gitlab-org--gitlab-foss/app/controllers/passwords_controller.rb

class PasswordsController < Devise::PasswordsController
  skip_before_action :require_no_authentication, only: [:edit, :update]

  before_action :resource_from_email, only: [:create]
  before_action :check_password_authentication_available, only: [:create]
  before_action :throttle_reset,      only: [:create]

  def edit
    super
    reset_password_token = Devise.token_generator.digest(
      User,
      :reset_password_token,
      resource.reset_password_token
    )

    unless reset_password_token.nil?
      user = User.where(
        reset_password_token: reset_password_token
      ).first_or_initialize

      unless user.reset_password_period_valid?
        flash[:alert] = 'Your password reset token has expired.'
        redirect_to(new_user_password_url(user_email: user['email']))
      end
    end
  end

  def update
    super do |resource|
      if resource.valid? && resource.password_automatically_set?
        resource.update_attribute(:password_automatically_set, false)
      end
    end
  end

  protected

  def resource_from_email
    email = resource_params[:email]
    self.resource = resource_class.find_by_email(email)
  end

  def check_password_authentication_available
    if resource
      return if resource.allow_password_authentication?
    else
      return if Gitlab::CurrentSettings.password_authentication_enabled?
    end

    redirect_to after_sending_reset_password_instructions_path_for(resource_name),
      alert: "Password authentication is unavailable."
  end

  def throttle_reset
    return unless resource && resource.recently_sent_password_reset?

    # Throttle reset attempts, but return a normal message to
    # avoid user enumeration attack.
    redirect_to new_user_session_path,
      notice: I18n.t('devise.passwords.send_paranoid_instructions')
  end
end
Do not allow password reset for ldap user. 2014-03-18 07:25:49 -04:00			`class PasswordsController < Devise::PasswordsController`
Allow logged in user to change his password Users were unable to change their password through the "Reset password" link that was sent to their email if they were logged in. This is due to a default controller filter from Devise that requires the user to not be logged in in order to use this link. 2017-12-31 00:08:15 -05:00			`skip_before_action :require_no_authentication, only: [:edit, :update]`

Refactor PasswordsController to use before_actions 2015-10-01 21:47:27 -04:00			`before_action :resource_from_email, only: [:create]`
Allow password authentication to be disabled entirely 2017-11-23 08:16:14 -05:00			`before_action :check_password_authentication_available, only: [:create]`
Refactor PasswordsController to use before_actions 2015-10-01 21:47:27 -04:00			`before_action :throttle_reset, only: [:create]`
Handle password reset for users with 2FA enabled 2015-05-11 14:31:31 -04:00
Redirect if password reset token is expired Don't display the password editing form if the user's token is expired; redirect to the form that allows users to request a new password reset token. 2015-05-13 22:29:15 -04:00			`def edit`
			`super`
			`reset_password_token = Devise.token_generator.digest(`
			`User,`
			`:reset_password_token,`
			`resource.reset_password_token`
			`)`

			`unless reset_password_token.nil?`
			`user = User.where(`
			`reset_password_token: reset_password_token`
			`).first_or_initialize`

			`unless user.reset_password_period_valid?`
			`flash[:alert] = 'Your password reset token has expired.'`
Fill in email on the new password form 2015-05-13 23:57:16 -04:00			`redirect_to(new_user_password_url(user_email: user['email']))`
Redirect if password reset token is expired Don't display the password editing form if the user's token is expired; redirect to the form that allows users to request a new password reset token. 2015-05-13 22:29:15 -04:00			`end`
			`end`
			`end`
Only allow password reset emails once per minute Addresses internal https://dev.gitlab.org/gitlab/gitlabhq/issues/2611 2015-09-30 15:38:21 -04:00
Allow the initial admin to set a password Closes #1980 2016-03-02 17:48:49 -05:00			`def update`
			`super do \|resource\|`
Allow password authentication to be disabled entirely 2017-11-23 08:16:14 -05:00			`if resource.valid? && resource.password_automatically_set?`
Allow the initial admin to set a password Closes #1980 2016-03-02 17:48:49 -05:00			`resource.update_attribute(:password_automatically_set, false)`
			`end`
			`end`
			`end`

Refactor PasswordsController to use before_actions 2015-10-01 21:47:27 -04:00			`protected`

			`def resource_from_email`
			`email = resource_params[:email]`
			`self.resource = resource_class.find_by_email(email)`
			`end`

Allow password authentication to be disabled entirely 2017-11-23 08:16:14 -05:00			`def check_password_authentication_available`
			`if resource`
			`return if resource.allow_password_authentication?`
			`else`
use Gitlab::UserSettings directly as a singleton instead of including/extending it 2018-02-02 13:39:55 -05:00			`return if Gitlab::CurrentSettings.password_authentication_enabled?`
Allow password authentication to be disabled entirely 2017-11-23 08:16:14 -05:00			`end`
Refactor PasswordsController to use before_actions 2015-10-01 21:47:27 -04:00
			`redirect_to after_sending_reset_password_instructions_path_for(resource_name),`
Allow password authentication to be disabled entirely 2017-11-23 08:16:14 -05:00			`alert: "Password authentication is unavailable."`
Refactor PasswordsController to use before_actions 2015-10-01 21:47:27 -04:00			`end`

			`def throttle_reset`
			`return unless resource && resource.recently_sent_password_reset?`
Only allow password reset emails once per minute Addresses internal https://dev.gitlab.org/gitlab/gitlabhq/issues/2611 2015-09-30 15:38:21 -04:00
Use devise paranoid mode and ensure the same message is returned every time Skipped CI because it has already passed. Had to rebase due to CHANGELOG. 2015-12-09 12:45:26 -05:00			`# Throttle reset attempts, but return a normal message to`
			`# avoid user enumeration attack.`
			`redirect_to new_user_session_path,`
			`notice: I18n.t('devise.passwords.send_paranoid_instructions')`
Only allow password reset emails once per minute Addresses internal https://dev.gitlab.org/gitlab/gitlabhq/issues/2611 2015-09-30 15:38:21 -04:00			`end`
Do not allow password reset for ldap user. 2014-03-18 07:25:49 -04:00			`end`