ba79d1e5b8
Enable Devise paranoid mode and ensure the returned message is the same every time. This will prevent user enumeration (low impact). Prior to this change a user could type an email in the password reset field and if the email didn't exist it returned an error. If the email was valid it returned a message saying the forgot password link had been emailed. After this change the user will receive a message that if the email is in our database the reset link will be emailed. I also changed the throttle mechanism so it still works the same but now returns the exact same message as above. Previously it would say 'You've already sent a request. Wait a few minutes'. This also allows user enumeration, although it requires a double-check. Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624 See merge request !2044 |
||
|---|---|---|
| .. | ||
| admin | ||
| atom | ||
| ci | ||
| issues | ||
| merge_requests | ||
| profiles | ||
| security | ||
| builds_spec.rb | ||
| ci_settings_spec.rb | ||
| ci_web_hooks_spec.rb | ||
| commits_spec.rb | ||
| gitlab_flavored_markdown_spec.rb | ||
| groups_spec.rb | ||
| help_pages_spec.rb | ||
| issues_spec.rb | ||
| login_spec.rb | ||
| markdown_spec.rb | ||
| notes_on_merge_requests_spec.rb | ||
| password_reset_spec.rb | ||
| profile_spec.rb | ||
| projects_spec.rb | ||
| runners_spec.rb | ||
| search_spec.rb | ||
| task_lists_spec.rb | ||
| triggers_spec.rb | ||
| users_spec.rb | ||
| variables_spec.rb | ||