diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-26 10:42:37 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-26 10:42:37 +0300 |
commit | 298c1357ebb07519eb968d318c375bd81ca69d2f (patch) | |
tree | 3a89645be6320296eeb45aaa71a7cc27272c09b8 /app | |
parent | f3853daceca5061e41d0351d0dff2938ba374bfa (diff) | |
parent | 0c21854764464bd110b505d689b3fa112936944f (diff) |
Merge branch 'security-sarcila-fix-weak-session-management-12-1' into '12-1-stable'
Clear reset_password_tokens when login (email or username) change
See merge request gitlab/gitlabhq!3347
Diffstat (limited to 'app')
-rw-r--r-- | app/models/user.rb | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/app/models/user.rb b/app/models/user.rb index 0fd3daa3383..58509976135 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -630,6 +630,13 @@ class User < ApplicationRecord end end + # will_save_change_to_attribute? is used by Devise to check if it is necessary + # to clear any existing reset_password_tokens before updating an authentication_key + # and login in our case is a virtual attribute to allow login by username or email. + def will_save_change_to_login? + will_save_change_to_username? || will_save_change_to_email? + end + def unique_email if !emails.exists?(email: email) && Email.exists?(email: email) errors.add(:email, _('has already been taken')) |