Merge branch 'security-sarcila-fix-weak-session-management-12-1' into '12-1-stable'

Clear reset_password_tokens when login (email or username) change See merge request gitlab/gitlabhq!3347
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-26 10:42:37 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-26 10:42:37 +0300
commit: 298c1357ebb07519eb968d318c375bd81ca69d2f (patch)
tree: 3a89645be6320296eeb45aaa71a7cc27272c09b8 /app
parent: f3853daceca5061e41d0351d0dff2938ba374bfa (diff)
parent: 0c21854764464bd110b505d689b3fa112936944f (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 0fd3daa3383..58509976135 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -630,6 +630,13 @@ class User < ApplicationRecord
     end
   end
 
+  # will_save_change_to_attribute? is used by Devise to check if it is necessary
+  # to clear any existing reset_password_tokens before updating an authentication_key
+  # and login in our case is a virtual attribute to allow login by username or email.
+  def will_save_change_to_login?
+    will_save_change_to_username? || will_save_change_to_email?
+  end
+
   def unique_email
     if !emails.exists?(email: email) && Email.exists?(email: email)
       errors.add(:email, _('has already been taken'))
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-26 10:42:37 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-26 10:42:37 +0300
commit	298c1357ebb07519eb968d318c375bd81ca69d2f (patch)
tree	3a89645be6320296eeb45aaa71a7cc27272c09b8 /app
parent	f3853daceca5061e41d0351d0dff2938ba374bfa (diff)
parent	0c21854764464bd110b505d689b3fa112936944f (diff)