authorRobert Speicher <rspeicher@gmail.com>2015-09-30 22:38:21 +0300
committerRobert Speicher <rspeicher@gmail.com>2015-09-30 22:38:21 +0300
commit292bca0546c59b9816c696371cd9bbf04ba19fb2 (patch)
treec9f3ed1df55ed2fee0dfef6ad685ea57b7aac932 /app/controllers/passwords_controller.rb
parent3a4274e19e1a1fbc23fb5fe0d6101ad62099aadb (diff)
Only allow password reset emails once per minute
Addresses internal https://dev.gitlab.org/gitlab/gitlabhq/issues/2611
Diffstat (limited to 'app/controllers/passwords_controller.rb')
-rw-r--r--app/controllers/passwords_controller.rb22
1 files changed, 15 insertions, 7 deletions
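--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -2,18 +2,19 @@ class PasswordsController < Devise::PasswordsController
 def create
 email = resource_params[:email]
-resource_found = resource_class.find_by_email(email)
-if resource_found && resource_found.ldap_user?
+self.resource = resource_class.find_by_email(email)
+
+if resource && resource.ldap_user?
 flash[:alert] = "Cannot reset password for LDAP user."
 respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name)) and return
 end
-self.resource = resource_class.send_reset_password_instructions(resource_params)
-if successfully_sent?(resource)
-respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
-else
-respond_with(resource)
+unless can_send_reset_email?
+flash[:alert] = "Instructions about how to reset your password have already been sent recently. Please wait a few minutes to try again."
+respond_with({}, location: new_password_path(resource_name)) and return
 end
+
+super
 end
 def edit
@@ -35,4 +36,11 @@ class PasswordsController < Devise::PasswordsController
 end
 end
 end
+
+private
+
+def can_send_reset_email?
+resource && (resource.reset_password_sent_at.blank? ||
+resource.reset_password_sent_at < 1.minute.ago)
 end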
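Review bot: `can_send_reset_email?` returns false when `resource` is nil, so an email with no account is answered with the "already been sent recently" alert in the `unless` branch of `create`, while a known email that has not been throttled falls through to `super`; the two responses differ on whether the address exists, which is an account-enumeration oracle introduced by this change. Unknown emails should take the same path as before and let Devise's own handling (uniform under its paranoid setting, if that is enabled in the app's config) decide the response: `return true unless resource` as the first line of `can_send_reset_email?`, followed by `resource.reset_password_sent_at.blank? || resource.reset_password_sent_at < 1.minute.ago`. The read of `reset_password_sent_at` and the send in `super` are not atomic, so two requests arriving within the same window can both pass the check; worth a comment on the helper, e.g. `# Best-effort per-account throttle; concurrent requests may both pass.` Both `create` and `can_send_reset_email?` are fully contained in their hunks.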