Mailing encrypted password to user

Presumably this is to allow a user access to an account after they've
forgotten their password. It would be much safer to generate a new random
password for them and send that to the email address you have on file, not
one they specify when the password is requested. You could also disable the
account until they click a confirmation link in an email.

Gareth

Gareth Howells wrote:
> Presumably this is to allow a user access to an account after they've
> forgotten their password. It would be much safer to generate a new
> random
> password for them and send that to the email address you have on file,
> not
> one they specify when the password is requested. You could also disable
> the
> account until they click a confirmation link in an email.
>
> Gareth

But in this scenario, I can reset anybody's password and disable their account
just by giving their email address, and the target will have to activate it
every time.

Create a random token and mail them a link containing it. Only when
they use that link do you let them specify a new password, or create one
for them.

Sincerely,
Isak

If you've left the default route alone in config/routes.rb, that URL
should get mapped to

   :controller => UsersController, :action => :reset_password, :id => "abc123"

So in your reset_password method you refer to the code as params[:id]

If you want to you can create an explicit named route with:

  map.reset_password '/user/reset_password/:activation_code',
                     :controller => 'user', :action => 'reset_password'