spec · 57af1231f2e99ab525d8c1fda2e0888e41a873a5 · Forest Godfrey / gitlab-ce

Merge branch 'devise_paranoid_mode' into 'master' · ba79d1e5

authored Dec 10, 2015

Enable Devise paranoid mode and ensure the returned message is the same
every time. This will prevent user enumeration (low impact). 

Prior to this change a user could type an email in the password reset
field and if the email didn't exist it returned an error. If the email
was valid it returned a message saying the forgot password link had been
emailed. After this change the user will receive a message that if the
email is in our database the reset link will be emailed. 

I also changed the throttle mechanism so it still works the same but
now returns the exact same message as above. Previously it would say
'You've already sent a request. Wait a few minutes'. This also allows
user enumeration, although it requires a double-check.

Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624

See merge request !2044

ba79d1e5

Name	Last commit	Last update
..
benchmarks		Loading commit data...
controllers		Loading commit data...
factories		Loading commit data...
features		Loading commit data...
finders		Loading commit data...
fixtures		Loading commit data...
helpers		Loading commit data...
javascripts		Loading commit data...
lib		Loading commit data...
mailers		Loading commit data...
models		Loading commit data...
requests		Loading commit data...
routing		Loading commit data...
services		Loading commit data...
support		Loading commit data...
tasks/gitlab		Loading commit data...
views/help		Loading commit data...
workers		Loading commit data...
factories.rb		Loading commit data...
factories_spec.rb		Loading commit data...
rails_helper.rb		Loading commit data...
spec_helper.rb		Loading commit data...
teaspoon_env.rb		Loading commit data...