diff options
author | Filipa Lacerda <filipa@gitlab.com> | 2018-05-09 14:34:43 +0000 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-05-25 10:43:56 -0500 |
commit | 8a93917b7e2f61d38d1dc7f6fc14a11c3ad7b73a (patch) | |
tree | 1888080ab1392d7823d2ff4c6a86c16a10444457 | |
parent | 21a8d61d5ca820e61ab9c8dcef48a7169683077e (diff) | |
download | gitlab-ce-8a93917b7e2f61d38d1dc7f6fc14a11c3ad7b73a.tar.gz |
Merge branch 'security-10-8-users-can-update-their-password-without-entering-current-password' into 'security-10-8'
[10.8] No longer allow password change without previous password being provided
See merge request gitlab/gitlabhq!2388
-rw-r--r-- | app/controllers/profiles_controller.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-10-8.yml | 5 | ||||
-rw-r--r-- | spec/controllers/profiles_controller_spec.rb | 13 |
3 files changed, 18 insertions, 2 deletions
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb index ac71f72e624..9f5ad23a20f 100644 --- a/app/controllers/profiles_controller.rb +++ b/app/controllers/profiles_controller.rb @@ -93,8 +93,6 @@ class ProfilesController < Profiles::ApplicationController :linkedin, :location, :name, - :password, - :password_confirmation, :public_email, :skype, :twitter, diff --git a/changelogs/unreleased/security-10-8.yml b/changelogs/unreleased/security-10-8.yml new file mode 100644 index 00000000000..824fbd41ab8 --- /dev/null +++ b/changelogs/unreleased/security-10-8.yml @@ -0,0 +1,5 @@ +--- +title: Prevent user passwords from being changed without providing the previous password +merge_request: +author: +type: security diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb index c621eb69171..35b42be2e3d 100644 --- a/spec/controllers/profiles_controller_spec.rb +++ b/spec/controllers/profiles_controller_spec.rb @@ -3,6 +3,19 @@ require('spec_helper') describe ProfilesController, :request_store do let(:user) { create(:user) } + describe 'POST update' do + it 'does not update password' do + sign_in(user) + + expect do + post :update, + user: { password: 'hello12345', password_confirmation: 'hello12345' } + end.not_to change { user.reload.encrypted_password } + + expect(response.status).to eq(302) + end + end + describe 'PUT update' do it 'allows an email update from a user without an external email address' do sign_in(user) |