This repository has been archived by the owner on Jul 21, 2020. It is now read-only.

CHANGELOG

mrflip edited this page Aug 17, 2010 · 4 revisions

Changes for the May, 2008 version of restful-authentication

Changes to user model

  • recently_activated? belongs only if stateful
  • Gave migration a 40-char limit on remember_token & an index on users by login
  • Much stricter login and email validation
  • put length constraints in migration too
  • password length constrained to 6..40
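To make the user-model constraints above concrete, here is an added illustration (not restful-authentication’s own code) written as plain Ruby so it runs without Rails. The numeric limits are the ones listed above; the two regexes are assumptions standing in for the plugin’s stricter login and email validation.

```ruby
require 'digest/sha1'

module UserConstraints
  LOGIN_FORMAT    = /\A[a-z0-9_][a-z0-9_.\-]{2,39}\z/i                # assumed: 3..40 chars, no spaces or quotes
  EMAIL_FORMAT    = /\A[a-z0-9._%+\-]+@(?:[a-z0-9\-]+\.)+[a-z]{2,}\z/i # assumed: requires a dotted domain
  PASSWORD_LENGTH = (6..40)   # "password length constrained to 6..40"
  TOKEN_LIMIT     = 40        # the migration's 40-char limit on remember_token

  # Returns an array of error strings; an empty array means the record is valid.
  def self.errors_for(login:, email:, password:, remember_token: nil)
    errors = []
    errors << "login has an invalid format" unless login.to_s.match?(LOGIN_FORMAT)
    errors << "email has an invalid format" unless email.to_s.match?(EMAIL_FORMAT)
    unless PASSWORD_LENGTH.cover?(password.to_s.length)
      errors << "password must be #{PASSWORD_LENGTH.min}..#{PASSWORD_LENGTH.max} characters"
    end
    if remember_token && remember_token.length > TOKEN_LIMIT
      errors << "remember_token exceeds #{TOKEN_LIMIT} characters"
    end
    errors
  end

  # A SHA-1 hex digest is exactly 40 characters, so a token built this way
  # always fits the column. A longer value could be silently truncated by a
  # database running in non-strict mode, after which the cookie never matches.
  def self.remember_token_for(email, expires_at)
    Digest::SHA1.hexdigest("#{email}--#{expires_at}--#{rand}")
  end
end

# Constructed sample inputs: one valid record, one that trips all three format/length checks.
puts UserConstraints.errors_for(login: "bob", email: "bob@example.com", password: "hunter22").inspect
puts UserConstraints.errors_for(login: "bob smith", email: "bob@example", password: "abc").inspect
```

Putting the same limits in the migration (as the changelog does) means a record that slips past model validation, for instance through a direct SQL insert or a later code path without validations, still cannot exceed the column width.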

Changes to session_controller

  • use uniform logout function
  • use uniform remember_cookie functions
  • avoid calling logged_in? which will auto-log-you-in (safe in the face of a
    logout! call, but idiot-proof)
  • Moved reset_session into only the “now logged in” branch
    • wherever it goes, it has to be in front of the current_user= call
    • See more in README-Tradeoffs.txt
  • made a place to take action on failed login attempt
  • recycle login and remember_me setting on failed login
  • nil’ed out the password field in ‘new’ view

Changes to users_controller

  • use uniform logout function
  • use uniform remember_cookie functions
  • Moved reset_session into only the “now logged in” branch
    • wherever it goes, it has to be in front of the current_user= call
    • See more in README-Tradeoffs.txt
  • made the implicit login only happen for sites that don’t use activation
  • On a failed signup, kick you back to the signin screen (but strip out the password & confirmation)
  • more descriptive error messages in activate()
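The session_controller and users_controller items above share one ordering rule: reset_session must come before current_user= in the “now logged in” branch, and logout must be one uniform routine that also refreshes the remember cookie. The following is an added illustration written for this page, not restful-authentication’s own code. It replaces Rails with a tiny in-memory session store and cookie hash (both constructed here) so the flow can run on its own; the user table and token format are assumptions.

```ruby
require 'securerandom'
require 'digest/sha1'

# Stand-in for the Rails session: a table of session_id => hash, where
# reset_session abandons the current id and starts a fresh, empty one.
class FakeSessionStore
  attr_reader :current_id

  def initialize
    @data = {}
    reset_session
  end

  def reset_session
    @current_id = SecureRandom.hex(16)
    @data[@current_id] = {}
  end

  def [](key)
    @data[@current_id][key]
  end

  def []=(key, value)
    @data[@current_id][key] = value
  end

  # What someone still holding an old session id would see.
  def peek(id)
    @data.fetch(id, nil)
  end
end

class Authenticator
  attr_reader :session, :cookies, :failed_logins

  def initialize(users)
    @users         = users                 # login => password (constructed sample; plaintext for brevity)
    @session       = FakeSessionStore.new
    @cookies       = {}                    # name => value, stands in for the browser cookie jar
    @failed_logins = []                    # "a place to take action on failed login attempt"
  end

  def current_user
    @session[:user_id]
  end

  def login(login, password, remember_me: false)
    if @users[login] == password
      # Order matters: rotate the session id first, then bind the user to the
      # new id. The reverse order would leave the user bound to whatever id
      # the browser arrived with, which is the fixation case reset_session exists to close.
      @session.reset_session
      @session[:user_id] = login
      remember_me ? issue_remember_cookie(login) : kill_remember_cookie
      true
    else
      @failed_logins << login
      false
    end
  end

  # Uniform logout!: clear the user, drop the remember cookie, and rotate the
  # session id so the old one is worthless to whoever still holds it.
  def logout!
    @session[:user_id] = nil
    kill_remember_cookie
    @session.reset_session
  end

  private

  # 40-char SHA-1 hex digest; the random part is an assumption, not the plugin's recipe.
  def issue_remember_cookie(login)
    @cookies[:auth_token] = Digest::SHA1.hexdigest("#{login}--#{SecureRandom.hex(8)}")
  end

  def kill_remember_cookie
    @cookies.delete(:auth_token)
  end
end

# Constructed walk-through.
auth = Authenticator.new("alice" => "correct horse")
before = auth.session.current_id
auth.login("alice", "correct horse", remember_me: true)
puts "session rotated on login: #{auth.session.current_id != before}"
auth.logout!
puts "remember cookie gone after logout!: #{auth.cookies[:auth_token].nil?}"
```

The check worth keeping from this is the peek on the old id: after a successful login the id the browser arrived with must carry no user, which is exactly what breaks if current_user= runs before reset_session.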

users_helper

  • link_to_user, link_to_current_user, link_to_signin_with_IP
  • if_authorized(action, resource, &block) view function (with appropriate
    warning)

authenticated_system

  • Made authorized? take optional arguments action=nil, resource=nil, *args
    This makes its signature better match traditional approaches to access control
    (e.g. the Reference Monitor in “Security Patterns”)
  • authorized? should be a helper too
  • added uniform logout! methods
  • format.any (as found in access_denied) doesn’t work until
    http://dev.rubyonrails.org/changeset/8987 lands.
  • cookies are now refreshed each time we cross the logged out/in barrier
    http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens
    http://palisade.plynt.com/issues/2004Jul/safe-auth-practices/
  • !!!! Possibly stupid !!!
    Made current_user and logged_in? be public methods. I did this for the worst
    possible reason — so that I could write story steps that call it directly.
    However, they’re already globally public methods in principle through their
    exposure as helper methods. But if there’s a less kludgy fix please educate
    me.
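The authorized?(action, resource) signature above and the if_authorized view helper in the users_helper section describe a reference monitor: one chokepoint that decides every (subject, action, object) request, defaulting to deny. The following is an added example for this page, not the plugin’s code; the User and Post structs and the ownership rule are constructed to show the shape of the check.

```ruby
# Constructed records; the plugin has no such Post model.
User = Struct.new(:login, :admin)
Post = Struct.new(:title, :owner_login)

class AccessControl
  def initialize(current_user)
    @current_user = current_user   # nil when logged out
  end

  def logged_in?
    !@current_user.nil?
  end

  # The single decision point. With no action given it answers "is anyone
  # logged in?"; with an action it consults the policy. Unknown actions deny.
  def authorized?(action = nil, resource = nil, *_args)
    return false unless logged_in?
    return true  if action.nil?
    case action
    when :read
      true
    when :edit, :destroy
      return true if @current_user.admin
      resource.respond_to?(:owner_login) && resource.owner_login == @current_user.login
    else
      false
    end
  end

  # View-side convenience: yield (e.g. render a link) only when permitted.
  # Hiding a link is not enforcement; the controller must call authorized? too,
  # which is the warning the helper ships with.
  def if_authorized(action, resource)
    return nil unless authorized?(action, resource)
    yield
  end
end

# Constructed walk-through.
alice = User.new("alice", false)
post  = Post.new("hello", "alice")
puts "alice may edit her post: #{AccessControl.new(alice).authorized?(:edit, post)}"
puts "logged-out read: #{AccessControl.new(nil).authorized?(:read, post)}"
```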

Other

  • Used escapes <%= %> in email templates (among other reasons, so courtenay’s
    ‘dumbass’ test doesn’t complain)
  • Added site key to generator, users.yml.
  • Made site key generation idempotent in the most crude and hackish way
  • 100% coverage apart from the stateful code. (needed some access_control
    checks, and the http_auth stuff)
  • Stories!