ba79d1e5b8
Enable Devise paranoid mode and ensure the returned message is the same every time. This will prevent user enumeration (low impact). Prior to this change a user could type an email in the password reset field and if the email didn't exist it returned an error. If the email was valid it returned a message saying the forgot password link had been emailed. After this change the user will receive a message that if the email is in our database the reset link will be emailed. I also changed the throttle mechanism so it still works the same but now returns the exact same message as above. Previously it would say 'You've already sent a request. Wait a few minutes'. This also allows user enumeration, although it requires a double-check. Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624 See merge request !2044 |
||
---|---|---|
.. | ||
benchmarks | ||
controllers | ||
factories | ||
features | ||
finders | ||
fixtures | ||
helpers | ||
javascripts | ||
lib | ||
mailers | ||
models | ||
requests | ||
routing | ||
services | ||
support | ||
tasks/gitlab | ||
views/help | ||
workers | ||
factories.rb | ||
factories_spec.rb | ||
rails_helper.rb | ||
spec_helper.rb | ||
teaspoon_env.rb |