--- a/TODO.txt
+++ b/TODO.txt
@@ -1,5 +1,11 @@
 (in no particular order)
 
+>  If you do `git archive --format=tar --prefix=myproject/ HEAD | gzip >
+>  myproject.tar.gz`, when .gitattributes specifies files that have
+>  export-subst, it will expand keywords such as $Format:%cd$. Gitorious'
+>  "Download as gzipped tarball" apparently does not do this and I think
+>  it'd be pretty nice if it did.
+
 * Deal gracefully with markdown errors (and/or look into using the other markdown libary instead)
 * Don't generate graphs with big "No Data", text even if there's no data
 * Markdownify atom feed body for projects.atom
@@ -14,7 +20,6 @@
 * expire fragment caches for project+repos on deletion
 *a Tone down the "owner" of a repository, or implement a proper "mirror" project type.
 *b be able to mark a project as a "mirror"
-* reset password functionality
 * Nicer diff stats
 * more interesting project stats on frontpage
 * parse git submodule data and link to project if submodule is in gitorious

--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -36,4 +36,20 @@ class UsersController < ApplicationController
     end
     redirect_back_or_default('/')
   end
+  
+  def forgot_password
+  end
+    
+  def reset_password
+    if params[:user] && user = User.find_by_email(params[:user][:email])
+      # FIXME: should really be a two-step process: receive link, visiting it resets password
+      generated_password = user.reset_password!
+      Mailer.deliver_forgotten_password(user, generated_password)
+      flash[:notice] = "A new password has been sent to your email"
+      redirect_to(root_path)
+    else
+      flash[:error] = "Invalid email"
+      redirect_to forgot_password_users_path
+    end
+  end
 end

--- a/app/models/mailer.rb
+++ b/app/models/mailer.rb
@@ -32,6 +32,12 @@ class Mailer < ActionMailer::Base
     @body[:url] = url
   end
   
+  def forgotten_password(user, password)
+    setup_email(user)
+    @subject += "Your new password"
+    @body[:password] = password
+  end
+  
   protected
     def setup_email(user)
       @recipients  = "#{user.email}"

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -41,6 +41,13 @@ class User < ActiveRecord::Base
     Digest::SHA1.hexdigest("--#{salt}--#{password}--")
   end
   
+  def self.generate_random_password(password_size = 12)
+    characters = (("a".."z").to_a + ("0".."9").to_a) - %w[0 o i l 1]
+    (0...password_size).collect do |char|
+      characters[rand(characters.length)]
+    end.join
+  end
+  
   # Activates the user in the database.
   def activate
     @activated = true
@@ -92,6 +99,14 @@ class User < ActiveRecord::Base
     save(false)
   end
   
+  def reset_password!
+    generated = User.generate_random_password
+    self.password = generated
+    self.password_confirmation = generated
+    self.save!
+    generated
+  end
+  
   def can_write_to?(repository)
     !!committerships.find_by_repository_id(repository.id)
   end

--- /dev/null
+++ b/app/views/mailer/forgotten_password.rhtml
@@ -0,0 +1,9 @@
+Hello <%= @user.login -%>,
+
+Your new password is: <%= @password %>
+
+If you did not request a new password, then please do report this incident.
+
+Thank you
+
+http://<%= GitoriousConfig['gitorious_host'] %>
\ No newline at end of file

--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -20,8 +20,9 @@
   <p><%= submit_tag 'Log in' %></p>
 <% end -%>
 
-<% content_for(:submenu) do -%>
-  <ul>
-    <li><%= link_to "Register", new_user_path -%></li>
-  </ul>
-<% end -%>
\ No newline at end of file
+<p>
+  <small>
+    <%= link_to "Register", new_user_path -%> 
+    | <%= link_to "Forgotten your password?", forgot_password_users_path -%>
+  </small>
+</p>

--- /dev/null
+++ b/app/views/users/forgot_password.html.erb
@@ -0,0 +1,11 @@
+<h1>Forgot your password?</h1>
+
+
+<% form_for :user, :url => reset_password_users_path do |f| -%>
+  <p>
+    <%= f.label :email -%><br/>
+    <%= f.text_field :email, :class => "text" -%>
+  </p>
+
+  <p><%= f.submit 'Send me a new password' %></p>
+<% end -%>

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -24,7 +24,10 @@ ActionController::Routing::Routes.draw do |map|
     account.resources :keys
   end
   map.connect "users/activate/:activation_code", :controller => "users", :action => "activate"
-  map.resources :users, :requirements => {:id => /.+/}
+  map.resources :users, :requirements => {:id => /.+/}, :collection => { 
+    :forgot_password => :get,
+    :reset_password => :post,
+  }
   map.resource  :sessions
   map.with_options(:controller => "projects", :action => "category") do |project_cat|
     project_cat.projects_category "projects/category/:id"

--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -97,4 +97,31 @@ describe UsersController do
     assigns[:commits_last_week].kind_of?(Fixnum).should == true
     (assigns[:commits_last_week] >= 0).should == true
   end
+  
+  describe "#forgot_password" do
+    it "GETs the page fine for everyone" do
+      get :forgot_password
+      response.should be_success
+      response.should render_template("forgot_password")
+    end
+  end
+  
+  describe "#reset_password" do
+    it "redirects to forgot_password if nothing was found" do
+      post :reset_password, :user => {:email => "xxx"}
+      response.should redirect_to(forgot_password_users_path)
+      flash[:error].should match(/invalid email/i)
+    end
+    
+    it "sends a new password if email was found" do
+      u = users(:johan)
+      User.should_receive(:generate_random_password).and_return("secret")
+      Mailer.should_receive(:deliver_forgotten_password).with(u, "secret")
+      post :reset_password, :user => {:email => u.email}
+      response.should redirect_to(root_path)
+      flash[:notice].should == "A new password has been sent to your email"
+      
+      User.authenticate(u.email, "secret").should_not be_nil
+    end
+  end
 end

--- a/spec/models/mailer_spec.rb
+++ b/spec/models/mailer_spec.rb
@@ -57,5 +57,17 @@ describe Mailer do
     Mailer.deliver(mail)
     Mailer.deliveries.should == [mail]
   end
+  
+  it "sends forgotten_password" do
+    user = users(:johan)
+    mail = Mailer.create_forgotten_password(user, "newpassword")
+    
+    mail.to.should == [user.email]
+    mail.subject.should == "[Gitorious] Your new password"
+    mail.body.should match(/your new password is: newpassword/i)
+    
+    Mailer.deliver(mail)
+    Mailer.deliveries.should == [mail]
+  end
 
 end

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -141,6 +141,19 @@ describe User do
     }.should raise_error(ActiveRecord::RecordNotFound)
   end
   
+  it "generates some randomly password" do
+    User.generate_random_password.should match(/\w+/)
+    User.generate_random_password.length.should == 12
+    User.generate_random_password(16).length.should == 16
+    User.generate_random_password(5).length.should == 5
+  end
+  
+  it "resets a password to something" do
+    u = users(:johan)
+    password = u.reset_password!
+    User.authenticate(u.email, password).should_not be_nil
+  end
+  
   protected
     def create_user(options = {})
       u = User.new({