CHANGELOG

Internal Changes to code

As always, this is just a copy-and-pasted version of the CHANGELOG file in the source code tree.

use uniform logout function
use uniform remember_cookie functions
avoid calling logged_in? which will auto-log-you-in (safe in the face of
logout! call, but idiot-proof)
Moved reset_session into only the “now logged in” branch
- wherever it goes, it has to be in front of the current_user= call
- See more in README-Tradeoffs.txt
made a place to take action on failed login attempt
recycle login and remember_me setting on failed login
nil’ed out the password field in ‘new’ view

use uniform logout function
use uniform remember_cookie functions
Moved reset_session into only the “now logged in” branch
- wherever it goes, it has to be in front of the current_user= call
- See more in README-Tradeoffs.txt
made the implicit login only happen for non-activationed sites
On a failed signup, kick you back to the signin screen (but strip out the password & confirmation)
more descriptive error messages in activate()

link_to_user, link_to_current_user, link_to_signin_with_IP
if_authorized(action, resource, &block) view function (with appropriate
warning)

Made authorized? take optional arguments action=nil, resource=nil, *args
This makes its signature better match traditional approaches to access control
eg Reference Monitor in Security Patterns)
authorized? should be a helper too
added uniform logout! methods
format.any (as found in access_denied) doesn’t work until
http://dev.rubyonrails.org/changeset/8987 lands.
cookies are now refreshed each time we cross the logged out/in barrier, as
best
practice

Used escapes <%= %> in email templates (among other reasons, so courtenay’s
‘dumbass’ test doesn’t complain)
Added site key to generator, users.yml.
Made site key generation idempotent in the most crude and hackish way
100% coverage apart from the stateful code. (needed some access_control
checks, and the http_auth stuff)
Stories!