From 607659939d1113c2840e7b36eced7d6f0c6c637f Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Sun, 28 Apr 2019 18:38:46 +0200
Subject: [PATCH] Enable paranoid mode for devise
fixes #8001 closes #8003
---
 Changelog.md | 1 +
 app/views/devise/passwords/new.haml | 4 ----
 config/initializers/devise.rb | 2 +-
 config/locales/devise/devise.en.yml | 1 -
 features/desktop/change_password.feature | 4 ++--
 features/mobile/change_password.feature | 4 ++--
 spec/controllers/passwords_controller_spec.rb | 2 +-
 7 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 3f44db66b..e4ab25b92 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,6 +1,7 @@
 # 0.7.11.0
 ## Refactor
+* Enable paranoid mode for devise [#8003](https://github.com/diaspora/diaspora/pull/8003)
 ## Bug fixes
diff --git a/app/views/devise/passwords/new.haml b/app/views/devise/passwords/new.haml
index 9a5683b63..c62fe9aaa 100644
--- a/app/views/devise/passwords/new.haml
+++ b/app/views/devise/passwords/new.haml
@@ -9,10 +9,6 @@
 = AppConfig.settings.pod_name
 = form_for(resource, as: resource_name, url: password_path(resource_name), html: {class: "form-horizontal block-form"}, autocomplete: 'off') do |f|
- - unless resource.errors.empty?
- %legend
- %i
- = t('devise.passwords.new.no_account') # this is an error message and should not be displayed as a legend
 %fieldset
 %label#emailLabel.sr-only{for: "user_email"}
 = t("devise.passwords.new.email")
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 38a1eafad..327cef80e 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
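Review bot: With the legend removed, new.haml no longer renders anything from `resource.errors`, so if `config.paranoid` is ever switched back off in config/initializers/devise.rb a failed lookup would, as far as Devise's non-paranoid flow goes, re-render this form with no visible explanation, and that coupling is not recorded anywhere in the template. A short HAML comment where the block was removed would make the dependency explicit, e.g. `-# No per-address error feedback here: devise paranoid mode answers the same way whether or not the address exists (see #8001).` The `form_for` block this hunk sits in continues outside the hunk.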
@@ -97,7 +97,7 @@ Devise.setup do |config|
 # It will change confirmation, password recovery and other workflows
 # to behave the same regardless if the e-mail provided was right or wrong.
 # Does not affect registerable.
- # config.paranoid = true
+ config.paranoid = true
 # By default Devise will store the user in session. You can skip storage for
 # particular strategies by setting this option.
diff --git a/config/locales/devise/devise.en.yml b/config/locales/devise/devise.en.yml
index 45f35a238..47f78cf2d 100644
--- a/config/locales/devise/devise.en.yml
+++ b/config/locales/devise/devise.en.yml
@@ -66,7 +66,6 @@ en:
 confirm_password: Confirm password
 new:
 forgot_password: Forgot your password?
- no_account: No account with this email exists
 reset_password: Reset password
 email: Email address
 send_password_instructions: Send me reset password instructions
diff --git a/features/desktop/change_password.feature b/features/desktop/change_password.feature
index 7b30014ec..695193249 100644
--- a/features/desktop/change_password.feature
+++ b/features/desktop/change_password.feature
@@ -25,7 +25,7 @@ Feature: Change password
 Given I am on forgot password page
 When I fill out forgot password form with "forgetful@users.net"
 And I submit forgot password form
- Then I should see "You will receive an email with instructions"
+ Then I should see "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
 When I follow the "Change my password" link from the last sent email
 When I fill out the password reset form with "supersecret" and "supersecret"
 And I submit the password reset form
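Review bot: `config.paranoid = true` closes the address-enumeration channel in the password-recovery and confirmation flows, but the comment directly above it says it does not affect registerable, so the sign-up path can still reveal whether an e-mail is already taken; the commit message (fixes #8001) reads as if enumeration were closed entirely, and that remaining surface is worth a note next to the setting. The line itself also deserves a why-comment tied to the issue, e.g. `config.paranoid = true # #8001: same response whether or not the address is registered`. Paranoid mode equalizes the response body and redirect, not how long the request takes — whether reset mail is delivered synchronously for existing accounts is not visible in this diff, so that is worth confirming. The `Devise.setup` block continues outside the hunk.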
@@ -49,4 +49,4 @@ Feature: Change password
 Given I am on forgot password page
 When I fill out forgot password form with "notanemail"
 And I submit forgot password form
- Then I should see "No account with this email exists"
+ Then I should see "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
diff --git a/features/mobile/change_password.feature b/features/mobile/change_password.feature
index f3bcdb445..8f7c0c060 100644
--- a/features/mobile/change_password.feature
+++ b/features/mobile/change_password.feature
@@ -27,7 +27,7 @@ Feature: Change password
 And I am on forgot password page
 When I fill out forgot password form with "forgetful@users.net"
 And I submit forgot password form
- Then I should see "You will receive an email with instructions"
+ Then I should see "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
 When I follow the "Change my password" link from the last sent email
 And I fill out the password reset form with "supersecret" and "supersecret"
 And I submit the password reset form
@@ -52,4 +52,4 @@ Feature: Change password
 Given I am on forgot password page
 When I fill out forgot password form with "notanemail"
 And I submit forgot password form
- Then I should see "No account with this email exists"
+ Then I should see "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
diff --git a/spec/controllers/passwords_controller_spec.rb b/spec/controllers/passwords_controller_spec.rb
index 870907904..289fcd975 100644
--- a/spec/controllers/passwords_controller_spec.rb
+++ b/spec/controllers/passwords_controller_spec.rb
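Review bot: In the desktop `@@ -49,4 +49,4 @@` scenario (and its mobile counterpart at `@@ -52,4 +52,4 @@`), the "notanemail" case now asserts only the generic message, which is exactly what the "forgetful@users.net" scenario asserts too; what distinguishes the two is that no recovery mail may be sent for the unknown address, and the feature no longer checks that. The controller spec covers "doesn't send email", but a step asserting that no message was delivered after submitting the form would pin that half of the behaviour end to end here as well. The full locale sentence is also pasted verbatim four times across the two feature files; if the "I should see" step does a substring match, a distinctive prefix such as `Then I should see "If your email address exists in our database"` keeps the scenarios from drifting whenever the wording is edited.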
@@ -13,7 +13,7 @@ describe Devise::PasswordsController, type: :controller do
 context "when there is no such user" do
 it "succeeds" do
 post :create, params: {user: {email: "foo@example.com"}}
- expect(response).to be_success
+ expect(response).to redirect_to(new_user_session_path)
 end
 it "doesn't send email" do
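Review bot: The rewritten expectation pins the redirect for an unknown address but not the message the user gets, and the property paranoid mode is meant to give is that both the redirect and the flash are identical to the existing-user case; adding `expect(flash[:notice]).to eq(I18n.t("devise.passwords.send_paranoid_instructions"))` here, and the same two expectations in the existing-user context assuming there is one outside this hunk, would make the spec fail if either path ever diverges. `devise.passwords.send_paranoid_instructions` is Devise's own locale key for that message; if the project's devise.en.yml overrides it under another key, use that instead. The `context "when there is no such user"` block continues outside the hunk.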