Reputation: 357
Michael Hartl Chap 12 Password Reset redirects to homepage
When the reset password link is sent through email, it does not seem to work. Clicking on it results in a redirect to the homepage due to:
Filter chain halted as :valid_user rendered or redirected
Here is valid_user
# Confirms a valid user.
def valid_user
unless (@user && @user.activated? &&
@user.authenticated?(:reset, params[:id]))
redirect_to root_url
end
end
PasswordsResetsController
class PasswordResetsController < ApplicationController
before_action :get_user, only: [:edit, :update]
before_action :valid_user, only: [:edit, :update]
before_action :check_expiration, only: [:edit, :update] # Case (1)
def new
end
def create
@user = User.find_by(email: params[:password_reset][:email].downcase)
if @user
@user.create_reset_digest
@user.send_password_reset_email
flash[:info] = "Email sent with password reset instructions"
redirect_to root_url
else
flash.now[:danger] = "Email address not found"
render 'new'
end
end
def edit
end
def update
if params[:user][:password].empty? # Case (3)
@user.errors.add(:password, "can't be empty")
render 'edit'
elsif @user.update_attributes(user_params) # Case (4)
log_in @user
flash[:success] = "Password has been reset."
redirect_to @user
else
render 'edit' # Case (2)
end
end
private
def user_params
params.require(:user).permit(:password, :password_confirmation)
end
# Before filters
def get_user
@user = User.find_by(email: params[:email])
end
# Confirms a valid user.
def valid_user
unless (@user && @user.activated? &&
@user.authenticated?(:reset, params[:id]))
redirect_to root_url
end
end
# Checks expiration of reset token.
def check_expiration
if @user.password_reset_expired?
flash[:danger] = "Password reset has expired."
redirect_to new_password_reset_url
end
end
end
User.rb
class User < ActiveRecord::Base
attr_accessor :remember_token, :activation_token, :reset_token
before_save :downcase_email
before_create :create_activation_digest
validates :name, presence: true, length: { maximum: 50 }
VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
validates :email, presence: true, length: { maximum: 255 },
format: { with: VALID_EMAIL_REGEX },
uniqueness: { case_sensitive: false }
validates :username, presence: true, length: { maximum: 50 }
has_secure_password
validates :password, presence: true, length: { minimum: 6 }, allow_nil: true
# Returns the hash digest of the given string.
def User.digest(string)
cost = ActiveModel::SecurePassword.min_cost ? BCrypt::Engine::MIN_COST :
BCrypt::Engine.cost
BCrypt::Password.create(string, cost: cost)
end
# Returns a random token.
def User.new_token
SecureRandom.urlsafe_base64
end
# Remembers a user in the database for use in persistent sessions.
def remember
self.remember_token = User.new_token
update_attribute(:remember_digest, User.digest(remember_token))
end
# Returns true if the given token matches the digest.
def authenticated?(attribute, token)
digest = send("#{attribute}_digest")
return false if digest.nil?
BCrypt::Password.new(digest).is_password?(token)
end
# Forgets a user.
def forget
update_attribute(:remember_digest, nil)
end
# Activates an account.
def activate
update_attribute(:activated, true)
update_attribute(:activated_at, Time.zone.now)
end
# Sends activation email.
def send_activation_email
UserMailer.account_activation(self).deliver_now
end
# Sets the password reset attributes.
def create_reset_digest
self.reset_token = User.new_token
update_attribute(:reset_digest, User.digest(reset_token))
update_attribute(:reset_sent_at, Time.zone.now)
end
# Sends password reset email.
def send_password_reset_email
UserMailer.password_reset(self).deliver_now
end
# Returns true if a password reset has expired.
def password_reset_expired?
reset_sent_at < 2.hours.ago
end
private
# Converts email to all lower-case.
def downcase_email
self.email = email.downcase
end
# Creates and assigns the activation token and digest.
def create_activation_digest
self.activation_token = User.new_token
self.activation_digest = User.digest(activation_token)
end
end
I can't seem to figure out why it is doing this. When I remove the authenticated? portion of the code in valid_user method, it is still redirecting to homepage.
Upvotes: 1
Views: 229
Answers (2)
Reputation: 357
The problem was that I was testing this using a user I created and did not go through the "activation" method because of the way I created the user. I tested with a user going through the sign up process on the website and it works.
Upvotes: 2
Reputation: 3406
I assume you have before_filter :valid_user in your application_controller.rb. If so, try adding a condition to valid_user that prevents checking for authentication and activation. For example, you could adjust the following method to suit your needs:
def valid_user
unless controller_name == "password_resets"
unless (@user && @user.activated? &&
@user.authenticated?(:reset, params[:id]))
redirect_to root_url
end
end
end
If you have before_filter :valid_user in your password_resets_controller.rb, you could just remove it, since the use case includes: the user will not be authenticated while trying to reset his/her password.
Upvotes: 1
Related Questions
- Michael Hartl's Rails Tutorial: Figure 12.11: The password reset form
- Rails redirects different url after failing reset password
- Unable to redirect to password reset form - The Rails Tutorial by Michael Hartle
- Devise Reset Password Link Redirecting to Homepage Only in Production
- Michael Hartl Reset Password Error
- Password Reset Redirect Test Failing in M.Hartl's Ruby on Rails Tutorial
- Password Reset Test failing in M.Hartl's Ruby on Rails Tutorial (3rd edition), Chapter 10 (10.54)
- Devise reset password link
- Adding password reset functionality to Rails app after Hartl tutorial
- Reset password link asks user to sign in