Use devise paranoid mode and ensure the same message is returned every time (!2044) · Merge requests · GitLab.org / GitLab FOSS

Drew Blessing requested to merge dblessing/gitlab-ce:devise_paranoid_mode into master Dec 09, 2015

Enable devise paranoid mode and ensure the returned message is the same every time. This will prevent user enumeration (low impact).

Prior to this change a user could type an email in the password reset field and if the email didn't exist it returned an error. If the email was valid it returned a message saying the forgot password link had been emailed. After this change the user will receive a message that if the email is in our database the reset link will be emailed.

I also changed the throttle mechanism so it still works the same but now returns the exact same message as above. Previously it would say 'You've already sent a request. Wait a few minutes'. This also allows user enumeration, although it requires a double-check.

Admin message

Admin message

Use devise paranoid mode and ensure the same message is returned every time

Merge request reports