authorYann GUERN <y.guern@rock-hosting.com>2017-04-11 14:21:15 +0200
committerEugen <eugen@zeonfederated.com>2017-04-11 14:21:15 +0200
commita85d4473aa2a6a619fcee851c642dca576e622f6 (patch)
treee829221acf96a6619f7e1b7812969ad4b1eb2f69
parentc9b92259515a3eb16a9709c3c1e505f5fe3a33bc (diff)
Avoid user enumeration with devise paranoid mode (#1527)
-rw-r--r--config/initializers/devise.rb3
1 files changed, 2 insertions, 1 deletions
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index ede6640bb..3c23e7b2e 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -74,7 +74,8 @@ Devise.setup do |config|
   # It will change confirmation, password recovery and other workflows
   # to behave the same regardless if the e-mail provided was right or wrong.
   # Does not affect registerable.
-  # config.paranoid = true
+  # See : https://github.com/plataformatec/devise/wiki/How-To:-Using-paranoid-mode,-avoid-user-enumeration-on-registerable
+  config.paranoid = true
 
   # By default Devise will store the user in session. You can skip storage for
   # particular strategies by setting this option.
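Review bot: The comment directly above `config.paranoid = true` still says "Does not affect registerable", so with this setting alone the sign-up form can presumably still reveal whether an e-mail is already registered (for example through its uniqueness validation message). The added `See :` link points at the how-to for closing that gap, but nothing in this hunk applies it, and whether the registrations controller is adapted elsewhere is not visible here. I would state the limit in the comment, e.g. `# NOTE: paranoid mode does not cover sign-up; registration still needs the changes described in the link below.`, and tidy `See :` to `See:`. The `Devise.setup` block starts and ends outside the hunk.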