author: Sebastian Arcila Valenzuela <sarcila@gitlab.com> 2019-08-12 15:41:05 +0200
committer: Sebastian Arcila Valenzuela <sarcila@gitlab.com> 2019-08-21 13:05:55 +0200
commit: 5012c622405e63655256735d266168450ad1d159 (patch)
tree: ae42c0fb467ab91c73fd559a9bc56426b9574508 /app/models
parent: d9f9904c60b1fee162d22ece4b8875fafd04b7e6 (diff)
download: gitlab-ce-5012c622405e63655256735d266168450ad1d159.tar.gz
Add User#will_save_change_to_login? to clear reset_password_tokens
Devise checks before updating any of the authentication_keys if it needs to clear the reset_password_tokens. This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/42733 (Weak authentication and session management)
Diffstat (limited to 'app/models')
-rw-r--r-- app/models/user.rb | 7
1 files changed, 7 insertions, 0 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 6131a8dc710..909f5f3873d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -643,6 +643,13 @@ class User < ApplicationRecord
end
end
+ # will_save_change_to_attribute? is used by Devise to check if it is necessary
+ # to clear any existing reset_password_tokens before updating an authentication_key
+ # and login in our case is a virtual attribute to allow login by username or email.
+ def will_save_change_to_login?
+ will_save_change_to_username? || will_save_change_to_email?
+ end
+
def unique_email
if !emails.exists?(email: email) && Email.exists?(email: email)
errors.add(:email, _('has already been taken'))
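Review bot: the comment above `will_save_change_to_login?` runs two separate ideas into one sentence and names the generic `will_save_change_to_attribute?` rather than the method being defined, so a reader has to infer why a predicate for a virtual `login` attribute exists at all. Suggest splitting it into two statements: first that `login` is a virtual attribute (username or email) used for sign-in and therefore is not a real column with a change-tracking method of its own, then that this predicate exists so the reset_password_token is cleared whenever either underlying column changes (the issue the commit references, https://gitlab.com/gitlab-org/gitlab-ce/issues/42733, belongs in that comment). The logic itself is the right shape: a change to either `username` or `email` must count as a change to `login`, and `||` gives exactly that. Since this diff is limited to `app/models`, a model spec should accompany it asserting that saving a user with a changed username, and separately a changed email, clears an existing `reset_password_token`, and that saving an unrelated attribute change leaves the token in place; without that test the security fix has no regression guard.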