clearance 1.14.2 → 1.15.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of clearance might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Gemfile.lock +42 -40
- data/NEWS.md +9 -0
- data/app/controllers/clearance/passwords_controller.rb +10 -2
- data/lib/clearance/version.rb +1 -1
- data/spec/controllers/passwords_controller_spec.rb +15 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7bb2bb2c93d7a915a585bf008496f66e69f272fe
|
|
4
|
+
data.tar.gz: 9e9a73d70582de69577f96be2b8115bedd60ce75
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4c21a76171c25a1b76e621349d8a63cee76dd81d0c16963488879f02580f3b94899ca5208a48eeb61eb61170e8eb56f5a273f061fbcaf36ee6e06886a30bbd7a
|
|
7
|
+
data.tar.gz: 883d40555e789e06157a31527d1275b5f6b2100f85542a65d345a587364d5fdf6c1962bba1f0befe91f5ccdf0a6cd5cc50175839e1c0dc0cf34b0e7c9d5cb782
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
clearance (1.
|
|
4
|
+
clearance (1.15.0)
|
|
5
5
|
bcrypt
|
|
6
6
|
email_validator (~> 1.4)
|
|
7
7
|
rails (>= 3.1)
|
|
@@ -9,36 +9,36 @@ PATH
|
|
|
9
9
|
GEM
|
|
10
10
|
remote: https://rubygems.org/
|
|
11
11
|
specs:
|
|
12
|
-
actionmailer (4.2.
|
|
13
|
-
actionpack (= 4.2.
|
|
14
|
-
actionview (= 4.2.
|
|
15
|
-
activejob (= 4.2.
|
|
12
|
+
actionmailer (4.2.7.1)
|
|
13
|
+
actionpack (= 4.2.7.1)
|
|
14
|
+
actionview (= 4.2.7.1)
|
|
15
|
+
activejob (= 4.2.7.1)
|
|
16
16
|
mail (~> 2.5, >= 2.5.4)
|
|
17
17
|
rails-dom-testing (~> 1.0, >= 1.0.5)
|
|
18
|
-
actionpack (4.2.
|
|
19
|
-
actionview (= 4.2.
|
|
20
|
-
activesupport (= 4.2.
|
|
18
|
+
actionpack (4.2.7.1)
|
|
19
|
+
actionview (= 4.2.7.1)
|
|
20
|
+
activesupport (= 4.2.7.1)
|
|
21
21
|
rack (~> 1.6)
|
|
22
22
|
rack-test (~> 0.6.2)
|
|
23
23
|
rails-dom-testing (~> 1.0, >= 1.0.5)
|
|
24
24
|
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
|
25
|
-
actionview (4.2.
|
|
26
|
-
activesupport (= 4.2.
|
|
25
|
+
actionview (4.2.7.1)
|
|
26
|
+
activesupport (= 4.2.7.1)
|
|
27
27
|
builder (~> 3.1)
|
|
28
28
|
erubis (~> 2.7.0)
|
|
29
29
|
rails-dom-testing (~> 1.0, >= 1.0.5)
|
|
30
30
|
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
|
31
|
-
activejob (4.2.
|
|
32
|
-
activesupport (= 4.2.
|
|
31
|
+
activejob (4.2.7.1)
|
|
32
|
+
activesupport (= 4.2.7.1)
|
|
33
33
|
globalid (>= 0.3.0)
|
|
34
|
-
activemodel (4.2.
|
|
35
|
-
activesupport (= 4.2.
|
|
34
|
+
activemodel (4.2.7.1)
|
|
35
|
+
activesupport (= 4.2.7.1)
|
|
36
36
|
builder (~> 3.1)
|
|
37
|
-
activerecord (4.2.
|
|
38
|
-
activemodel (= 4.2.
|
|
39
|
-
activesupport (= 4.2.
|
|
37
|
+
activerecord (4.2.7.1)
|
|
38
|
+
activemodel (= 4.2.7.1)
|
|
39
|
+
activesupport (= 4.2.7.1)
|
|
40
40
|
arel (~> 6.0)
|
|
41
|
-
activesupport (4.2.
|
|
41
|
+
activesupport (4.2.7.1)
|
|
42
42
|
i18n (~> 0.7)
|
|
43
43
|
json (~> 1.7, >= 1.7.7)
|
|
44
44
|
minitest (~> 5.1)
|
|
@@ -75,7 +75,7 @@ GEM
|
|
|
75
75
|
factory_girl_rails (4.7.0)
|
|
76
76
|
factory_girl (~> 4.7.0)
|
|
77
77
|
railties (>= 3.0.0)
|
|
78
|
-
globalid (0.3.
|
|
78
|
+
globalid (0.3.7)
|
|
79
79
|
activesupport (>= 4.1.0)
|
|
80
80
|
i18n (0.7.0)
|
|
81
81
|
json (1.8.3)
|
|
@@ -84,13 +84,15 @@ GEM
|
|
|
84
84
|
mail (2.6.4)
|
|
85
85
|
mime-types (>= 1.16, < 4)
|
|
86
86
|
method_source (0.8.2)
|
|
87
|
-
mime-types (3.
|
|
87
|
+
mime-types (3.1)
|
|
88
88
|
mime-types-data (~> 3.2015)
|
|
89
|
-
mime-types-data (3.2016.
|
|
90
|
-
mini_portile2 (2.
|
|
91
|
-
minitest (5.
|
|
92
|
-
nokogiri (1.6.
|
|
93
|
-
mini_portile2 (~> 2.
|
|
89
|
+
mime-types-data (3.2016.0521)
|
|
90
|
+
mini_portile2 (2.1.0)
|
|
91
|
+
minitest (5.9.1)
|
|
92
|
+
nokogiri (1.6.8)
|
|
93
|
+
mini_portile2 (~> 2.1.0)
|
|
94
|
+
pkg-config (~> 1.1.7)
|
|
95
|
+
pkg-config (1.1.7)
|
|
94
96
|
pry (0.10.3)
|
|
95
97
|
coderay (~> 1.1.0)
|
|
96
98
|
method_source (~> 0.8.1)
|
|
@@ -98,16 +100,16 @@ GEM
|
|
|
98
100
|
rack (1.6.4)
|
|
99
101
|
rack-test (0.6.3)
|
|
100
102
|
rack (>= 1.0)
|
|
101
|
-
rails (4.2.
|
|
102
|
-
actionmailer (= 4.2.
|
|
103
|
-
actionpack (= 4.2.
|
|
104
|
-
actionview (= 4.2.
|
|
105
|
-
activejob (= 4.2.
|
|
106
|
-
activemodel (= 4.2.
|
|
107
|
-
activerecord (= 4.2.
|
|
108
|
-
activesupport (= 4.2.
|
|
103
|
+
rails (4.2.7.1)
|
|
104
|
+
actionmailer (= 4.2.7.1)
|
|
105
|
+
actionpack (= 4.2.7.1)
|
|
106
|
+
actionview (= 4.2.7.1)
|
|
107
|
+
activejob (= 4.2.7.1)
|
|
108
|
+
activemodel (= 4.2.7.1)
|
|
109
|
+
activerecord (= 4.2.7.1)
|
|
110
|
+
activesupport (= 4.2.7.1)
|
|
109
111
|
bundler (>= 1.3.0, < 2.0)
|
|
110
|
-
railties (= 4.2.
|
|
112
|
+
railties (= 4.2.7.1)
|
|
111
113
|
sprockets-rails
|
|
112
114
|
rails-deprecated_sanitizer (1.0.3)
|
|
113
115
|
activesupport (>= 4.2.0.alpha)
|
|
@@ -117,12 +119,12 @@ GEM
|
|
|
117
119
|
rails-deprecated_sanitizer (>= 1.0.1)
|
|
118
120
|
rails-html-sanitizer (1.0.3)
|
|
119
121
|
loofah (~> 2.0)
|
|
120
|
-
railties (4.2.
|
|
121
|
-
actionpack (= 4.2.
|
|
122
|
-
activesupport (= 4.2.
|
|
122
|
+
railties (4.2.7.1)
|
|
123
|
+
actionpack (= 4.2.7.1)
|
|
124
|
+
activesupport (= 4.2.7.1)
|
|
123
125
|
rake (>= 0.8.7)
|
|
124
126
|
thor (>= 0.18.1, < 2.0)
|
|
125
|
-
rake (11.
|
|
127
|
+
rake (11.3.0)
|
|
126
128
|
rspec-core (3.4.4)
|
|
127
129
|
rspec-support (~> 3.4.0)
|
|
128
130
|
rspec-expectations (3.4.0)
|
|
@@ -143,10 +145,10 @@ GEM
|
|
|
143
145
|
shoulda-matchers (2.8.0)
|
|
144
146
|
activesupport (>= 3.0.0)
|
|
145
147
|
slop (3.6.0)
|
|
146
|
-
sprockets (3.
|
|
148
|
+
sprockets (3.7.0)
|
|
147
149
|
concurrent-ruby (~> 1.0)
|
|
148
150
|
rack (> 1, < 3)
|
|
149
|
-
sprockets-rails (3.0
|
|
151
|
+
sprockets-rails (3.2.0)
|
|
150
152
|
actionpack (>= 4.0)
|
|
151
153
|
activesupport (>= 4.0)
|
|
152
154
|
sprockets (>= 3.0.0)
|
data/NEWS.md
CHANGED
|
@@ -3,6 +3,15 @@
|
|
|
3
3
|
The noteworthy changes for each Clearance version are included here. For a
|
|
4
4
|
complete changelog, see the git history for each version via the version links.
|
|
5
5
|
|
|
6
|
+
## [1.15.0] - September 26, 2016
|
|
7
|
+
|
|
8
|
+
### Security
|
|
9
|
+
- Prevent possible password reset token leak to external sites linked to on the
|
|
10
|
+
password reset page. See [PR #707] for more information.
|
|
11
|
+
|
|
12
|
+
[PR #707]: https://github.com/thoughtbot/clearance/pull/707
|
|
13
|
+
[1.15.0]: https://github.com/thoughtbot/clearance/compare/v1.14.2...v1.15.0
|
|
14
|
+
|
|
6
15
|
## [1.14.2] - August 10, 2016
|
|
7
16
|
|
|
8
17
|
### Fixed
|
|
@@ -29,7 +29,13 @@ class Clearance::PasswordsController < Clearance::BaseController
|
|
|
29
29
|
|
|
30
30
|
def edit
|
|
31
31
|
@user = find_user_for_edit
|
|
32
|
-
|
|
32
|
+
|
|
33
|
+
if params[:token]
|
|
34
|
+
session[:password_reset_token] = params[:token]
|
|
35
|
+
redirect_to edit_user_password_url(@user)
|
|
36
|
+
else
|
|
37
|
+
render template: 'passwords/edit'
|
|
38
|
+
end
|
|
33
39
|
end
|
|
34
40
|
|
|
35
41
|
def new
|
|
@@ -42,6 +48,7 @@ class Clearance::PasswordsController < Clearance::BaseController
|
|
|
42
48
|
if @user.update_password password_reset_params
|
|
43
49
|
sign_in @user
|
|
44
50
|
redirect_to url_after_update
|
|
51
|
+
session[:password_reset_token] = nil
|
|
45
52
|
else
|
|
46
53
|
flash_failure_after_update
|
|
47
54
|
render template: 'passwords/edit'
|
|
@@ -71,9 +78,10 @@ class Clearance::PasswordsController < Clearance::BaseController
|
|
|
71
78
|
|
|
72
79
|
def find_user_by_id_and_confirmation_token
|
|
73
80
|
user_param = Clearance.configuration.user_id_parameter
|
|
81
|
+
token = session[:password_reset_token] || params[:token]
|
|
74
82
|
|
|
75
83
|
Clearance.configuration.user_model.
|
|
76
|
-
find_by_id_and_confirmation_token params[user_param],
|
|
84
|
+
find_by_id_and_confirmation_token params[user_param], token.to_s
|
|
77
85
|
end
|
|
78
86
|
|
|
79
87
|
def find_user_for_create
|
data/lib/clearance/version.rb
CHANGED
|
@@ -57,12 +57,25 @@ describe Clearance::PasswordsController do
|
|
|
57
57
|
end
|
|
58
58
|
|
|
59
59
|
describe "#edit" do
|
|
60
|
-
context "valid id and token are supplied" do
|
|
61
|
-
it "
|
|
60
|
+
context "valid id and token are supplied in url" do
|
|
61
|
+
it "redirects to the edit page with token now removed from url" do
|
|
62
62
|
user = create(:user, :with_forgotten_password)
|
|
63
63
|
|
|
64
64
|
get :edit, user_id: user, token: user.confirmation_token
|
|
65
65
|
|
|
66
|
+
expect(response).to be_redirect
|
|
67
|
+
expect(response).to redirect_to edit_user_password_url(user)
|
|
68
|
+
expect(session[:password_reset_token]).to eq user.confirmation_token
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
context "valid id in url and valid token in session" do
|
|
73
|
+
it "renders the password reset form" do
|
|
74
|
+
user = create(:user, :with_forgotten_password)
|
|
75
|
+
|
|
76
|
+
request.session[:password_reset_token] = user.confirmation_token
|
|
77
|
+
get :edit, user_id: user
|
|
78
|
+
|
|
66
79
|
expect(response).to be_success
|
|
67
80
|
expect(response).to render_template(:edit)
|
|
68
81
|
expect(assigns(:user)).to eq user
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: clearance
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.15.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dan Croak
|
|
@@ -25,7 +25,7 @@ authors:
|
|
|
25
25
|
autorequire:
|
|
26
26
|
bindir: bin
|
|
27
27
|
cert_chain: []
|
|
28
|
-
date: 2016-
|
|
28
|
+
date: 2016-09-27 00:00:00.000000000 Z
|
|
29
29
|
dependencies:
|
|
30
30
|
- !ruby/object:Gem::Dependency
|
|
31
31
|
name: bcrypt
|