devise 3.1.1 → 3.1.2


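--- a/PATH-NOT-SHOWN-changelog
+++ b/PATH-NOT-SHOWN-changelog
@@ -1,3 +1,10 @@
+== 3.1.2
+
+Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
+
+* bug fix
+* Avoid e-mail enumeration on sign in when in paranoid mode
+
 == 3.1.1
 
 * bug fix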
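--- a/PATH-NOT-SHOWN-lockfile-1
+++ b/PATH-NOT-SHOWN-lockfile-1
@@ -12,7 +12,7 @@ GIT
 PATH
 remote: .
 specs:
-devise (3.1.1)
+devise (3.1.2)
 bcrypt-ruby (~> 3.0)
 orm_adapter (~> 0.1)
 railties (>= 3.2.6, < 5)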
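--- a/PATH-NOT-SHOWN-lockfile-2
+++ b/PATH-NOT-SHOWN-lockfile-2
@@ -1,7 +1,7 @@
 PATH
 remote: ..
 specs:
-devise (3.1.1)
+devise (3.1.2)
 bcrypt-ruby (~> 3.0)
 orm_adapter (~> 0.1)
 railties (>= 3.2.6, < 5)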
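--- a/PATH-NOT-SHOWN-lockfile-3
+++ b/PATH-NOT-SHOWN-lockfile-3
@@ -39,7 +39,7 @@ GEM
 i18n (~> 0.6, >= 0.6.4)
 multi_json (~> 1.0)
 arel (3.0.2)
-atomic (1.1.13)
+atomic (1.1.14)
 bcrypt-ruby (3.1.2)
 builder (3.0.4)
 erubis (2.7.0)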
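--- a/PATH-NOT-SHOWN-lockfile-4
+++ b/PATH-NOT-SHOWN-lockfile-4
@@ -125,7 +125,7 @@ GEM
 tilt (~> 1.1, != 1.3.0)
 sqlite3 (1.3.7)
 thor (0.18.1)
-thread_safe (0.1.2)
+thread_safe (0.1.3)
 atomic
 tilt (1.4.1)
 treetop (1.4.14)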
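--- a/PATH-NOT-SHOWN-parameter-sanitizer
+++ b/PATH-NOT-SHOWN-parameter-sanitizer
@@ -47,19 +47,25 @@ module Devise
 end
 
 def sign_in
-default_params.permit self.for(:sign_in)
+permit self.for(:sign_in)
 end
 
 def sign_up
-default_params.permit self.for(:sign_up)
+permit self.for(:sign_up)
 end
 
 def account_update
-default_params.permit self.for(:account_update)
+permit self.for(:account_update)
 end
 
 private
 
+# TODO: We do need to flatten so it works with strong_parameters
+# gem. We should drop it once we move to Rails 4 only support.
+def permit(keys)
+default_params.permit(*Array(keys))
+end
+
 # Change for(kind) to return the values in the @permitted
 # hash, allowing the developer to customize at runtime.
 def default_for(kind)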
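Review bot: The TODO above the new `permit(keys)` helper says the keys are flattened, but the code splats `Array(keys)` — it turns one array argument into positional arguments and does not flatten nested arrays, so the comment misdescribes the workaround; `# TODO: splat the keys so this works with the strong_parameters gem; drop once Rails 4 is the only supported version.` would match the code. `Array(keys)` also has a sharp edge worth a note: if `for(kind)` could ever return a bare Hash (for example a developer-customised nested permit spec), `Array(hash)` converts it to key/value pairs instead of wrapping it, so `permit` would receive the wrong arguments — I cannot tell from this hunk whether that shape is possible. The `nil` case is fine, since `Array(nil)` is `[]` and `permit` with no arguments permits nothing. The enclosing class starts and ends outside this hunk.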
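--- a/PATH-NOT-SHOWN-database-authenticatable
+++ b/PATH-NOT-SHOWN-database-authenticatable
@@ -5,13 +5,16 @@ module Devise
 # Default strategy for signing in a user, based on his email and password in the database.
 class DatabaseAuthenticatable < Authenticatable
 def authenticate!
-resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
-return fail(:not_found_in_database) unless resource
+resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+encrypted = false
 
-if validate(resource){ resource.valid_password?(password) }
+if validate(resource){ encrypted = true; resource.valid_password?(password) }
 resource.after_database_authentication
 success!(resource)
 end
+
+mapping.to.new.password = password if !encrypted && Devise.paranoid
+fail(:not_found_in_database) unless resource
 end
 end
 end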
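Review bot: The new `mapping.to.new.password = password if !encrypted && Devise.paranoid` line carries the whole security intent of this change but has no comment, and `encrypted` reads as a property of the password rather than a flag recording whether the `valid_password?` comparison actually ran. I would rename it to `password_checked` on the three lines that use it and add above the dummy-hash line `# Paranoid mode: when no record was found (the validate block did not run), hash the submitted password against a fresh model so response time does not reveal whether the e-mail exists.` The timing equalisation depends on the model's `password=` writer hashing eagerly; if an application overrides it to defer hashing, the protection is lost, which is worth stating in that comment. The fix is deliberately scoped to `Devise.paranoid`, so non-paranoid mode keeps the earlier short-circuit timing. The `validate` helper this relies on is defined outside the hunk, so whether it skips the block for a falsy resource is inferred rather than visible here.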
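--- a/PATH-NOT-SHOWN-version
+++ b/PATH-NOT-SHOWN-version
@@ -1,3 +1,3 @@
 module Devise
-VERSION = "3.1.1".freeze
+VERSION = "3.1.2".freeze
 end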
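--- a/PATH-NOT-SHOWN-parameter-sanitizer-test
+++ b/PATH-NOT-SHOWN-parameter-sanitizer-test
@@ -68,5 +68,14 @@ if defined?(ActionController::StrongParameters)
 sanitizer.sanitize(:unknown)
 end
 end
+
+test 'passes parameters to filter as arguments to sanitizer' do
+params = {user: stub}
+sanitizer = Devise::ParameterSanitizer.new(User, :user, params)
+
+params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))
+
+sanitizer.sanitize(:sign_in)
+end
 end
 end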
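Review bot: The new `expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))` expectation pins the splat behaviour by arity alone, so it passes for any three symbols and will break for reasons unrelated to the splat if the default sign-in keys ever change in number. Asserting the actual keys is both stricter and self-maintaining: `params[:user].expects(:permit).with(*sanitizer.for(:sign_in))`. A short comment such as `# regression: keys must be splatted, not passed as one array, for the strong_parameters gem` above the test would also record why it exists. The enclosing test class begins outside the hunk.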
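--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-version: 3.1.1
+version: 3.1.2
 prerelease:
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-10-01 00:00:00.000000000 Z
+date: 2013-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: warden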