Diffstat (limited to 'app/models/user.rb')
-rw-r--r-- | app/models/user.rb | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 5f9674d2d..36594137d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -112,7 +112,7 @@ class User < Principal
   before_create :set_mail_notification
   before_save :generate_password_if_needed, :update_hashed_password
   before_destroy :remove_references_before_destroy
-  after_save :update_notified_project_ids
+  after_save :update_notified_project_ids, :destroy_tokens
 
   scope :in_group, lambda {|group|
     group_id = group.is_a?(Group) ? group.id : group.to_i
@@ -681,6 +681,18 @@ class User < Principal
     end
   end
 
+  # Delete all outstanding password reset tokens on password or email change.
+  # Delete the autologin tokens on password change to prohibit session leakage.
+  # This helps to keep the account secure in case the associated email account
+  # was compromised.
+  def destroy_tokens
+    tokens = []
+    tokens |= ['recovery', 'autologin'] if changes.has_key?('hashed_password')
+    tokens |= ['recovery'] if changes.has_key?('mail')
+
+    Token.delete_all(['user_id = ? AND action IN (?)', self.id, tokens]) if tokens.any?
+  end
+
   # Removes references that are not handled by associations
   # Things that are not deleted are reassociated with the anonymous user
   def remove_references_before_destroy |
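Review bot: destroy_tokens reads `changes` from inside an after_save callback, so it silently revokes nothing if dirty-tracking state is no longer populated at that point — on Rails 5.1+ the after-save equivalent is `saved_changes` / `saved_change_to_hashed_password?`, and nothing on the page pins the Rails version. Since this is the check that invalidates autologin and recovery tokens, a regression there fails open rather than loud; a comment such as `# relies on `changes` still being populated in after_save (pre-Rails 5.1 semantics)` plus a test that changes the password and asserts the autologin token row is gone would guard it. The delete itself is correctly parameterized (`user_id = ? AND action IN (?)`), and the token-action list is built only from literals, so no user input reaches the query. Minor style: `changes.key?('hashed_password')` and bare `id` read more idiomatically than `has_key?` and `self.id`.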