recovery password: not safety #15
Description
if we start using it as you described, then anybody can start checking urls like "http://example.com/password_resets/zAk3O7mRnjTdPfaLkePU/edit" and if you have many users on your system then it is more possible to find url for changing pass to somebody else.
The simplest solution: add required field 'email' to app/views/password_resets/edit.html.erb and check it before changing.
Or better add ?email=text@example.com to link in email. And check for it in load_user_using_perishable_token