diff --git a/Changelog.md b/Changelog.md
index 385f4732e..b7fb5abf0 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -16,6 +16,7 @@
 # 0.7.11.0
 ## Refactor
+* Enable paranoid mode for devise [#8003](https://github.com/diaspora/diaspora/pull/8003)
 ## Bug fixes
diff --git a/app/assets/stylesheets/forms.scss b/app/assets/stylesheets/forms.scss
index 2f0717bba..27be8a013 100644
--- a/app/assets/stylesheets/forms.scss
+++ b/app/assets/stylesheets/forms.scss
@@ -93,5 +93,10 @@ textarea {
 }
 ::placeholder { text-transform: uppercase; }
+
+ p {
+ margin-top: .5rem;
+ text-align: center;
+ }
 }
 }
diff --git a/app/views/devise/passwords/new.haml b/app/views/devise/passwords/new.haml
index 9a5683b63..c62fe9aaa 100644
--- a/app/views/devise/passwords/new.haml
+++ b/app/views/devise/passwords/new.haml
@@ -9,10 +9,6 @@
 = AppConfig.settings.pod_name
 = form_for(resource, as: resource_name, url: password_path(resource_name), html: {class: "form-horizontal block-form"}, autocomplete: 'off') do |f|
- - unless resource.errors.empty?
- %legend
- %i
- = t('devise.passwords.new.no_account') # this is an error message and should not be displayed as a legend
 %fieldset
 %label#emailLabel.sr-only{for: "user_email"}
 = t("devise.passwords.new.email")
diff --git a/app/views/sessions/two_factor.html.haml b/app/views/sessions/two_factor.html.haml
index 8e40dc411..f7fd7f592 100644
--- a/app/views/sessions/two_factor.html.haml
+++ b/app/views/sessions/two_factor.html.haml
@@ -15,7 +15,7 @@
 %fieldset
 %label.sr-only#otp-label{for: "otp_attempt"}
 = t("two_factor_auth.input_token.label")
-
+
 %i.entypo-lock
 = f.text_field :otp_attempt, type: :text, placeholder: t("two_factor_auth.input_token.placeholder"),
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 38a1eafad..327cef80e 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
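Review bot: The added `p` rule in forms.scss is a bare element selector, so every paragraph inside the enclosing block is centred with a top margin, and nothing in the hunk says which paragraph it is meant for; the enclosing rule starts outside the hunk (the header only shows `textarea {` as nearest context), so its real reach is not visible here. A one-line comment above the rule naming its target, e.g. `// intended for: <paragraph this rule styles>`, or a class on that paragraph instead of the element selector, would keep the next form that happens to contain a `p` from picking this up by accident. The `.5rem` shorthand is fine if the rest of the file writes lengths that way.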
@@ -97,7 +97,7 @@ Devise.setup do |config|
 # It will change confirmation, password recovery and other workflows
 # to behave the same regardless if the e-mail provided was right or wrong.
 # Does not affect registerable.
- # config.paranoid = true
+ config.paranoid = true
 # By default Devise will store the user in session. You can skip storage for
 # particular strategies by setting this option.
diff --git a/config/locales/devise/devise.en.yml b/config/locales/devise/devise.en.yml
index 45f35a238..47f78cf2d 100644
--- a/config/locales/devise/devise.en.yml
+++ b/config/locales/devise/devise.en.yml
@@ -66,7 +66,6 @@ en:
 confirm_password: Confirm password
 new:
 forgot_password: Forgot your password?
- no_account: No account with this email exists
 reset_password: Reset password
 email: Email address
 send_password_instructions: Send me reset password instructions
diff --git a/features/desktop/change_password.feature b/features/desktop/change_password.feature
index 7b30014ec..695193249 100644
--- a/features/desktop/change_password.feature
+++ b/features/desktop/change_password.feature
@@ -25,7 +25,7 @@ Feature: Change password
 Given I am on forgot password page
 When I fill out forgot password form with "forgetful@users.net"
 And I submit forgot password form
- Then I should see "You will receive an email with instructions"
+ Then I should see "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
 When I follow the "Change my password" link from the last sent email
 When I fill out the password reset form with "supersecret" and "supersecret"
 And I submit the password reset form
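Review bot: `config.paranoid = true` makes the recovery, confirmation and unlock responses read the same whether or not the address is registered, but it only equalises the message and redirect, not the response time: Devise generates and sends the mail only when a matching record exists, so if delivery is synchronous the two cases still differ measurably. If the mailer is not already delivered through a background job, that is the follow-up that makes this setting effective against account enumeration. The comment above the setting explains what paranoid mode does but not why this pod turns it on; a short why-line such as `# Enabled so the reset/confirm/unlock flows do not disclose which addresses are registered (#8003)` would help the next reader. Any confirmable or lockable feature tests that assert the old per-account wording will need the same update that the password features get in this PR; none are visible in the diff.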
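Review bot: The full Devise sentence `If your email address exists in our database, you will receive a password recovery link ...` is now pasted verbatim into four steps (this hunk, the hunk at line 49 of the same file, and both hunks in features/mobile/change_password.feature), so the next locale tweak breaks all four at once. A dedicated step such as `Then I should see the password recovery notice` that resolves the text from its locale key, or a match on a short distinctive fragment, would keep it in one place. It is also worth having the "forgetful@users.net" and "notanemail" scenarios assert the same landing page and not only the same text, since an identical response for known and unknown addresses is exactly what paranoid mode is supposed to guarantee.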
@@ -49,4 +49,4 @@ Feature: Change password
 Given I am on forgot password page
 When I fill out forgot password form with "notanemail"
 And I submit forgot password form
- Then I should see "No account with this email exists"
+ Then I should see "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
diff --git a/features/mobile/change_password.feature b/features/mobile/change_password.feature
index f3bcdb445..8f7c0c060 100644
--- a/features/mobile/change_password.feature
+++ b/features/mobile/change_password.feature
@@ -27,7 +27,7 @@ Feature: Change password
 And I am on forgot password page
 When I fill out forgot password form with "forgetful@users.net"
 And I submit forgot password form
- Then I should see "You will receive an email with instructions"
+ Then I should see "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
 When I follow the "Change my password" link from the last sent email
 And I fill out the password reset form with "supersecret" and "supersecret"
 And I submit the password reset form
@@ -52,4 +52,4 @@ Feature: Change password
 Given I am on forgot password page
 When I fill out forgot password form with "notanemail"
 And I submit forgot password form
- Then I should see "No account with this email exists"
+ Then I should see "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
diff --git a/spec/controllers/passwords_controller_spec.rb b/spec/controllers/passwords_controller_spec.rb
index 870907904..289fcd975 100644
--- a/spec/controllers/passwords_controller_spec.rb
+++ b/spec/controllers/passwords_controller_spec.rb
@@ -13,7 +13,7 @@ describe Devise::PasswordsController, type: :controller do
 context "when there is no such user" do
 it "succeeds" do
 post :create, params: {user: {email: "foo@example.com"}}
- expect(response).to be_success
+ expect(response).to redirect_to(new_user_session_path)
 end
 it "doesn't send email" do
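Review bot: The example named `"succeeds"` now asserts a redirect to the sign-in page, so its name no longer describes what is checked; `it "redirects to the sign-in page as if the user existed" do` would say what the paranoid response is expected to look like. To pin the enumeration-resistant behaviour it would also help to assert the flash, `expect(flash[:notice]).to eq(I18n.t("devise.passwords.send_paranoid_instructions"))`, and to have the existing-user example (not visible in this hunk) assert the identical redirect and flash, so a regression that reintroduces a different response for unknown addresses is caught. The enclosing `describe` block starts and continues outside the hunk.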