Merge pull request #5043 from maestrano/increment-failed-attempts-concurency

Backport CVE-2019-5421 fix to 3.x
This commit is contained in:
Leonardo Tegon
2019-03-26 11:33:35 -03:00
committed by GitHub
2 changed files with 13 additions and 2 deletions


@@ -99,8 +99,8 @@ module Devise
if super && !access_locked? if super && !access_locked?
true true
else else
self.failed_attempts ||= 0 self.class.increment_counter(:failed_attempts, id)
self.failed_attempts += 1 reload
if attempts_exceeded? if attempts_exceeded?
lock_access! unless access_locked? lock_access! unless access_locked?
else else
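Review bot: The `reload` on the new side discards every unsaved attribute change on the record, not only the stale `failed_attempts` value, so a caller that assigned attributes before invoking this method silently loses them; the pair of lines deserves a comment stating the intent so nobody "simplifies" it back to an in-memory increment, e.g. `# Increment in SQL and reload so concurrent failed logins cannot lose updates (CVE-2019-5421); reload also drops unsaved in-memory changes.` Because `increment_counter` writes the row directly, callbacks, validations and `updated_at` are bypassed, and a record with no `id` is left untouched where the old `||= 0` / `+= 1` path still counted the attempt in memory — whether an unsaved record can reach this branch I cannot tell from the hunk, but a guard or comment would settle it. The enclosing method (presumably `valid_for_authentication?`, which the new test exercises) starts and ends outside the hunk.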


@@ -37,6 +37,17 @@ class LockableTest < ActiveSupport::TestCase
end end
end end
test "should read failed_attempts from database when incrementing" do
user = create_user
initial_failed_attempts = user.failed_attempts
same_user = User.find(user.id)
user.valid_for_authentication?{ false }
same_user.valid_for_authentication?{ false }
assert_equal initial_failed_attempts + 2, user.reload.failed_attempts
end
test 'should be valid for authentication with a unlocked user' do test 'should be valid for authentication with a unlocked user' do
user = create_user user = create_user
user.lock_access! user.lock_access!