emk / mephisto
watch download tarball
public
Forks38Right
Watchers162Right
Fork of technoweenie/mephisto
Description: User-friendly blogging with multisite support and asset managment
Homepage: http://mephistoblog.com/
Clone URL: git://github.com/emk/mephisto.git 
multisite: Fix broken article versions
Spyridon Vasileiadis (author)
Sun Mar 15 06:53:26 -0700 2009
emk (committer)
Sun Mar 15 06:56:38 -0700 2009
commit  0535b5ff99d45c94e6cb5d54d8ddaf24081840bd
tree    a89976f39245db9125dfb1dc3f21c0430d87953a
parent  c05e9ee1c3e6580b0bff72051c294cc955581001
mephisto / RAILS-2.2-TODO.txt
100644 69 lines (53 sloc) 2.436 kb
raw blame history 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

This is a list of issues that we need to fix before making a Mephisto
release based on Rails 2.2.
 
/ Try to upgrade to gem version of coderay
/ Fix TZInfo to work again
/ Security audit--see below
/ Fix script/generate
 
  Figure out why Mephisto won't work unless tzinfo is installed
  Fix two intermittent comment failures in mephisto_controller_spec
  Follow up on courtenay's BlueCloth patch
  Add notes about db:create and Unicode to install notes
 
  Make sure we know what's up with plugins
  We need to review our TODO comments
 
== Fixing JavaScripts
 
Our JavaScripts are actually pretty broken, and have been for a while.
 
  Update to latest Prototype
  Fix admin/articles
  Fix admin/assets
  Test other controllers for breakage
 
== Security
 
Here's a list of remaining security work:
 
  Admin only
    For now, we'll assume that users with access to /admin don't try XSS
    Filter file names for uploads
    Can we block file uploads into public?  What about caching?
    Review mass assignment in admin controllers
    Only allow global admin functions on site 1 (or admin domain?)
    Can we isolate articles, etc., from admin to prevent XSS?
    Review http://guides.rubyonrails.org/security.html another time
 
  Later
    Improve password changing
    Can we use SafeERB for Liquid templates?
    Expire sessions after a while?
    Do we need to upgrade to an industrial-strength HTML sanitizer?
    Require the user to enter the old password when changing it
      This will break our password reset system--need a major fix
    Require password to change e-mail address?
    Detect mass assignment failures in unit tests - not really security issue
 
== Mass assignment protection
 
# We need to modify this and put somewhere appropriate.
ActiveRecord::Base.class_eval do
  # Raise an error if mass-assignment occurs during unit tests.  Taken from:
  # http://almosteffortless.com/2008/11/27/raising-protected-attribute-assignme
  def log_protected_attribute_removal(*attributes)
    raise "Can't mass-assign these protected attributes: #{attributes.join(', '
  end
end
 
== After next release
 
  Handle inactive users with named scopes, not acts_as_versioned
  Clean out the issue tracker
    http://ar-code.lighthouseapp.com/projects/34-mephisto
  rake rails:update:javascripts
    (complicated because mephisto/application.js depends on older versions)
  Fix sidebar tabs to do something sensible with unsaved articles