This repository has been archived by the owner on Jul 21, 2020. It is now read-only.
CHANGELOG
mrflip edited this page Aug 17, 2010
- recently_activated? belongs only if stateful
- Gave migration a 40-char limit on remember_token & an index on users by login
- Much stricter login and email validation
- put length constraints in migration too
- password in 6, 40
- use uniform logout function
- use uniform remember_cookie functions
- avoid calling logged_in? which will auto-log-you-in (safe in the face of logout! call, but idiot-proof)
- Moved reset_session into only the “now logged in” branch
- wherever it goes, it has to be in front of the current_user= call
- See more in README-Tradeoffs.txt
- made a place to take action on failed login attempt
- recycle login and remember_me setting on failed login
- nil’ed out the password field in ‘new’ view
- made the implicit login only happen for non-activation sites
- On a failed signup, kick you back to the signin screen (but strip out the password & confirmation)
- more descriptive error messages in activate()
- link_to_user, link_to_current_user, link_to_signin_with_IP
- if_authorized(action, resource, &block) view function (with appropriate warning)
- Made authorized? take optional arguments action=nil, resource=nil, *args. This makes its signature better match traditional approaches to access control (eg Reference Monitor in Security Patterns)
- authorized? should be a helper too
- added uniform logout! methods
- format.any (as found in access_denied) doesn’t work until http://dev.rubyonrails.org/changeset/8987 lands.
- cookies are now refreshed each time we cross the logged out/in barrier
  http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens
  http://palisade.plynt.com/issues/2004Jul/safe-auth-practices/
- !!!! Possibly stupid !!!
Made current_user and logged_in? be public methods. I did this for the worst
possible reason — so that I could write story steps that call it directly.
However, they’re already globally public methods in principle through their
exposure as helper methods. But if there’s a less kludgy fix please educate
me.
- Used escapes <%= %> in email templates (among other reasons, so courtenay’s ‘dumbass’ test doesn’t complain)
- Added site key to generator, users.yml.
- Made site key generation idempotent in the most crude and hackish way
- 100% coverage apart from the stateful code. (needed some access_control checks, and the http_auth stuff)
- Stories!
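Added example (not the plugin's own code) for the reset_session ordering and the "cookies refreshed when crossing the logged out/in barrier" items above: a stand-in for the Rails session shows why the reset must sit in front of current_user= and only in the "now logged in" branch. FakeSession and SessionsController are assumed names standing in for the real Rails objects.

```ruby
require 'securerandom'

# Stand-in for a Rails session: an id (the cookie value) plus a data hash.
class FakeSession
  attr_reader :id, :data
  def initialize
    @id = SecureRandom.hex(8)
    @data = {}
  end
end

# Stand-in for the controller pieces the changelog refers to.
class SessionsController
  attr_reader :session
  def initialize(session)
    @session = session
  end

  # reset_session: discard the old session and issue a fresh id, so any
  # session id that existed before authentication is never carried across.
  def reset_session
    @session = FakeSession.new
  end

  # current_user= records the user in whatever session object is current.
  def current_user=(user_id)
    @session.data[:user_id] = user_id
  end

  # Correct order, and only in the success branch.
  def login(user_id, password_ok)
    return false unless password_ok   # failed attempt: leave the session as it was
    reset_session                     # must come first: new id for the new authority level
    self.current_user = user_id
    true
  end

  # Wrong order: the user id lands in the old session, which is then thrown away.
  def login_wrong_order(user_id)
    self.current_user = user_id
    reset_session
    true
  end
end
```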