Don't expose the existence of a user

When a user resets their password, don't expose the existence of
their email address in the instruction text. This is a security best
practice:

http://goo.gl/Ayb64
1 parent 9592586 commit 16bf897a6b5d9b926636704d1d2fbf6574e011b8 @aripollak aripollak committed with croaky Sep 29, 2012
@@ -9,11 +9,8 @@ def create
if user = find_user_for_create
user.forgot_password!
::ClearanceMailer.change_password(user).deliver
- render :template => 'passwords/create'
- else
- flash_failure_after_create
- render :template => 'passwords/new'
end
+ render :template => 'passwords/create'
end
def edit
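Review bot: rendering `passwords/create` on both branches removes the content-based signal, but the known-email path still does strictly more work in the request (`user.forgot_password!` and a synchronous `::ClearanceMailer.change_password(user).deliver`), so response time remains a side channel that distinguishes registered from unknown addresses. Consider moving delivery out of the request cycle and noting in the commit message that timing is not covered by this change.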
@@ -62,12 +59,6 @@ def flash_failure_when_forbidden
:default => 'Please double check the URL or try submitting the form again.')
end
- def flash_failure_after_create
- flash.now[:notice] = translate(:unknown_email,
- :scope => [:clearance, :controllers, :passwords],
- :default => 'Unknown email.')
- end
-
def flash_failure_after_update
flash.now[:notice] = translate(:blank_password,
:scope => [:clearance, :controllers, :passwords],
@@ -6,7 +6,7 @@ Feature: Password reset
Scenario: User is not signed up
When I reset the password for "unknown.email@example.com"
- Then I am told email is unknown
+ Then instructions for changing my password are not emailed
Scenario: User is signed up and requests password reset
Given I signed up with "email@example.com"
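Review bot: the "User is not signed up" scenario now only checks that the confirmation copy appears and nothing is sent; since the security goal is that the two outcomes are indistinguishable to the requester, it would be worth a step asserting the same page is shown as in the "User is signed up" scenario (for example, by reusing the same `have_content` check in both and keeping the copy identical), so a later template change cannot silently reintroduce the difference.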
@@ -54,6 +54,11 @@
click_button 'Reset password'
end
+Then /^instructions for changing my password are not emailed$/ do
+ page.should have_content('instructions for changing your password')
+ assert ActionMailer::Base.deliveries.empty?
+end
+
Then /^instructions for changing my password are emailed to "(.*)"$/ do |email|
page.should have_content('instructions for changing your password')
user = User.find_by_email!(email)
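Review bot: the new step mixes assertion styles: `assert ActionMailer::Base.deliveries.empty?` next to `page.should have_content(...)`, while the existing step below uses RSpec `should` throughout. Prefer `ActionMailer::Base.deliveries.should be_empty` for consistency with the surrounding steps and to get a descriptive failure message instead of a bare assertion failure.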
@@ -53,8 +53,7 @@
ActionMailer::Base.deliveries.should be_empty
end
- it { should set_the_flash.to(/unknown email/i).now }
- it { should render_template(:new) }
+ it { should render_template(:create) }
end
end
end
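Review bot: with the `set_the_flash.to(/unknown email/i)` expectation removed, nothing here guards against a flash message reappearing on the unknown-email path; an explicit `it { should_not set_the_flash }` beside `it { should render_template(:create) }` would lock in the no-disclosure behaviour this commit introduces.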

0 comments on commit 16bf897