From 7aeb2fc97971671ada5712c5fbe5b327cb585ec5 Mon Sep 17 00:00:00 2001
From: Philipp Tessenow
Date: Mon, 22 Jul 2013 10:54:27 +0200
Subject: [PATCH] fix #1405: fake invalid credentials when a blocked user tries to login
---
 app/controllers/account_controller.rb | 3 ++-
 doc/CHANGELOG.md | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 5ca77aca43..76f4b27c30 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -174,7 +174,8 @@ class AccountController < ApplicationController
 user = User.find_by_login(username)
 if user and user.check_password?(password)
 if not user.active?
- inactive_account
+ return inactive_account if user.registered?
+ invalid_credentials
 elsif user.force_password_change
 return if redirect_if_password_change_not_allowed(user)
 render_force_password_change
diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md
index 858c8e412b..c5b9447568 100644
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
@@ -1,5 +1,6 @@
 # Changelog
+* `#1405` Incorrect message when trying to login with a permanently blocked account
 * `#1409` Changing pagination limit on members view looses members tab
 * `#1371` Changing pagination per_page_param does not change page
 * `#1314` Always set last activity timestamp and check session expiry if ttl-setting is enabled
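Review bot: The new `invalid_credentials` line makes a locked account answer like a bad password, but nothing in the code says that this is deliberate, so the next maintainer fixing "wrong message for locked users" will likely put the informative response back. Add a why-comment above it, e.g. `# Non-registered inactive accounts (locked) deliberately answer exactly like a wrong password so the login form cannot be used to probe account status (#1405).` Note also that this branch returns before reaching the genuine wrong-password `else` path, which lies outside the hunk; whatever that path does (failed-login logging, lockout counters, any delay) is not replicated here, so the two cases presumably remain distinguishable by side effects and timing even though the message now matches, and a correct password presented against a locked account is a security-relevant event worth logging. The enclosing login method starts and ends outside this hunk.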