diff options
| author | Drew Blessing <drew@gitlab.com> | 2015-12-09 20:45:26 +0300 |
|---|---|---|
| committer | Drew Blessing <drew@gitlab.com> | 2015-12-10 03:40:37 +0300 |
| commit | f4ec906e90b2f8dbf18b359b773e3b31f5da89ff (patch) | |
| tree | fd9d5a760e8100e643e49b6e26fe9d007d004b98 /app/controllers/passwords_controller.rb | |
| parent | 7b50965e9990bcb88f56b771d47514cbeb5316e5 (diff) | |
Use devise paranoid mode and ensure the same message is returned every time
Skipped CI because it has already passed. Had to rebase due to CHANGELOG.
Diffstat (limited to 'app/controllers/passwords_controller.rb')
| -rw-r--r-- | app/controllers/passwords_controller.rb | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb index 2025158d065..f74daff3bd0 100644 --- a/app/controllers/passwords_controller.rb +++ b/app/controllers/passwords_controller.rb @@ -40,7 +40,9 @@ class PasswordsController < Devise::PasswordsController def throttle_reset return unless resource && resource.recently_sent_password_reset? - redirect_to new_password_path(resource_name), - alert: I18n.t('devise.passwords.recently_reset') + # Throttle reset attempts, but return a normal message to + # avoid user enumeration attack. + redirect_to new_user_session_path, + notice: I18n.t('devise.passwords.send_paranoid_instructions') end end |