
recovery password: not safe

Open yas375 opened this issue 15 years ago • 0 comments

If we start using it as you described, then anybody can start checking URLs like "http://example.com/password_resets/zAk3O7mRnjTdPfaLkePU/edit", and if you have many users on your system then it is more likely that someone finds a URL for changing somebody else's password.

The simplest solution: add a required field 'email' to app/views/password_resets/edit.html.erb and check it before changing. Or better, add [email protected] to the link in the email and check for it in load_user_using_perishable_token.

yas375 Oct 01 '10 22:10
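Added example, not part of the issue and not code from authlogic_example or Authlogic: the token-plus-email check the report proposes, written as plain Ruby against an in-memory user list so it runs without Rails. `find_by_token` stands in for Authlogic's token-only lookup, `load_user` for what `load_user_using_perishable_token` would do after the change; the class name, users and the second token are constructed for the example (the first token is the one from the URL in the issue).

```ruby
# Added example, not code from authlogic_example or Authlogic. It models the check the
# issue proposes: a password-reset link is only honoured when the perishable token AND
# the email address both belong to the same user. Users, tokens and the class are constructed.
require 'securerandom'

User = Struct.new(:id, :email, :perishable_token)

class PasswordResetLookup
  def initialize(users)
    @users = users
  end

  # Token-only lookup, the weak form the issue complains about. Stands in for Authlogic's
  # find_using_perishable_token: anyone who guesses a valid token gets that user back.
  def find_by_token(token)
    return nil if token.nil? || token.empty?
    @users.find { |u| secure_equal(u.perishable_token, token) }
  end

  # Proposed fix: the email carried in the link (or typed into the edit form) must belong
  # to the user the token resolves to. A token guessed for some other account is useless
  # without that account's email, and the result is the same nil as for an unknown token,
  # so the caller cannot tell which of the two parts was wrong.
  def load_user(token, email)
    user = find_by_token(token)
    return nil if user.nil? || email.nil?
    secure_equal(normalize_email(user.email), normalize_email(email)) ? user : nil
  end

  # Issue a fresh token when a reset is requested; the previous one stops working.
  def reset_token!(user)
    user.perishable_token = SecureRandom.urlsafe_base64(15) # 20 URL-safe characters
  end

  private

  def normalize_email(email)
    email.to_s.strip.downcase
  end

  # Constant-time comparison so response timing does not leak how many leading bytes
  # of a guessed token or email were correct.
  def secure_equal(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed sample data; the first token is the one from the URL quoted in the issue.
USERS = [
  User.new(1, 'alice@example.com', 'zAk3O7mRnjTdPfaLkePU'),
  User.new(2, 'bob@example.com', SecureRandom.urlsafe_base64(15)),
].freeze

LOOKUP = PasswordResetLookup.new(USERS)

if __FILE__ == $PROGRAM_NAME
  token = 'zAk3O7mRnjTdPfaLkePU'
  puts "token only:          #{LOOKUP.find_by_token(token)&.email.inspect}"
  puts "token + right email: #{LOOKUP.load_user(token, ' Alice@Example.com')&.email.inspect}"
  puts "token + wrong email: #{LOOKUP.load_user(token, 'bob@example.com').inspect}"
  puts "token + no email:    #{LOOKUP.load_user(token, nil).inspect}"
end
```

In the Rails app the `load_user` step would sit in the controller's `load_user_using_perishable_token` filter, reading the email from the link's query string or from the required form field the issue suggests, and rendering the same "invalid or expired link" response whether the token or the email was the part that failed.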