0001-Delete-tokens-on-mail-or-password-change.patch

Jan from Planio www.plan.io, 2014-08-20 16:20

Download (3.18 KB)

View differences:

app/models/user.rb
112 112
  before_create :set_mail_notification
113 113
  before_save   :generate_password_if_needed, :update_hashed_password
114 114
  before_destroy :remove_references_before_destroy
115
  after_save :update_notified_project_ids
115
  after_save :update_notified_project_ids, :destroy_tokens
116 116
  scope :in_group, lambda {|group|
117 117
    group_id = group.is_a?(Group) ? group.id : group.to_i
......
677 677
    end
678 678
  end
679
  # Delete all outstanding password reset tokens on password or email change.
680
  # Delete the autologin tokens on password change to prohibit session leakage.
681
  # This helps to keep keep the account secure in case the associated email
682
  # account was compromised.
683
  def destroy_tokens
684
    tokens  = []
685
    tokens |= ['recovery', 'autologin'] if changes.has_key?('hashed_password')
686
    tokens |= ['recovery'] if changes.has_key?('mail')
687

  
688
    Token.delete_all(['user_id = ? AND action IN (?)', self.id, tokens]) if tokens.any?
689
  end
690

  
679 691
  # Removes references that are not handled by associations
680 692
  # Things that are not deleted are reassociated with the anonymous user
681 693
  def remove_references_before_destroy
test/unit/user_test.rb
403 403
    end
404 404
  end
405
  def test_password_change_should_destroy_tokens
406
    recovery_token = Token.create!(:user_id => 2, :action => 'recovery')
407
    autologin_token = Token.create!(:user_id => 2, :action => 'autologin')
408

  
409
    user = User.find(2)
410
    user.password, user.password_confirmation = "a new password", "a new password"
411
    assert user.save
412

  
413
    assert_nil Token.find_by_id(recovery_token.id)
414
    assert_nil Token.find_by_id(autologin_token.id)
415
  end
416

  
417
  def test_mail_change_should_destroy_tokens
418
    recovery_token = Token.create!(:user_id => 2, :action => 'recovery')
419
    autologin_token = Token.create!(:user_id => 2, :action => 'autologin')
420

  
421
    user = User.find(2)
422
    user.mail = "user@somwehere.com"
423
    assert user.save
424

  
425
    assert_nil Token.find_by_id(recovery_token.id)
426
    assert_equal autologin_token, Token.find_by_id(autologin_token.id)
427
  end
428

  
429

  
405 430
  def test_validate_login_presence
406 431
    @admin.login = ""
407 432
    assert !@admin.save
408
-