From 292bca0546c59b9816c696371cd9bbf04ba19fb2 Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Wed, 30 Sep 2015 15:38:21 -0400
Subject: Only allow password reset emails once per minute

Addresses internal https://dev.gitlab.org/gitlab/gitlabhq/issues/2611
---
 app/controllers/passwords_controller.rb | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
(limited to 'app/controllers/passwords_controller.rb')
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index edf43935f3c..a2d152addc9 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -2,18 +2,19 @@ class PasswordsController < Devise::PasswordsController
   def create
     email = resource_params[:email]
-    resource_found = resource_class.find_by_email(email)
-    if resource_found && resource_found.ldap_user?
+    self.resource = resource_class.find_by_email(email)
+
+    if resource && resource.ldap_user?
       flash[:alert] = "Cannot reset password for LDAP user."
       respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name)) and return
     end
-    self.resource = resource_class.send_reset_password_instructions(resource_params)
-    if successfully_sent?(resource)
-      respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
-    else
-      respond_with(resource)
+    unless can_send_reset_email?
+      flash[:alert] = "Instructions about how to reset your password have already been sent recently. Please wait a few minutes to try again."
+      respond_with({}, location: new_password_path(resource_name)) and return
     end
+
+    super
   end
   def edit
@@ -35,4 +36,11 @@ class PasswordsController < Devise::PasswordsController
       end
     end
   end
+
+  private
+
+  def can_send_reset_email?
+    resource && (resource.reset_password_sent_at.blank? ||
+      resource.reset_password_sent_at < 1.minute.ago)
+  end
 end
-- 
cgit v1.2.1
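Review bot: `unless can_send_reset_email?` in create also fires when no account matches the submitted email, because the helper added in the second hunk evaluates `resource && ...` to nil for a nil resource; an unknown address therefore gets the "already been sent recently" alert and a redirect to new_password_path instead of falling through to super as it did before. Besides being a misleading message, the response for an unregistered address now differs visibly from the one a registered address receives on its first request, so a requester can tell the two apart by submitting an address once. Let a missing resource fall through to Devise, e.g. `if resource && !can_send_reset_email?` in create, or `return true unless resource` as the first line of can_send_reset_email?, after which the `resource &&` guard in the helper is redundant. The same one-minute window then applies only to accounts that actually exist, which appears to be the commit's intent.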