devise 3.0.3 → 3.0.4

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of devise might be problematic. Click here for more details.

Files changed (6) hide show
  1. data/CHANGELOG.rdoc +7 -0
  2. data/Gemfile.lock +2 -2
  3. data/gemfiles/Gemfile.rails-3.2.x.lock +2 -2
  4. data/lib/devise/strategies/database_authenticatable.rb +6 -3
  5. data/lib/devise/version.rb +1 -1
  6. metadata +2 -2
data/CHANGELOG.rdoc CHANGED
@@ -1,3 +1,10 @@
1
+ == 3.0.4
2
+
3
+ Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
4
+
5
+ * bug fix
6
+ * Avoid e-mail enumeration on sign in when in paranoid mode
7
+
1
8
  == 3.0.3
2
9
 
3
10
  * bug fix
data/Gemfile.lock CHANGED
@@ -12,7 +12,7 @@ GIT
12
12
  PATH
13
13
  remote: .
14
14
  specs:
15
- devise (3.0.3)
15
+ devise (3.0.4)
16
16
  bcrypt-ruby (~> 3.0)
17
17
  orm_adapter (~> 0.1)
18
18
  railties (>= 3.2.6, < 5)
@@ -47,7 +47,7 @@ GEM
47
47
  tzinfo (~> 0.3.37)
48
48
  arel (4.0.0)
49
49
  atomic (1.1.10)
50
- bcrypt-ruby (3.1.1)
50
+ bcrypt-ruby (3.1.2)
51
51
  builder (3.1.4)
52
52
  erubis (2.7.0)
53
53
  faraday (0.8.7)
data/gemfiles/Gemfile.rails-3.2.x.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: ..
3
3
  specs:
4
- devise (3.0.3)
4
+ devise (3.0.4)
5
5
  bcrypt-ruby (~> 3.0)
6
6
  orm_adapter (~> 0.1)
7
7
  railties (>= 3.2.6, < 5)
@@ -38,7 +38,7 @@ GEM
38
38
  i18n (= 0.6.1)
39
39
  multi_json (~> 1.0)
40
40
  arel (3.0.2)
41
- bcrypt-ruby (3.1.1)
41
+ bcrypt-ruby (3.1.2)
42
42
  builder (3.0.4)
43
43
  erubis (2.7.0)
44
44
  faraday (0.8.7)
data/lib/devise/strategies/database_authenticatable.rb CHANGED
@@ -5,13 +5,16 @@ module Devise
5
5
  # Default strategy for signing in a user, based on his email and password in the database.
6
6
  class DatabaseAuthenticatable < Authenticatable
7
7
  def authenticate!
8
- resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
9
- return fail(:not_found_in_database) unless resource
8
+ resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
9
+ encrypted = false
10
10
 
11
- if validate(resource){ resource.valid_password?(password) }
11
+ if validate(resource){ encrypted = true; resource.valid_password?(password) }
12
12
  resource.after_database_authentication
13
13
  success!(resource)
14
14
  end
15
+
16
+ mapping.to.new.password = password if !encrypted && Devise.paranoid
17
+ fail(:not_found_in_database) unless resource
15
18
  end
16
19
  end
17
20
  end
data/lib/devise/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module Devise
2
- VERSION = "3.0.3".freeze
2
+ VERSION = "3.0.4".freeze
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.3
4
+ version: 3.0.4
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2013-08-18 00:00:00.000000000 Z
13
+ date: 2013-11-13 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: warden