devise 3.0.3 → 3.0.4



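--- a/PATH-NOT-SHOWN (changelog)
+++ b/PATH-NOT-SHOWN (changelog)
@@ -1,3 +1,10 @@
+== 3.0.4
+
+Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
+
+* bug fix
+* Avoid e-mail enumeration on sign in when in paranoid mode
+
 == 3.0.3
 
 * bug fix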
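--- a/PATH-NOT-SHOWN (lockfile, remote: .)
+++ b/PATH-NOT-SHOWN (lockfile, remote: .)
@@ -12,7 +12,7 @@ GIT
 PATH
 remote: .
 specs:
-devise (3.0.3)
+devise (3.0.4)
 bcrypt-ruby (~> 3.0)
 orm_adapter (~> 0.1)
 railties (>= 3.2.6, < 5)
@@ -47,7 +47,7 @@ GEM
 tzinfo (~> 0.3.37)
 arel (4.0.0)
 atomic (1.1.10)
-bcrypt-ruby (3.1.1)
+bcrypt-ruby (3.1.2)
 builder (3.1.4)
 erubis (2.7.0)
 faraday (0.8.7)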
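--- a/PATH-NOT-SHOWN (lockfile, remote: ..)
+++ b/PATH-NOT-SHOWN (lockfile, remote: ..)
@@ -1,7 +1,7 @@
 PATH
 remote: ..
 specs:
-devise (3.0.3)
+devise (3.0.4)
 bcrypt-ruby (~> 3.0)
 orm_adapter (~> 0.1)
 railties (>= 3.2.6, < 5)
@@ -38,7 +38,7 @@ GEM
 i18n (= 0.6.1)
 multi_json (~> 1.0)
 arel (3.0.2)
-bcrypt-ruby (3.1.1)
+bcrypt-ruby (3.1.2)
 builder (3.0.4)
 erubis (2.7.0)
 faraday (0.8.7)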
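--- a/PATH-NOT-SHOWN (Devise::Strategies::DatabaseAuthenticatable)
+++ b/PATH-NOT-SHOWN (Devise::Strategies::DatabaseAuthenticatable)
@@ -5,13 +5,16 @@ module Devise
 # Default strategy for signing in a user, based on his email and password in the database.
 class DatabaseAuthenticatable < Authenticatable
 def authenticate!
-resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
-return fail(:not_found_in_database) unless resource
+resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+encrypted = false
 
-if validate(resource){ resource.valid_password?(password) }
+if validate(resource){ encrypted = true; resource.valid_password?(password) }
 resource.after_database_authentication
 success!(resource)
 end
+
+mapping.to.new.password = password if !encrypted && Devise.paranoid
+fail(:not_found_in_database) unless resource
 end
 end
 end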
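Review bot: The new line `mapping.to.new.password = password if !encrypted && Devise.paranoid` needs a comment, because it reads as a throwaway assignment that a later cleanup will delete, while it is the actual fix named in the changelog ("Avoid e-mail enumeration on sign in when in paranoid mode"): it runs the password hashing path even when no resource was found or `validate` never yielded, so that in paranoid mode a missing account is not distinguishable from a wrong password by response time. I would add above it `# Paranoid mode: hash the password even when no resource was found, so that` / `# an unknown e-mail is not distinguishable by response time (timing side channel).` and rename `encrypted` to something like `password_hashed`, since the flag records whether a hash was computed inside the `validate` block, not whether anything was encrypted. The comment should also state the assumption this relies on, presumably that the model's `password=` performs the digest on an unsaved instance built with `new`; if a model overrides `password=` to skip hashing there, the equalisation silently stops working. The method, class and module all close inside this hunk.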
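--- a/PATH-NOT-SHOWN (Devise::VERSION)
+++ b/PATH-NOT-SHOWN (Devise::VERSION)
@@ -1,3 +1,3 @@
 module Devise
-VERSION = "3.0.3".freeze
+VERSION = "3.0.4".freeze
 end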
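--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-version: 3.0.3
+version: 3.0.4
 prerelease:
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-08-18 00:00:00.000000000 Z
+date: 2013-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: warden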