Patch #17717 ยป 0001-Delete-tokens-on-mail-or-password-change.patch
| app/models/user.rb | ||
| 112 | 112 |
before_create :set_mail_notification |
| 113 | 113 |
before_save :generate_password_if_needed, :update_hashed_password |
| 114 | 114 |
before_destroy :remove_references_before_destroy |
| 115 |
after_save :update_notified_project_ids |
|
| 115 |
after_save :update_notified_project_ids, :destroy_tokens
|
|
| 116 | 116 |
scope :in_group, lambda {|group|
|
| 117 | 117 |
group_id = group.is_a?(Group) ? group.id : group.to_i |
| ... | ... | |
| 677 | 677 |
end |
| 678 | 678 |
end |
| 679 |
# Delete all outstanding password reset tokens on password or email change. |
|
| 680 |
# Delete the autologin tokens on password change to prohibit session leakage. |
|
| 681 |
# This helps to keep keep the account secure in case the associated email |
|
| 682 |
# account was compromised. |
|
| 683 |
def destroy_tokens |
|
| 684 |
tokens = [] |
|
| 685 |
tokens |= ['recovery', 'autologin'] if changes.has_key?('hashed_password')
|
|
| 686 |
tokens |= ['recovery'] if changes.has_key?('mail')
|
|
| 687 | ||
| 688 |
Token.delete_all(['user_id = ? AND action IN (?)', self.id, tokens]) if tokens.any? |
|
| 689 |
end |
|
| 690 | ||
| 679 | 691 |
# Removes references that are not handled by associations |
| 680 | 692 |
# Things that are not deleted are reassociated with the anonymous user |
| 681 | 693 |
def remove_references_before_destroy |
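Review bot: `destroy_tokens` (new lines 683–689) decides what to delete by reading `changes` inside an `after_save` callback; on the Rails series this patch targets that hash is still populated there, but it is also populated on create (`hashed_password` goes from nil to a value), so every new user issues a `DELETE` against tokens that cannot match — harmless, but a guard such as `return if changes.key?('id')` would skip it if that query matters here. The doc comment on new line 681 has a doubled word: `# This helps to keep the account secure in case the associated email`. Style-wise the body can drop the explicit receiver and use literal shorthand: `tokens |= %w[recovery autologin] if changes.key?('hashed_password')` and `Token.delete_all(['user_id = ? AND action IN (?)', id, tokens]) if tokens.any?`. The mail-change path intentionally keeps autologin tokens, which the accompanying test pins down; if this code base ever moves to a Rails version where `changes` is cleared before `after_save` runs, the deletion would silently stop, so keeping those tests is what protects the behaviour.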
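--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -403,5 +403,30 @@
 end
 end
+def test_password_change_should_destroy_tokens
+recovery_token = Token.create!(:user_id => 2, :action => 'recovery')
+autologin_token = Token.create!(:user_id => 2, :action => 'autologin')
+
+user = User.find(2)
+user.password, user.password_confirmation = "a new password", "a new password"
+assert user.save
+
+assert_nil Token.find_by_id(recovery_token.id)
+assert_nil Token.find_by_id(autologin_token.id)
+end
+
+def test_mail_change_should_destroy_tokens
+recovery_token = Token.create!(:user_id => 2, :action => 'recovery')
+autologin_token = Token.create!(:user_id => 2, :action => 'autologin')
+
+user = User.find(2)
+user.mail = "user@somwehere.com"
+assert user.save
+
+assert_nil Token.find_by_id(recovery_token.id)
+assert_equal autologin_token, Token.find_by_id(autologin_token.id)
+end
+
+
 def test_validate_login_presence
 @admin.login = ""
 assert !@admin.save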
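Review bot: The new tests (new lines 405–427) only exercise the positive paths; nothing checks that a save which touches neither password nor mail leaves both tokens in place, so a regression that deletes tokens on every save would still pass this suite. The mail value on new line 422, `user@somwehere.com`, reads like a typo and is better written `user@somewhere.com` so it is not mistaken for a deliberate edge case. Both tests presumably rely on fixture user 2 having a different mail and password than the values assigned; if that ever stops being true, `changes` would not contain the attribute and the assertions would fail for the wrong reason. A negative test along the following lines closes the gap.
```ruby
def test_unrelated_change_should_not_destroy_tokens
  recovery_token = Token.create!(:user_id => 2, :action => 'recovery')
  autologin_token = Token.create!(:user_id => 2, :action => 'autologin')

  user = User.find(2)
  user.firstname = "Changed"
  assert user.save

  assert_equal recovery_token, Token.find_by_id(recovery_token.id)
  assert_equal autologin_token, Token.find_by_id(autologin_token.id)
end
```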