devise 3.0.3 → 3.0.4



@@ -1,3 +1,10 @@
1
+ == 3.0.4
2
+
3
+ Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
4
+
5
+ * bug fix
6
+ * Avoid e-mail enumeration on sign in when in paranoid mode
7
+
1
8
  == 3.0.3
2
9
 
3
10
  * bug fix
@@ -12,7 +12,7 @@ GIT
12
12
  PATH
13
13
  remote: .
14
14
  specs:
15
- devise (3.0.3)
15
+ devise (3.0.4)
16
16
  bcrypt-ruby (~> 3.0)
17
17
  orm_adapter (~> 0.1)
18
18
  railties (>= 3.2.6, < 5)
@@ -47,7 +47,7 @@ GEM
47
47
  tzinfo (~> 0.3.37)
48
48
  arel (4.0.0)
49
49
  atomic (1.1.10)
50
- bcrypt-ruby (3.1.1)
50
+ bcrypt-ruby (3.1.2)
51
51
  builder (3.1.4)
52
52
  erubis (2.7.0)
53
53
  faraday (0.8.7)
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: ..
3
3
  specs:
4
- devise (3.0.3)
4
+ devise (3.0.4)
5
5
  bcrypt-ruby (~> 3.0)
6
6
  orm_adapter (~> 0.1)
7
7
  railties (>= 3.2.6, < 5)
@@ -38,7 +38,7 @@ GEM
38
38
  i18n (= 0.6.1)
39
39
  multi_json (~> 1.0)
40
40
  arel (3.0.2)
41
- bcrypt-ruby (3.1.1)
41
+ bcrypt-ruby (3.1.2)
42
42
  builder (3.0.4)
43
43
  erubis (2.7.0)
44
44
  faraday (0.8.7)
@@ -5,13 +5,16 @@ module Devise
5
5
  # Default strategy for signing in a user, based on his email and password in the database.
6
6
  class DatabaseAuthenticatable < Authenticatable
7
7
  def authenticate!
8
- resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
9
- return fail(:not_found_in_database) unless resource
8
+ resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
9
+ encrypted = false
10
10
 
11
- if validate(resource){ resource.valid_password?(password) }
11
+ if validate(resource){ encrypted = true; resource.valid_password?(password) }
12
12
  resource.after_database_authentication
13
13
  success!(resource)
14
14
  end
15
+
16
+ mapping.to.new.password = password if !encrypted && Devise.paranoid
17
+ fail(:not_found_in_database) unless resource
15
18
  end
16
19
  end
17
20
  end
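Review bot: The line `mapping.to.new.password = password if !encrypted && Devise.paranoid` carries no explanation of why an assignment on a throwaway model instance is performed, so a later maintainer could drop it as dead code and silently reintroduce the timing difference between "account exists" and "account does not exist" in paranoid mode; add `# Run the password hash even when no account was found (or no password was given) so that response time in paranoid mode does not reveal whether the e-mail is registered.` above it. The equalization is only as good as the cost match: presumably the model's `password=` hashes with the same stretches that `valid_password?` uses, which is worth confirming against the model mixin rather than assumed here. Note also that the dummy hash runs only when `Devise.paranoid` is true, so the non-paranoid path keeps its existing timing behaviour by design; a short comment stating that would make the trade-off explicit. As a point of style, the block `{ encrypted = true; resource.valid_password?(password) }` joins two statements with a semicolon; a `do ... end` block over two lines reads more clearly and is the form the community style guide recommends for multi-statement blocks.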
@@ -1,3 +1,3 @@
1
1
  module Devise
2
- VERSION = "3.0.3".freeze
2
+ VERSION = "3.0.4".freeze
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.3
4
+ version: 3.0.4
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2013-08-18 00:00:00.000000000 Z
13
+ date: 2013-11-13 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: warden