From c175c30da76da5e976ac6351a11568b5d0b23d12 Mon Sep 17 00:00:00 2001 From: Stan Hu Date: Sun, 7 May 2017 22:11:09 -0700 Subject: Fix sub-second timing comparison error for Devise confirmation period On databases such as MySQL, it's possible to get into a timing comparison error if the value of `Confirmable#confirmation_sent_at` is within a second of `0.days.ago`. This is possible mostly in specs that test this behavior and most likely not happening in practice. The result of this error causes a user to be deemed active when it should be inactive. To prevent this error, we explicitly check the configuration setting to be `0.days.ago`. Closes gitlab-org/gitlab-ee#2362
---
app/models/user.rb | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/app/models/user.rb b/app/models/user.rb
index accaa91b805..4e5f94683b8 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1000,6 +1000,15 @@ class User < ActiveRecord::Base devise_mailer.send(notification, self, *args).deliver_later end + # This works around a bug in Devise 4.2.0 that erroneously causes a user to + # be considered active in MySQL specs due to a sub-second comparison # issue. For more details, see: https://gitlab.com/gitlab-org/gitlab-ee/issues/2362#note_29004709 + def confirmation_period_valid? + return false if self.class.allow_unconfirmed_access_for == 0.days + super + end + def ensure_external_user_rights return unless external? -- cgit v1.2.3
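Review bot: The comment above `confirmation_period_valid?` describes the symptom (a sub-second comparison in MySQL specs) but not why returning `false` is the right answer, which is what a maintainer needs before deciding the override can go: with `allow_unconfirmed_access_for` set to zero no unconfirmed user should ever be treated as active, so short-circuiting to `false` is the fail-closed result regardless of clock resolution, whereas the inherited check (which compares `confirmation_sent_at` against `allow_unconfirmed_access_for.ago`) can flip to `true` when both timestamps fall in the same second. I would add `# A zero grace period means an unconfirmed user is never active, so answer false without consulting confirmation_sent_at.` and replace the bare version reference with a removal condition such as `# TODO: drop once Devise is upgraded past <DEVISE-VERSION-WITH-FIX>`. Devise defines this method under `protected` in `Confirmable`; the visibility section enclosing this hunk is outside it, and if that section is public the override also makes the method public, so consider placing it under `protected` to keep the class surface unchanged. The `== 0.days` comparison should accept either a Duration or an Integer `0` (Duration equality compares the underlying seconds and Integer equality defers to the other operand), so no change is needed there, but a spec that sets the window to `0`, builds an unconfirmed user with `confirmation_sent_at` equal to the current time and asserts `active_for_authentication?` is false would pin the fix against regression.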