Rubytastic

Reputation: 15501

Devise allows anyone to look up a user by their email address! How to prevent this?

Devise allows user email lookups.

This is a certain privacy issue. The problem is that if you ask for a new confirmation e-mail you can type in any email address you want, and if it's not found in the database you get a "not found", thus enabling anyone to check if a certain email is registered.

What could be a good way to fix this? I haven't posted this to the Devise group, but I'm not sure if this is "wanted" behavior.

Offending route: /users/confirmation

It's not an option for me to disable the confirmable module of Devise. Does anyone have a good workaround to fix this?

Upvotes: 5

Views: 1628

Answers (2)

fidgital

Reputation: 81

As Devise notes in their docs, paranoid mode doesn't avoid user enumeration on registration. If you're using confirmable you can fix this by showing all users a notice to check their e-mail when they attempt to register.

class RegistrationsController < Devise::RegistrationsController

  def create
    super do |resource|
      # When the only problem is a duplicate email, answer exactly as for a
      # fresh sign-up so the response does not reveal that the address exists.
      handle_nonunique_email if resource.errors.added?(:email, :taken)
      # handle_nonunique_email may already have rendered/redirected.
      return if performed?
    end
  end

  private

  def handle_nonunique_email
    # Drop the "taken" error so it is never shown to the visitor.
    resource.errors.delete(:email)

    # Only take over the response if nothing else is wrong with the form.
    if resource.errors.empty?
      user = User.find_by_email(resource.email)
      # Re-send instructions to the real owner if they never confirmed;
      # a confirmed account gets nothing, but the visible response is identical.
      user.send_confirmation_instructions unless user.confirmed?
      respond_with resource, location: after_inactive_sign_up_path_for(resource)
    end
  end
end

I wrote more about this here.

Upvotes: 0

Rodrigo Flores

Reputation: 2461

Devise has a paranoid mode that helps you to avoid user enumeration. You can get more information on the Devise wiki:

https://github.com/plataformatec/devise/wiki/How-To:-Using-paranoid-mode,-avoid-user-enumeration-on-registerable

Upvotes: 6
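The property paranoid mode aims for on the /users/confirmation route, modelled outside Rails as an added example (not code from the question, either answer, or Devise itself): a leaky confirmation-resend handler next to a uniform one, plus a check that the uniform handler's visible response does not depend on whether the address is registered. `User`, `USERS` and the message strings are constructed stand-ins for the example.

```ruby
# Added example: Devise-style "paranoid" behaviour for resending confirmation
# instructions, modelled without Rails. User and USERS are constructed
# stand-ins for the application's user model and database, not Devise classes.
User = Struct.new(:email, :confirmed) do
  def confirmed?
    confirmed
  end
end

# Constructed in-memory user table: one unconfirmed and one confirmed account.
USERS = {
  "alice@example.com" => User.new("alice@example.com", false),
  "bob@example.com"   => User.new("bob@example.com", true),
}.freeze

# Leaky variant (the behaviour the question reports): status and message
# differ depending on whether the email exists, so the endpoint doubles as
# a registration oracle. `sent` records addresses that would receive mail.
def leaky_resend(email, users = USERS, sent = [])
  user = users[email]
  return { status: 422, message: "Email not found" } if user.nil?

  sent << email unless user.confirmed?
  { status: 200, message: "You will receive an email with instructions shortly." }
end

# Paranoid variant: identical status and message for every input; the only
# difference is the side effect, which is invisible to the requester.
def paranoid_resend(email, users = USERS, sent = [])
  user = users[email]
  sent << email if user && !user.confirmed?
  {
    status: 200,
    message: "If your email address exists in our database, you will receive an email with instructions shortly."
  }
end

# Defender's check: compare the externally visible response for a known
# registered address and an unregistered one. Any difference is an oracle.
def enumeration_oracle?(handler, registered, unregistered)
  handler.call(registered) != handler.call(unregistered)
end
```

Run `enumeration_oracle?(method(:paranoid_resend), "alice@example.com", "nobody@example.com")` against your own handler's logic to confirm it returns `false`; the leaky version returns `true`.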
