Update code copied from Devise

This was changed upstream to fix a vulnerability

Update code copied from Devise
This was changed upstream to fix a vulnerability
240b1657 · Heinrich Lee Yu · b7652b57 · 240b1657 · 240b1657
Commit 240b1657 authored Nov 05, 2019 by Heinrich Lee Yu
Showing with 7 additions and 3 deletions

app/models/user.rb app/models/user.rb +2 -3

changelogs/unreleased/27433-fix-vulnerable-code-copied-from-devise.yml ...released/27433-fix-vulnerable-code-copied-from-devise.yml +5 -0

No files found.
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1420,14 +1420,13 @@ class User < ApplicationRecord
  # flow means we don't call that automatically (and can't conveniently do so).
  #
  # See:
-  #   <https://github.com/plataformatec/devise/blob/v4.0.0/lib/devise/models/lockable.rb#L92>
+  #   <https://github.com/plataformatec/devise/blob/v4.7.1/lib/devise/models/lockable.rb#L104>
  #
  # rubocop: disable CodeReuse/ServiceClass
  def increment_failed_attempts!
    return if ::Gitlab::Database.read_only?
-    self.failed_attempts ||= 0
+    increment_failed_attempts
-    self.failed_attempts += 1
    if attempts_exceeded?
      lock_access! unless access_locked?

--- a/changelogs/unreleased/27433-fix-vulnerable-code-copied-from-devise.yml
+++ b/changelogs/unreleased/27433-fix-vulnerable-code-copied-from-devise.yml
+---
+title: Update incrementing of failed logins to be thread-safe
+merge_request: 19614
+author:
+type: security