Release v2.2.8

CHANGELOG.rdoc

@@ -1,3 +1,15 @@
+== 2.2.8
+
+Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
+
+* bug fix
+  * Avoid e-mail enumeration on sign in when in paranoid mode
+
+== 2.2.7
+
+* bug fix
+  * Do not confirm account after reset password
+
 == 2.2.6
 
 * bug fix

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (2.2.6)
+    devise (2.2.8)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (~> 3.1)
@@ -38,7 +38,7 @@ GEM
       i18n (= 0.6.1)
       multi_json (~> 1.0)
     arel (3.0.2)
-    bcrypt-ruby (3.1.1)
+    bcrypt-ruby (3.1.2)
     builder (3.0.4)
     erubis (2.7.0)
     faraday (0.8.7)

gemfiles/Gemfile.rails-3.1.x.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    devise (2.2.6)
+    devise (2.2.8)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (~> 3.1)
@@ -39,7 +39,7 @@ GEM
     activesupport (3.1.12)
       multi_json (~> 1.0)
     arel (2.2.3)
-    bcrypt-ruby (3.1.1)
+    bcrypt-ruby (3.1.2)
     builder (3.0.4)
     columnize (0.3.6)
     erubis (2.7.0)

lib/devise/models/confirmable.rb

@@ -215,11 +215,6 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
-        def after_password_reset
-          super
-          confirm! unless confirmed?
-        end
-
         def postpone_email_change_until_confirmation
           @reconfirmation_required = true
           self.unconfirmed_email = self.email

lib/devise/strategies/database_authenticatable.rb

@@ -5,13 +5,16 @@ module Devise
     # Default strategy for signing in a user, based on his email and password in the database.
     class DatabaseAuthenticatable < Authenticatable
       def authenticate!
-        resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
-        return fail(:not_found_in_database) unless resource
+        resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+        encrypted = false
 
-        if validate(resource){ resource.valid_password?(password) }
+        if validate(resource){ encrypted = true; resource.valid_password?(password) }
           resource.after_database_authentication
           success!(resource)
         end
+
+        mapping.to.new.password = password if !encrypted && Devise.paranoid
+        fail(:not_found_in_database) unless resource
       end
     end
   end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.2.6".freeze
+  VERSION = "2.2.8".freeze
 end

test/controllers/passwords_controller_test.rb

@@ -7,7 +7,7 @@ class PasswordsControllerTest < ActionController::TestCase
   def setup
     request.env["devise.mapping"] = Devise.mappings[:user]
 
-    @user = create_user
+    @user = create_user.tap(&:confirm!)
     @user.send_reset_password_instructions
   end
 

test/integration/recoverable_test.rb

@@ -229,15 +229,6 @@ class PasswordTest < ActionDispatch::IntegrationTest
     end
   end
 
-  test 'sign in user automatically and confirm after changing its password if it\'s not confirmed' do
-    user = create_user(:confirm => false)
-    request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token
-
-    assert warden.authenticated?(:user)
-    assert user.reload.confirmed?
-  end
-
   test 'reset password request with valid E-Mail in XML format should return valid response' do
     create_user
     post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}