From d052a7b796317b3efcb3f678441afb04377a7c0e Mon Sep 17 00:00:00 2001
From: Luis Ramos <luisramos0@gmail.com>
Date: Fri, 31 Jul 2020 09:08:48 +0100
Subject: [PATCH] Verify the user is confirmed before returning a reset
 password token

Co-authored-by: Maikel <maikel@email.org.au>
---
 app/controllers/user_confirmations_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/user_confirmations_controller.rb b/app/controllers/user_confirmations_controller.rb
index f4d1ef3925..0915447bc5 100644
--- a/app/controllers/user_confirmations_controller.rb
+++ b/app/controllers/user_confirmations_controller.rb
@@ -44,7 +44,7 @@ class UserConfirmationsController < DeviseController
         'not_confirmed'
       end
 
-    if resource.reset_password_token.present?
+    if result == 'confirmed' && resource.reset_password_token.present?
       raw_reset_password_token = resource.regenerate_reset_password_token
       return spree.edit_spree_user_password_path(
         reset_password_token: raw_reset_password_token