diff options
| author | Mayra Cabrera <mcabrera@gitlab.com> | 2018-05-29 18:41:33 +0000 |
|---|---|---|
| committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-05-29 18:41:33 +0000 |
| commit | 33f4f161a1a417c17fc4c6d18e4dc01c33945ab5 (patch) | |
| tree | cef725cc18d86e75a8b06bdc9781cd6d9ced6521 | |
| parent | 046cc6011a4a5e10950d1d9d69ea500aba905e7b (diff) | |
| parent | 8417f74f23a75020a14f39d939c4dd1cc5419d07 (diff) | |
| download | gitlab-ce-33f4f161a1a417c17fc4c6d18e4dc01c33945ab5.tar.gz | |
Merge branch 'security-users-can-update-their-password-without-entering-current-password' into 'master'
[Master] No longer allow password change without previous password being provided
See merge request gitlab/gitlabhq!2383
3 files changed, 18 insertions, 2 deletions
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb index ac71f72e624..9f5ad23a20f 100644 --- a/app/controllers/profiles_controller.rb +++ b/app/controllers/profiles_controller.rb @@ -93,8 +93,6 @@ class ProfilesController < Profiles::ApplicationController :linkedin, :location, :name, - :password, - :password_confirmation, :public_email, :skype, :twitter, diff --git a/changelogs/unreleased/security-users-can-update-their-password-without-entering-current-password.yml b/changelogs/unreleased/security-users-can-update-their-password-without-entering-current-password.yml new file mode 100644 index 00000000000..824fbd41ab8 --- /dev/null +++ b/changelogs/unreleased/security-users-can-update-their-password-without-entering-current-password.yml @@ -0,0 +1,5 @@ +--- +title: Prevent user passwords from being changed without providing the previous password +merge_request: +author: +type: security diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb index c621eb69171..4530a301d4d 100644 --- a/spec/controllers/profiles_controller_spec.rb +++ b/spec/controllers/profiles_controller_spec.rb @@ -3,6 +3,19 @@ require('spec_helper') describe ProfilesController, :request_store do let(:user) { create(:user) } + describe 'POST update' do + it 'does not update password' do + sign_in(user) + + expect do + post :update, + user: { password: 'hello12345', password_confirmation: 'hello12345' } + end.not_to change { user.reload.encrypted_password } + + expect(response.status).to eq(302) + end + end + describe 'PUT update' do it 'allows an email update from a user without an external email address' do sign_in(user) |