github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-16 02:28:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: expire all existing sessions if user changes passwords

Browse Source
This commit is contained in:
Sam Saffron 2015-06-06 03:09:02 +10:00 committed by Robin Ward
parent ec88c08f24
commit 3151192626
2 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/models/user.rb
View File

@ -320,7 +320,10 @@ class User < ActiveRecord::Base
def password=(password) def password=(password)
# special case for passwordless accounts # special case for passwordless accounts
@raw_password = password unless password.blank? unless password.blank?
@raw_password = password
self.auth_token = nil
end
end end
def password def password

18
spec/models/user_spec.rb
View File

@ -509,18 +509,24 @@ describe User do
end end
describe 'passwords' do describe 'passwords' do
before do
it "should not have an active account with a good password" do
@user = Fabricate.build(:user, active: false) @user = Fabricate.build(:user, active: false)
@user.password = "ilovepasta" @user.password = "ilovepasta"
@user.save! @user.save!
end
it "should have a valid password after the initial save" do @user.auth_token = SecureRandom.hex(16)
expect(@user.confirm_password?("ilovepasta")).to eq(true) @user.save!
end
it "should not have an active account after initial save" do
expect(@user.active).to eq(false) expect(@user.active).to eq(false)
expect(@user.confirm_password?("ilovepasta")).to eq(true)
old_token = @user.auth_token
@user.password = "passwordT"
@user.save!
# must expire old token on password change
expect(@user.auth_token).to_not eq(old_token)
end end
end end