github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-04 07:06:47 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: don't allow re-using the current password during password reset

Browse Source
This commit is contained in:
Neil Lalonde
2016-08-24 12:27:09 -04:00
parent 79245a25a3
commit 7a81669c18
3 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/validators/password_validator.rb
View File

@ -14,6 +14,8 @@ class PasswordValidator < ActiveModel::EachValidator
record.errors.add(attribute, :same_as_username)
elsif record.email.present? && value == record.email
record.errors.add(attribute, :same_as_email)
elsif record.confirm_password?(value)
record.errors.add(attribute, :same_as_current)
elsif SiteSetting.block_common_passwords && CommonPasswords.common_password?(value)
record.errors.add(attribute, :common)
end