password reset: Validate token before affecting user session.

Thanks to /u/largenocream for reporting this.
2026-01-25 06:48:01 -05:00 · 2013-11-20 14:13:25 -08:00
parent 00df060e47
commit bb8f4b1b57
1 changed files with 6 additions and 5 deletions
--- a/r2/r2/controllers/front.py
+++ b/r2/r2/controllers/front.py
@@ -1245,17 +1245,18 @@ class FormsController(RedditController):
        to verify their identity before allowing them to update their
        password."""

-        #if another user is logged-in, log them out
-        if c.user_is_loggedin:
-            self.logout()
-            return self.redirect(request.path)
-
        done = False
        if not key and request.referer:
            referer_path = request.referer.split(g.domain)[-1]
            done = referer_path.startswith(request.fullpath)
        elif not token:
            return self.redirect("/password?expired=true")
+        else:
+            #if another user is logged-in, log them out
+            if c.user_is_loggedin:
+                self.logout()
+                return self.redirect(request.path)
+
        return BoringPage(_("reset password"),
                          content=ResetPassword(key=key, done=done)).render()