commit: a85d4473aa2a6a619fcee851c642dca576e622f6
parent: c9b92259515a3eb16a9709c3c1e505f5fe3a33bc
Author: Yann GUERN <y.guern@rock-hosting.com>
Date: Tue, 11 Apr 2017 14:21:15 +0200
Avoid user enumeration with devise paranoid mode (#1527)
Diffstat:
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -74,7 +74,8 @@ Devise.setup do |config|
# It will change confirmation, password recovery and other workflows
# to behave the same regardless if the e-mail provided was right or wrong.
# Does not affect registerable.
- # config.paranoid = true
+ # See : https://github.com/plataformatec/devise/wiki/How-To:-Using-paranoid-mode,-avoid-user-enumeration-on-registerable
+ config.paranoid = true
# By default Devise will store the user in session. You can skip storage for
# particular strategies by setting this option.
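Review bot: Account enumeration through the sign-up form is not closed by the added `config.paranoid = true`. The context comment just above it says paranoid mode "Does not affect registerable", and the diffstat shows that only this initializer changed. The linked wiki page describes extra handling for registration, which this commit does not appear to include, so a duplicate-e-mail validation error on registration would still show whether an address exists unless that is handled elsewhere. I would either follow up with the registerable change or state the limit next to the setting, e.g. `# NOTE: covers confirmation/recovery/unlock only; sign-up still reports already-taken e-mails.` The `Devise.setup` block starts and ends outside this hunk, so any later override of the setting cannot be checked from here.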