Fix sub-second timing comparison error for Devise confirmation period

On databases such as MySQL, it's possible to get into a timing comparison error if the value of `Confirmable#confirmation_sent_at` is within a second of `0.days.ago`. This is possible mostly in specs that test this behavior and most likely not happening in practice. The result of this error causes a user to be deemed active when it should be inactive. To prevent this error, we explicitly check the configuration setting to be `0.days.ago`. Closes gitlab-org/gitlab-ee#2362

Fix sub-second timing comparison error for Devise confirmation period
c175c30d · Stan Hu · 8b9cd3c0 · c175c30d
Commit c175c30d authored May 07, 2017 by Stan Hu
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

user.rb app/models/user.rb +9 -0

No files found.
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1000,6 +1000,15 @@ class User < ActiveRecord::Base
    devise_mailer.send(notification, self, *args).deliver_later
  end

+  # This works around a bug in Devise 4.2.0 that erroneously causes a user to
+  # be considered active in MySQL specs due to a sub-second comparison
+  # issue. For more details, see: https://gitlab.com/gitlab-org/gitlab-ee/issues/2362#note_29004709
+  def confirmation_period_valid?
+    return false if self.class.allow_unconfirmed_access_for == 0.days
+
+    super
+  end
+
  def ensure_external_user_rights
    return unless external?