Mailing encrypted password to user

Presumably this is to allow a user access to an account after they've forgotten their password. It would be much safer to generate a new random password for them and send that to the email address you have on file, not one they specify when the password is requested. You could also disable the account until they click a confirmation link in an email.

Gareth

Gareth Howells wrote:
> Presumably this is to allow a user access to an account after they've
> forgotten their password. It would be much safer to generate a new random
> password for them and send that to the email address you have on file, not
> one they specify when the password is requested. You could also disable the
> account until they click a confirmation link in an email.
>
> Gareth

But in this scenario, I can reset anybody's password and disable the account just by giving his email address. And the target will have to activate every time.

Create a random token and mail them a link containing that. Only when they use that link do you let them specify a new password or create one for them.

Sincerely, Isak

If you've left the default route alone in config/routes.rb, that URL should get mapped to

   :controller => 'user', :action => 'reset_password', :id => 'abc123'

So in your reset_password method you refer to the code as params[:id].

If you want to you can create an explicit named route with:

  map.reset_password '/user/reset_password/:activation_code', :controller => 'user', :action => 'reset_password'
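The token flow Isak describes, together with a reset_password action that takes the code the route hands it as params[:id], as an added example that is not code from this thread. It is plain Ruby with no Rails dependency so it runs stand-alone: the in-memory user store, the outbox standing in for the mailer, the injectable clock, the one-hour token lifetime and the method names are all assumptions made here. In an app the controller would call request_reset from the "forgot password" form and reset_password with params[:id] and the submitted new password.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Added example, not code from the thread. Models the reset flow with a random
# token mailed as a link. The in-memory user store, the outbox in place of a
# mailer and the injectable clock are assumptions so it runs stand-alone.
class PasswordResetService
  TOKEN_TTL = 60 * 60 # links die after one hour (assumed policy)
  NEUTRAL_MESSAGE = "If that address is on file, a reset link has been sent."

  User = Struct.new(:email, :password_digest, :disabled)

  def initialize(users, now: -> { Time.now })
    @users  = users   # email => User
    @resets = {}      # SHA-256(token) => { email:, expires_at: }
    @sent   = []      # outbox: what would have been mailed
    @now    = now
  end
  attr_reader :sent

  # Step 1: the requester supplies only an email address. Nothing about the
  # account changes here: no new password, no disabling, so anyone who knows
  # the address cannot lock the owner out. Unknown addresses get the same
  # message, so the endpoint does not reveal which emails exist.
  def request_reset(email)
    user = @users[email]
    if user
      token = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
      @resets[digest(token)] = { email: user.email, expires_at: @now.call + TOKEN_TTL }
      @sent << { to: user.email, link: "/user/reset_password/#{token}" }
    end
    NEUTRAL_MESSAGE
  end

  # Step 2: whoever follows the link (i.e. can read the mailbox on file) sets
  # the new password. The token is looked up by its digest, so a copy of the
  # table does not yield usable links; deleting it makes the link single-use.
  def reset_password(token, new_password)
    record = @resets.delete(digest(token.to_s))
    return :invalid_token if record.nil?
    return :expired if @now.call > record[:expires_at]
    set_password(record[:email], new_password)
    :ok
  end

  def set_password(email, password)
    salt = SecureRandom.random_bytes(16)
    @users.fetch(email).password_digest = [salt, hash_password(password, salt)]
  end

  def password_valid?(email, password)
    user = @users[email]
    return false unless user && user.password_digest
    salt, stored = user.password_digest
    secure_equal?(hash_password(password, salt), stored)
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # PBKDF2 from the standard library stands in for bcrypt/argon2 here.
  def hash_password(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 50_000,
                             length: 32, hash: "sha256")
  end

  # Constant-time comparison so verifying a guess does not leak by timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The two properties the thread argues about both hold here: requesting a reset changes nothing about the account (the old password keeps working and the account is not disabled until the link is used), and only the holder of the link can set a new password. The token is high-entropy, stored only as a digest, expires, and is consumed on first use, so a replayed or leaked link is worthless.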