mirror of
https://github.com/heartcombo/devise.git
synced 2026-01-12 00:08:34 -05:00
Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
0a0681c663 | ||
|
|
96c456a72f | ||
|
|
6a7011e84b | ||
|
|
ceda14210d |
@@ -1,3 +1,10 @@
|
||||
== 3.1.2
|
||||
|
||||
Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
|
||||
|
||||
* bug fix
|
||||
* Avoid e-mail enumeration on sign in when in paranoid mode
|
||||
|
||||
== 3.1.1
|
||||
|
||||
* bug fix
|
||||
|
||||
@@ -12,7 +12,7 @@ GIT
|
||||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
devise (3.1.1)
|
||||
devise (3.1.2)
|
||||
bcrypt-ruby (~> 3.0)
|
||||
orm_adapter (~> 0.1)
|
||||
railties (>= 3.2.6, < 5)
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
PATH
|
||||
remote: ..
|
||||
specs:
|
||||
devise (3.1.1)
|
||||
devise (3.1.2)
|
||||
bcrypt-ruby (~> 3.0)
|
||||
orm_adapter (~> 0.1)
|
||||
railties (>= 3.2.6, < 5)
|
||||
@@ -39,7 +39,7 @@ GEM
|
||||
i18n (~> 0.6, >= 0.6.4)
|
||||
multi_json (~> 1.0)
|
||||
arel (3.0.2)
|
||||
atomic (1.1.13)
|
||||
atomic (1.1.14)
|
||||
bcrypt-ruby (3.1.2)
|
||||
builder (3.0.4)
|
||||
erubis (2.7.0)
|
||||
@@ -125,7 +125,7 @@ GEM
|
||||
tilt (~> 1.1, != 1.3.0)
|
||||
sqlite3 (1.3.7)
|
||||
thor (0.18.1)
|
||||
thread_safe (0.1.2)
|
||||
thread_safe (0.1.3)
|
||||
atomic
|
||||
tilt (1.4.1)
|
||||
treetop (1.4.14)
|
||||
|
||||
@@ -47,19 +47,25 @@ module Devise
|
||||
end
|
||||
|
||||
def sign_in
|
||||
default_params.permit self.for(:sign_in)
|
||||
permit self.for(:sign_in)
|
||||
end
|
||||
|
||||
def sign_up
|
||||
default_params.permit self.for(:sign_up)
|
||||
permit self.for(:sign_up)
|
||||
end
|
||||
|
||||
def account_update
|
||||
default_params.permit self.for(:account_update)
|
||||
permit self.for(:account_update)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
# TODO: We do need to flatten so it works with strong_parameters
|
||||
# gem. We should drop it once we move to Rails 4 only support.
|
||||
def permit(keys)
|
||||
default_params.permit(*Array(keys))
|
||||
end
|
||||
|
||||
# Change for(kind) to return the values in the @permitted
|
||||
# hash, allowing the developer to customize at runtime.
|
||||
def default_for(kind)
|
||||
|
||||
@@ -5,13 +5,16 @@ module Devise
|
||||
# Default strategy for signing in a user, based on his email and password in the database.
|
||||
class DatabaseAuthenticatable < Authenticatable
|
||||
def authenticate!
|
||||
resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
|
||||
return fail(:not_found_in_database) unless resource
|
||||
resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
|
||||
encrypted = false
|
||||
|
||||
if validate(resource){ resource.valid_password?(password) }
|
||||
if validate(resource){ encrypted = true; resource.valid_password?(password) }
|
||||
resource.after_database_authentication
|
||||
success!(resource)
|
||||
end
|
||||
|
||||
mapping.to.new.password = password if !encrypted && Devise.paranoid
|
||||
fail(:not_found_in_database) unless resource
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
module Devise
|
||||
VERSION = "3.1.1".freeze
|
||||
VERSION = "3.1.2".freeze
|
||||
end
|
||||
|
||||
@@ -68,5 +68,14 @@ if defined?(ActionController::StrongParameters)
|
||||
sanitizer.sanitize(:unknown)
|
||||
end
|
||||
end
|
||||
|
||||
test 'passes parameters to filter as arguments to sanitizer' do
|
||||
params = {user: stub}
|
||||
sanitizer = Devise::ParameterSanitizer.new(User, :user, params)
|
||||
|
||||
params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))
|
||||
|
||||
sanitizer.sanitize(:sign_in)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user