class PasswordResetsController < ApplicationController layout "frontend" before_action :load_organization_from_request, only: [:new, :create, :sent, :changed] before_action :load_user_and_organization, only: [:edit, :update] after_action :set_referrer_policy def new; end def create email = params[:email] if email.blank? @error = "Email cannot be blank" render :new return end @user = Carto::User.find_by_email(email) @user.try(:send_password_reset!) respond_to do |format| format.html { redirect_to CartoDB.path(self, "sent_password_reset") } format.js { head :ok } end end def edit; end def update # check if it's valid token if @user.password_reset_sent_at < 48.hours.ago redirect_to(new_password_reset_path, alert: "Password reset has expired") return end # form validation. Has to be done this way as it's non-standard pw = params[:carto_user][:password] pwc = params[:carto_user][:password_confirmation] if (pw.blank? || pwc.blank?) || (pw != pwc) @user.errors.add(:password, "Please ensure your passwords match") @user.errors.add(:password_confirmation, "Please ensure your passwords match") render :edit return end @user.valid_password?(:password, pw, pwc) return render :edit unless @user.errors.empty? @user.password = pw @user.password_confirmation = pwc if @user.save @user.update_attribute(:password_reset_token, nil) redirect_to build_url('changed') else render :edit end end def sent; end def changed; end private def load_organization_from_request @organization = Carto::Organization.where(name: CartoDB.extract_subdomain(request)).first end def load_user_and_organization @user = Carto::User.find_by_password_reset_token!(params[:id]) @organization = @user.organization end def build_url(view_name) organization_name = @user.organization.try(:name) base_url = CartoDB.base_url(organization_name) path = CartoDB.path(self, "#{view_name}_password_reset") "#{base_url}#{path}" end def set_referrer_policy headers['Referrer-Policy'] = 'origin' end end