From bb8f4b1b57274ca7723c8a0ffee6fcfccf5f7ff8 Mon Sep 17 00:00:00 2001
From: Max Goodman
Date: Wed, 20 Nov 2013 14:13:25 -0800
Subject: [PATCH] password reset: Validate token before affecting user session.
Thanks to /u/largenocream for reporting this.
---
 r2/r2/controllers/front.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/r2/r2/controllers/front.py b/r2/r2/controllers/front.py
index 51cb4482e..c94e01579 100755
--- a/r2/r2/controllers/front.py
+++ b/r2/r2/controllers/front.py
@@ -1245,17 +1245,18 @@ class FormsController(RedditController):
 to verify their identity before allowing them to update their password."""
- #if another user is logged-in, log them out
- if c.user_is_loggedin:
- self.logout()
- return self.redirect(request.path)
-
 done = False
 if not key and request.referer:
 referer_path = request.referer.split(g.domain)[-1]
 done = referer_path.startswith(request.fullpath)
 elif not token:
 return self.redirect("/password?expired=true")
+ else:
+ #if another user is logged-in, log them out
+ if c.user_is_loggedin:
+ self.logout()
+ return self.redirect(request.path)
+
 return BoringPage(_("reset password"), content=ResetPassword(key=key, done=done)).render()