authorDouwe Maan <douwe@gitlab.com>2015-10-02 14:37:07 +0000
committerDouwe Maan <douwe@gitlab.com>2015-10-02 14:37:07 +0000
commit93522e59eccd8fd5801f313b34fec6a4f6394d9a (patch)
treebb7bceb68b7b0159ddf6926f240ace561bb13062 /app/controllers
parentc867c225095319684ad6ff396e4194bb1b5920d5 (diff)
parentd40dd5cfe331c5e465b77c8eecae9697c873a67a (diff)
downloadgitlab-ce-93522e59eccd8fd5801f313b34fec6a4f6394d9a.tar.gz
Merge branch 'rs-throttle-reset' into 'master'
Throttle "Forgot your password?" emails Addresses internal https://dev.gitlab.org/gitlab/gitlabhq/issues/2611 See merge request !1476
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/passwords_controller.rb40
1 files changed, 24 insertions, 16 deletions
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index edf43935f3c..2025158d065 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -1,20 +1,7 @@
class PasswordsController < Devise::PasswordsController
-
- def create
- email = resource_params[:email]
- resource_found = resource_class.find_by_email(email)
- if resource_found && resource_found.ldap_user?
- flash[:alert] = "Cannot reset password for LDAP user."
- respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name)) and return
- end
-
- self.resource = resource_class.send_reset_password_instructions(resource_params)
- if successfully_sent?(resource)
- respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
- else
- respond_with(resource)
- end
- end
+ before_action :resource_from_email, only: [:create]
+ before_action :prevent_ldap_reset, only: [:create]
+ before_action :throttle_reset, only: [:create]
def edit
super
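Review bot: The new `before_action` guards on `create` decide using the record from `resource_class.find_by_email(email)` (second hunk), but with the override removed the mail is sent by the inherited Devise `create`, which is not visible here and presumably does its own lookup from `resource_params`. If that lookup normalises the address differently (letter case, surrounding whitespace) or accepts a non-string `email` parameter, the LDAP and throttle guards can find no record while a reset mail is still sent. Consider rejecting non-string input before the lookup, e.g. `return head(:bad_request) unless resource_params[:email].is_a?(String)`, and add a controller spec that submits a mixed-case address for an account with a recent reset. The `edit` method at the end of this hunk continues outside it.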
@@ -35,4 +22,25 @@ class PasswordsController < Devise::PasswordsController
end
end
end
+
+ protected
+
+ def resource_from_email
+ email = resource_params[:email]
+ self.resource = resource_class.find_by_email(email)
+ end
+
+ def prevent_ldap_reset
+ return unless resource && resource.ldap_user?
+
+ redirect_to after_sending_reset_password_instructions_path_for(resource_name),
+ alert: "Cannot reset password for LDAP user."
+ end
+
+ def throttle_reset
+ return unless resource && resource.recently_sent_password_reset?
+
+ redirect_to new_password_path(resource_name),
+ alert: I18n.t('devise.passwords.recently_reset')
+ end
end
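Review bot: `throttle_reset` redirects to `new_password_path` with the `devise.passwords.recently_reset` alert only when the address matches an account with a recent reset, so an unauthenticated caller can tell registered addresses from unregistered ones; `prevent_ldap_reset` has the same property, though its message predates this commit. If account existence is meant to stay hidden (Devise paranoid mode, not visible here), the throttled path should use the same redirect and flash as a successful send and only skip the mail. The throttle is keyed on the account, so it limits mail to one mailbox but not the request rate of a single client across many addresses; a per-client limit would have to be added separately. A short comment on each filter would help, e.g. `# Halts the request with a redirect when a reset mail was sent recently; the check itself is defined on the model, outside this diff.`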