +0200
Subject: [PATCH] Redirect to sign in page when trying to access password#edit without a reset_password_token (i.e. not coming from a reset password email)

---
 app/controllers/devise/passwords_controller.rb | 9 +++++++++
 config/locales/en.yml                          | 1 +
 test/integration/recoverable_test.rb           | 6 ++++++
 3 files changed, 16 insertions(+)

diff --git a/app/controllers/devise/passwords_controller.rb b/app/controllers/devise/passwords_controller.rb
index ba960e87..46b323d2 100644
--- a/app/controllers/devise/passwords_controller.rb
+++ b/app/controllers/devise/passwords_controller.rb
@@ -1,5 +1,7 @@
 class Devise::PasswordsController < DeviseController
   prepend_before_filter :require_no_authentication
+  # Render the #edit only if coming from a reset password email link
+  append_before_filter :assert_reset_token_passed, :only => :edit
 
   # GET /resource/password/new
   def new
@@ -44,4 +46,11 @@ class Devise::PasswordsController < DeviseController
       new_session_path(resource_name)
     end
 
+    # Check if a reset_password_token is provided in the request
+    def assert_reset_token_passed
+      if params[:reset_password_token].blank?
+        set_flash_message(:error, :no_token)
+        redirect_to new_session_path(resource_name)
+      end
+    end
 end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index ad7dea83..7783a744 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
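Review bot: The two added comments (`# Render the #edit only if coming from a reset password email link` in the first hunk and `# Check if a reset_password_token is provided in the request` in the second) overstate what `assert_reset_token_passed` does: it only tests `params[:reset_password_token].blank?`, so a token that is present but expired or fabricated still reaches the edit form and is rejected only when the form is submitted. I would reword the first to `# Redirect away from #edit unless a reset_password_token is present; the token itself is only validated on update` and the second to `# Redirects to the sign-in page when no reset_password_token was supplied (presence check only)`. The `:no_token` key passed to `set_flash_message` resolves through the `devise.passwords.no_token` entry that the en.yml hunk adds, so the two hunks must ship together. The visibility section the new method lands in (`protected`/`private`) is outside the hunk; confirm it is not public, since a public controller method is routable as an action.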
@@ -29,6 +29,7 @@ en:
       updated: 'Your password was changed successfully. You are now signed in.'
       updated_not_active: 'Your password was changed successfully.'
       send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
     confirmations:
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
       send_paranoid_instructions: 'If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes.'
diff --git a/test/integration/recoverable_test.rb b/test/integration/recoverable_test.rb
index 9790de5f..9dbadd0a 100644
--- a/test/integration/recoverable_test.rb
+++ b/test/integration/recoverable_test.rb
@@ -126,6 +126,12 @@ class PasswordTest < ActionController::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
+  test 'not authenticated user without a reset password token should not be able to visit the page' do
+    get edit_user_password_path
+    assert_response :redirect
+    assert_redirected_to "/users/sign_in"
+  end
+
   test 'not authenticated user with invalid reset password token should not be able to change his password' do
     user = create_user
     reset_password :reset_password_token => 'invalid_reset_password'
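Review bot: The new test pins only the redirect target, not the reason for it, so it would still pass if some other filter sent an anonymous visitor to `/users/sign_in` while the token guard itself was broken or never ran. Tying the assertion to the flash that `set_flash_message(:error, :no_token)` produces makes it specific to the guard, e.g. after the `assert_redirected_to` add `follow_redirect!` and `assert_contain "You can't access this page without coming from a password reset email"`, which is the assertion style the surrounding integration tests use. The neighbouring test for an invalid token, whose body continues past the hunk, exercises the submit path, so together the two cover both an absent and a bogus token.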