Merge pull request #2115 from latortuga/1994-paranoid-locking

Add failing test for Issue #1994
2012-10-26 02:22:49 -07:00 · 2012-10-26 02:22:49 -07:00 · 8ee1591868
parent 18c377e0d7 00a01c2bc4
commit 8ee1591868
3 changed files with 33 additions and 1 deletions
--- a/lib/devise/models/lockable.rb
+++ b/lib/devise/models/lockable.rb
@ -105,7 +105,11 @@ module Devise
      end

      def unauthenticated_message
-        if lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
+        # If set to paranoid mode, do not show the locked message because it
+        # leaks the existence of an account.
+        if Devise.paranoid
+          super
+        elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
          :locked
        else
          super
--- a/test/integration/lockable_test.rb
+++ b/test/integration/lockable_test.rb
@ -221,4 +221,22 @@ class LockTest < ActionController::IntegrationTest
    end
  end

+  test "in paranoid mode, when locking a user that exists it should not say that the user was locked" do
+    swap Devise, :paranoid => true, :maximum_attempts => 1 do
+      user = create_user(:locked => false)
+
+      visit new_user_session_path
+      fill_in 'email', :with => user.email
+      fill_in 'password', :with => "abadpassword"
+      click_button 'Sign in'
+
+      fill_in 'email', :with => user.email
+      fill_in 'password', :with => "abadpassword"
+      click_button 'Sign in'
+
+      assert_current_url "/users/sign_in"
+      assert_not_contain "locked"
+    end
+  end
+
 end
--- a/test/models/lockable_test.rb
+++ b/test/models/lockable_test.rb
@ -260,4 +260,14 @@ class LockableTest < ActiveSupport::TestCase
      end
    end
  end
+
+  test 'should not return a locked unauthenticated message if in paranoid mode' do
+    swap Devise, :paranoid => :true do
+      user = create_user
+      user.failed_attempts = Devise.maximum_attempts + 1
+      user.lock_access!
+
+      assert_equal :invalid, user.unauthenticated_message
+    end
+  end
 end