Fixed the 'made some methods public' kludge

1 parent 5a4e2b6 commit 875781d5b4ee55120753d3a04044d8039486899e Philip (flip) Kromer committed May 20, 2008
Showing with 5 additions and 10 deletions.
  1. +3 −10 CHANGELOG
  2. +2 −0 README
@@ -52,16 +52,9 @@ h3. authenticated_system
* added uniform logout! methods
* format.any (as found in access_denied) doesn't work until
http://dev.rubyonrails.org/changeset/8987 lands.
-* cookies are now refreshed each time we cross the logged out/in barrier
- http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens
- http://palisade.plynt.com/issues/2004Jul/safe-auth-practices/
-
-* !!!! Possibly stupid !!!
- Made current_user and logged_in? be public methods. I did this for the worst
- possible reason -- so that I could write story steps that call it directly.
- However, they're already globally public methods in principle through their
- exposure as helper methods. But if there's a less kludgy fix please educate
- me.
+* cookies are now refreshed each time we cross the logged out/in barrier, as
+ "best":http://palisade.plynt.com/issues/2004Jul/safe-auth-practices/
+ "practice":http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens
h3. Other
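Review bot: the deleted "!!!! Possibly stupid !!!" entry documents that current_user and logged_in? were made public controller methods, but this commit changes only CHANGELOG and README (5 additions, 10 deletions), so the visibility change itself is not reverted here; either reference the commit that actually restores the original visibility, or keep a reworded entry so readers know those methods are still public. On the replacement lines, splitting one phrase into two Textile links ("best" to the Plynt article, "practice" to the OWASP session-management page) is hard to read; give each reference its own labelled link, for example "OWASP: Regeneration of Session Tokens" and "Plynt: safe auth practices", so the sentence stays intact.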
@@ -52,12 +52,14 @@ authentication code. The flexible code for resource testing in stories was
extended from "Ben Mabey's.":http://www.benmabey.com/2008/02/04/rspec-plain-text-stories-webrat-chunky-bacon/
h3. Modularize to match security design patterns:
+
* Authentication (currently: password, browser cookie token, HTTP basic)
* Trust metric (email validation)
* Authorization (stateful roles)
* Leave a flexible framework that will play nicely with other access control / policy definition / trust metric plugins
h3. Other
+
* Added a few helper methods for linking to user pages
* Uniform handling of logout, remember_token
* Stricter email, login field validation
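Review bot: the blank lines added after both `h3.` headings are what Textile needs for the following `*` list to start a new block rather than run into the heading, so this is the right fix; for the same reason, add a blank line between the `* Leave a flexible framework` item and `h3. Other`, which in this hunk still sits on the very next line, and consider dropping the trailing colon from the "Modularize to match security design patterns:" heading since the other headings in the file do not end with one.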