As documented in `lib/devise/models/authenticatable.rb`:

```ruby
# Finally, notice that Devise also queries for users in other scenarios
# besides authentication, for example when retrieving an user to send
# an e-mail for password reset. In such cases, find_for_authentication
# is not called.
```
However, that makes it possible for a user to actually bypass a custom `find_for_authentication` and successfully sign in when it would have been explicitly prohibited otherwise.

The most common scenario is a website allowing subdomain-based authentication, leading users for the domain `foo.example.com` to be able to sign in to `bla.example.com` by resetting their password on `bla.example.com`.
Hello @toots, thanks for your report.
Can you provide us a sample application that reproduces the issue in isolation?
That would help us find the issue.
I'm closing this issue because it has not had recent activity.
If you're still facing this on the latest version, please open a new one with all the information requested in the template.