prevents users enumeration attacks by not giving any info about the validity of the email

2024-11-28 09:24:24 +01:00 · 2022-07-29 16:02:58 +02:00 · 2022-07-29 16:02:58 +02:00 · 98c7da492d
commit 98c7da492d
parent acbd327f6d
6 changed files with 13 additions and 19 deletions
--- a/app/controllers/confirmations_controller.rb
+++ b/app/controllers/confirmations_controller.rb
@ -2,6 +2,17 @@

 # Devise controller to handle validation of email addresses
 class ConfirmationsController < Devise::ConfirmationsController
+  
+  # POST /resource/confirmation
+  def create
+    self.resource = resource_class.send_confirmation_instructions(resource_params)
+    yield resource if block_given?
+
+    if successfully_sent?(resource)
+      respond_with({}, location: after_resending_confirmation_instructions_path_for(resource_name))
+    end
+  end
+
  # The path used after confirmation.
  def after_confirmation_path_for(_resource_name, resource)
    signed_in_root_path(resource)
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@ -9,8 +9,6 @@ class PasswordsController < Devise::PasswordsController

    if successfully_sent?(resource)
      respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name))
-    else
-      head 404
    end
  end

--- a/app/frontend/src/javascript/controllers/application.js
+++ b/app/frontend/src/javascript/controllers/application.js
@ -504,14 +504,8 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
              controller: ['$scope', '$uibModalInstance', '$http', function ($scope, $uibModalInstance, $http) {
                $scope.user = { email: '' };
                $scope.sendReset = function () {
-                  $scope.alerts = [];
                  return $http.post('/users/password.json', { user: $scope.user }).then(function () {
                    $uibModalInstance.close();
-                  }).catch(function () {
-                    $scope.alerts.push({
-                      msg: _t('app.public.common.your_email_address_is_unknown'),
-                      type: 'danger'
-                    });
                  });
                };
              }]
@ -526,14 +520,8 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
              controller: ['$scope', '$uibModalInstance', '$http', function ($scope, $uibModalInstance, $http) {
                $scope.user = { email: '' };
                $scope.submitConfirmationNewForm = function () {
-                  $scope.alerts = [];
                  return $http.post('/users/confirmation.json', { user: $scope.user }).then(function () {
                    $uibModalInstance.close();
-                  }).catch(function (res) {
-                    $scope.alerts.push({
-                      msg: res.data.errors.email[0],
-                      type: 'danger'
-                    });
                  });
                };
              }]
--- a/app/frontend/templates/shared/ConfirmationNewModal.html
+++ b/app/frontend/templates/shared/ConfirmationNewModal.html
@ -4,7 +4,6 @@
    <h1 translate>{{ 'app.public.common.confirm_my_account' }}</h1>
  </div>
  <div class="modal-body">
-    <uib-alert ng-repeat="alert in alerts" type="{{alert.type}}" close="closeAlert($index)">{{alert.msg}}</uib-alert>
    <div class="panel panel-default bg-light">
      <div class="panel-body">
        <p translate>{{ 'app.public.common.you_will_receive_confirmation_instructions_by_email' }}</p>
--- a/app/frontend/templates/shared/passwordNewModal.html
+++ b/app/frontend/templates/shared/passwordNewModal.html
@ -4,7 +4,6 @@
      <h1 translate>{{ 'app.public.common.password_forgotten' }}</h1>
    </div>
    <div class="modal-body">
-      <uib-alert ng-repeat="alert in alerts" type="{{alert.type}}" close="closeAlert($index)">{{alert.msg}}</uib-alert>
      <div class="panel panel-default bg-light">
        <div class="panel-body">
          <form name="passwordNewForm" class="form-horizontal" ng-keydown="passwordNewForm.$valid && $event.which == 13 && sendReset()">
--- a/config/locales/app.public.en.yml
+++ b/config/locales/app.public.en.yml
@ -101,7 +101,7 @@ en:
        used_for_reservation: "This data will be used in case of change on one of your bookings"
        used_for_profile: "This data will only be displayed on your profile"
        public_profile: "You will have a public profile and other users will be able to associate you in their projects"
-        you_will_receive_confirmation_instructions_by_email_detailed: "You will receive an email with instructions about how to confirm your account in a few minutes."
+        you_will_receive_confirmation_instructions_by_email_detailed: "If your e-mail address is valid, you will receive an email with instructions about how to confirm your account in a few minutes."
        #password modification modal
        change_your_password: "Change your password"
        your_new_password: "Your new password"
@ -117,8 +117,7 @@ en:
        #confirmation modal
        you_will_receive_confirmation_instructions_by_email: "You will receive confirmation instructions by email."
        #forgotten password modal
-        your_email_address_is_unknown: "Your e-mail address is unknown."
-        you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "You will receive in a moment, an e-mail with instructions to reset your password."
+        you_will_receive_in_a_moment_an_email_with_instructions_to_reset_your_password: "If your e-mail address is valid, you will receive in a moment an e-mail with instructions to reset your password."
        #Fab-manager's version
        version: "Version:"
        upgrade_fabmanager: "Upgrade Fab-manager"