Applied Luke's session patch (ticket 244) in which the user.id only is stored in the session object, rather than the whole user object. This improves security and also makes the session much smaller and less fragile.

I made a small change to the signup method, because the previous method had broken at some point, and was no longer preventing non-admin users from signing others up. I suspect that this had to do with the cross-database differences in the way that booleans are handled, so I changed the method to use ActiveRecord to find the logged-in user (thus automatically translating appropriately between 1/0 and 't'/'f').

The tests concerning users and login also broke with the changes in this patch, so I fixed those, and added some of the new Integration tests.

git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@215 a4c988fc-2ded-0310-b66e-134b36920a42
This commit is contained in:
bsag 2006-04-08 17:46:41 +00:00
parent 654bec2239
commit 49cde85039
17 changed files with 194 additions and 131 deletions

@ -31,7 +31,7 @@ class ContextController < ApplicationController
# Creates a new context via Ajax helpers
#
def new_context
context = @session['user'].contexts.build
context = @user.contexts.build
context.attributes = @params['context']
context.name = deurlize(context.name)
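Review bot: `new_context` now builds on `@user` instead of `@session['user']`, but nothing in this hunk assigns `@user`, and the only assignment visible on this page (`@user = @session['user']` in `check_user_set_context`) is being removed by this same commit. Since the session now holds only `user.id`, make sure a before filter that loads the user from the database by that id runs ahead of `new_context`; otherwise `@user` is nil here and `@user.contexts` raises NoMethodError instead of a clean redirect to login.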
@ -177,7 +177,6 @@ class ContextController < ApplicationController
protected
def check_user_set_context
@user = @session['user']
if @params["name"]
@context = Context.find_by_name_and_user_id(deurlize(@params["name"]), @user.id)
elsif @params['id']
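Review bot: the removal of `@user = @session['user']` leaves `check_user_set_context` still dereferencing `@user.id` two lines later with no local guard, so the method now depends entirely on filter ordering. Suggest either adding an explicit `return ... unless @user` at the top of the method or documenting in a comment which before filter is responsible for setting `@user`, so a later reordering of filters does not silently turn a "not logged in" case into a 500.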
@ -189,35 +188,33 @@ class ContextController < ApplicationController
return @context
else
@context = nil # Should be nil anyway.
flash["warning"] = "Item and session user mis-match: #{@context.user_id} and #{@session['user'].id}!"
flash["warning"] = "Item and session user mis-match: #{@context.user_id} and #{@user.id}!"
render_text ""
end
end
def check_user_matches_context_user(id)
@user = @session['user']
@context = Context.find_by_id_and_user_id(id, @user.id)
if @user == @context.user
return @context
else
@context = nil
flash["warning"] = "Project and session user mis-match: #{@context.user_id} and #{@session['user'].id}!"
flash["warning"] = "Project and session user mis-match: #{@context.user_id} and #{@user.id}!"
render_text ""
end
end
def check_user_return_item
item = Todo.find( @params['id'] )
if @session['user'] == item.user
if @user == item.user
return item
else
flash["warning"] = "Item and session user mis-match: #{item.user.name} and #{@session['user'].name}!"
flash["warning"] = "Item and session user mis-match: #{item.user.name} and #{@user.name}!"
render_text ""
end
end
def init
@user = @session['user']
@projects = @user.projects.collect { |x| x.done? ? nil:x }.compact
@contexts = @user.contexts
@todos = @user.todos
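Review bot: the `else` branches in `check_user_set_context` and `check_user_matches_context_user` set `@context = nil` and then interpolate `#{@context.user_id}` into the flash on the very next line, which raises NoMethodError on nil, so the mismatch warning can never actually be rendered; capture the id into a local before clearing `@context`, or drop it from the message. Relatedly, `Context.find_by_id_and_user_id(id, @user.id)` already returns nil on a user mismatch, so `if @user == @context.user` raises before reaching the `else` at all; checking `if @context` (and treating nil as the mismatch case) would make the ownership check behave as the flash message intends. The `@session['user']` to `@user` substitutions themselves are consistent with the rest of the patch.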