Don't log in / log out in the password reset flow.

This prevents using valid password reset tokens to force a logout CSRF,
as reported by Mathias Karlsson.

r2/r2/controllers/api.py

@@ -2761,8 +2761,13 @@ class ApiController(RedditController, OAuth2ResourceController):
         g.log.warning("%s did a password reset for %s via %s",
                       request.ip, user.name, token._id)
 
-        self._login(jquery, user)
-        jquery.redirect('/')
+        # if the token is for the current user, their cookies will be
+        # invalidated and they'll have to log in again.
+        if not c.user_is_loggedin or c.user._fullname == token.user_id:
+            jquery.redirect('/login')
+
+        form.set_html(".status", _("password updated"))
+
 
 
     @noresponse(VUser())

r2/r2/controllers/front.py

@@ -1288,11 +1288,6 @@ class FormsController(RedditController):
             done = referer_path.startswith(request.fullpath)
         elif not token:
             return self.redirect("/password?expired=true")
-        else:
-            #if another user is logged-in, log them out
-            if c.user_is_loggedin:
-                self.logout()
-                return self.redirect(request.path)
 
         token_user = Account._by_fullname(token.user_id, data=True)