Cleanup some views that were never used and close a gaping security hole

1 parent 5a1c7b0 commit 9c6157795bae4fa17bcc0d3ecaac4638d086c880 @courtenay courtenay committed Aug 5, 2009
@@ -26,15 +26,6 @@ def show
end
end
- def new
- @post = Post.new
-
- respond_to do |format|
- format.html # new.html.erb
- format.xml { render :xml => @post }
- end
- end
-
def edit
respond_to do |format|
format.html # edit.html.erb
@@ -47,7 +38,7 @@ def create
respond_to do |format|
if @post.new_record?
- format.html { render :action => "new" }
+ format.html { redirect_to forum_topic_path(@forum, @topic) }
format.xml { render :xml => @post.errors, :status => :unprocessable_entity }
else
flash[:notice] = 'Post was successfully created.'
@@ -82,14 +73,19 @@ def destroy
protected
def find_parents
if params[:user_id]
- @parent = @user = User.find_by_permalink(params[:user_id])
+ @parent = @user = User.find(params[:user_id])
elsif params[:forum_id]
@parent = @forum = Forum.find_by_permalink(params[:forum_id])
@parent = @topic = @forum.topics.find_by_permalink(params[:topic_id]) if params[:topic_id]
end
end
-
+
def find_post
- @post = @topic.posts.find(params[:id])
+ post = @topic.posts.find(params[:id])
+ if post.user == current_user || current_user.admin?
+ @post = post
+ else
+ raise ActiveRecord::RecordNotFound
+ end
end
-end
+end
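Review bot: The new owner/admin check in `find_post` dereferences `current_user` without a nil guard, so an anonymous request to any action that runs this filter raises NoMethodError on `current_user.admin?` instead of a clean not-found/login response, and a post whose `user` is nil would compare `nil == nil` and let an anonymous caller through. Suggested condition: `unless current_user && (post.user == current_user || current_user.admin?)` followed by the existing `raise ActiveRecord::RecordNotFound`, then `@post = post`. Raising RecordNotFound for an authorization failure is a defensible choice (it does not reveal whether the post exists) but deserves a one-line comment, e.g. `# Owner or admin only; 404 rather than 403 so post existence is not leaked`. Which actions run `find_post` is declared outside this hunk; if it also guards `show`, non-owners can no longer read posts, which is presumably not intended.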
@@ -20,8 +20,9 @@ def create
cookies.delete :auth_token
@user = current_site.users.build(params[:user])
@user.save if @user.valid?
+ @user.register! if @user.valid?
unless @user.new_record?
- @user.register!
+
redirect_back_or_default('/login')
flash[:notice] = "Thanks for signing up! Please click the link in your email to activate your account"
else
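Review bot: `@user.register! if @user.valid?` fires the register event whenever the record validates, regardless of whether the preceding `save` actually succeeded, and it runs the validations a second time; since `save` already validates, the two lines can collapse to `@user.register! if @user.save`, leaving the `unless @user.new_record?` branch untouched. Separately, `current_site.users.build(params[:user])` mass-assigns request-controlled attributes, and the specs in this commit show `admin` is a User column (the make_admin examples), so unless User declares `attr_accessible` or `attr_protected :admin` a signup could submit `user[admin]=1`; that declaration is outside this diff and worth confirming. The `create` action starts and ends outside this hunk.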
@@ -65,7 +65,7 @@ def update_cached_post_fields(post)
self.class.update_all(['last_updated_at = ?, last_user_id = ?, last_post_id = ?, posts_count = ?',
remaining_post.created_at, remaining_post.user_id, remaining_post.id, posts.count], ['id = ?', id])
else
- self.destroy
+ destroy
end
end
@@ -5,7 +5,12 @@ class User
after_create :set_first_user_as_activated
def set_first_user_as_activated
- register! && activate! if site.nil? or site.users.size <= 1
+ puts "set first user as activated"
+ register! && activate! if is_first_user?
+ end
+
+ def is_first_user?
+ site.nil? or site.users.size <= 1
end
# Returns true if the user has just been activated.
@@ -35,6 +35,7 @@ def self.authenticate(login, password)
end
def do_activation
+ puts "do activation"
self.deleted_at = nil
self.activation_code = Digest::SHA1.hexdigest( Time.now.to_s.split(//).sort_by {rand}.join )
@@ -47,6 +48,7 @@ def do_delete
end
def do_activate
+ puts "do activate"
@activated = true
self.activated_at = Time.now.utc
self.deleted_at = nil
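Review bot: The two added lines `puts "do activation"` and `puts "do activate"` are debug output to stdout inside model callbacks and should be removed or changed to `logger.debug` before this lands. While here: the unchanged line just below the first one derives `activation_code` by shuffling `Time.now.to_s` with Kernel#rand, which is not a cryptographic source and is predictable in principle for anyone who knows roughly when the account was created; Rails 2.3, which this commit moves to, ships `ActiveSupport::SecureRandom`, so `self.activation_code = ActiveSupport::SecureRandom.hex(20)` would be a drop-in improvement as a follow-up. Both `do_activation` and `do_activate` continue beyond their hunks.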
@@ -45,7 +45,7 @@
<h1><%=h @user.display_name %> </h1>
<p class="subtitle">
- <%= feed_icon_tag @user.display_name, formatted_user_posts_path(:user_id => @user, :format => :rss) %>
+ <%= feed_icon_tag @user.display_name, user_posts_path(:user_id => @user, :format => :rss) %>
<span>
<%= '{count} topics'[(count=@user.topics.size)==1 ? :topic_count : :topics_count, number_with_delimiter(count)] %>,
<%= '{count} posts'[(count=@user.posts.size)==1 ? :post_count : :posts_count, number_with_delimiter(count)] %>
@@ -5,7 +5,7 @@
# ENV['RAILS_ENV'] ||= 'production'
# Specifies gem version of Rails to use when vendor/rails is not present
-RAILS_GEM_VERSION = '2.3.2' unless defined? RAILS_GEM_VERSION
+RAILS_GEM_VERSION = '2.3.3' unless defined? RAILS_GEM_VERSION
# Bootstrap the Rails environment, frameworks, and default configuration
require File.join(File.dirname(__FILE__), 'boot')
@@ -9,7 +9,7 @@
#
# It's strongly recommended to check this file into your version control system.
-ActiveRecord::Schema.define(:version => 20081213180202) do
+ActiveRecord::Schema.define(:version => 20090317123901) do
create_table "forums", :force => true do |t|
t.integer "site_id"
@@ -41,6 +41,25 @@
t.boolean "active", :default => true
end
+ create_table "open_id_authentication_associations", :force => true do |t|
+ t.binary "server_url"
+ t.string "handle"
+ t.binary "secret"
+ t.integer "issued"
+ t.integer "lifetime"
+ t.string "assoc_type"
+ end
+
+ create_table "open_id_authentication_nonces", :force => true do |t|
+ t.string "nonce"
+ t.integer "created"
+ end
+
+ create_table "open_id_authentication_settings", :force => true do |t|
+ t.string "setting"
+ t.binary "value"
+ end
+
create_table "posts", :force => true do |t|
t.integer "user_id"
t.integer "topic_id"
@@ -1,2 +1,2 @@
-TODO
+# TODO
@@ -132,31 +132,6 @@ def self.included(base)
end
end
-describe PostsController, "GET #new" do
- include PostsControllerParentObjects
- define_models
- act! { get :new, :forum_id => @forum.to_param, :topic_id => @topic.to_param }
- before do
- @post = Post.new
- end
-
- it_assigns :forum, :topic, :parent => lambda { @topic }
-
- it "assigns @post" do
- act!
- assigns[:post].should be_new_record
- end
-
- it_renders :template, :new, :pending => true
-
- describe PostsController, "(xml)" do
- define_models
- act! { get :new, :forum_id => @forum.to_param, :topic_id => @topic.to_param, :format => 'xml' }
- it_assigns :forum, :topic, :parent => lambda { @topic }
- it_renders :xml, :post
- end
-end
-
describe PostsController, "GET #edit" do
include PostsControllerParentObjects
act! { get :edit, :forum_id => @forum.to_param, :topic_id => @topic.to_param, :id => @post.to_param }
@@ -185,7 +160,7 @@ def self.included(base)
act! { post :create, :forum_id => @forum.to_param, :topic_id => @topic.to_param, :post => {:body => ''} }
it_assigns :post, :forum, :topic, :parent => lambda { @topic }
- it_renders :template, :new, :pending => true
+ it_redirects_to { forum_topic_url(@forum, @topic) }
end
describe PostsController, "(successful creation, xml)" do
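Review bot: The commit tightens `find_post` so only the post's author or an admin can reach the guarded actions, but no example is added for the negative case, so the fix has no regression protection in this file. A `describe PostsController, "GET #edit (not the author)"` block that uses the `login_as` helper seen in the other controller specs to log in as someone other than `@post.user` and asserts `lambda { act! }.should raise_error(ActiveRecord::RecordNotFound)` would cover it; the fixture names available for that are not visible here. Removing the GET #new examples matches the deleted action and is fine, and the redirect assertion at the end correctly follows the controller change.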
@@ -51,6 +51,7 @@
act! { get :new }
before do
+ @controller.stub!(:admin_required).and_return(true)
login_as :default
end
@@ -95,6 +96,7 @@
before do
login_as :default
@attributes = {:name => 'yow'}
+ @controller.stub!(:admin_required).and_return(true)
end
describe SitesController, "(successful creation)" do
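Review bot: Stubbing `admin_required` to return true makes the sites#new and sites#create examples pass, but it also removes the authorization filter from under test, so nothing in this file shows that a non-admin is refused. Add one example per action that does not stub the filter, logs in as a non-admin user and asserts the request does not succeed (e.g. `response.should_not be_success`, or whatever `admin_required` does on failure, which is outside this diff). The enclosing describe blocks start outside the hunks.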
@@ -71,7 +71,8 @@
end
it "sends an email to the user on create" do
- pending "Email functionality has not been written"
+ create_user :login => "admin", :email => "admin@example.com"
+ puts "sending emails"
lambda{ create_user }.should change(ActionMailer::Base.deliveries, :size).by(1)
end
@@ -133,15 +134,15 @@ def create_user(options = {})
it "sets admin" do
user = users(:default)
user.admin.should be_false
- put :make_admin, :id => users(:default).to_param, :user => { :admin => "1" }
+ put :make_admin, :id => users(:default).id, :user => { :admin => "1" }
user.reload.admin.should be_true
end
it "unsets admin" do
user = users(:default)
user.update_attribute :admin, true
user.admin.should be_true
- put :make_admin, :id => users(:default).to_param, :user => { }
+ put :make_admin, :id => users(:default).id, :user => { }
user.reload.admin.should be_false
end
end
@@ -156,7 +157,7 @@ def create_user(options = {})
describe UsersController, "(successful save)" do
define_models
- act! { put :update, :id => @user.to_param, :user => @attributes }
+ act! { put :update, :id => @user.id, :user => @attributes }
before do
@user.stub!(:save).and_return(true)
@@ -169,7 +170,7 @@ def create_user(options = {})
define_models :stubbed
%w(display_name openid_url website bio).each do |field|
it "should update #{field}" do
- put :update, :id => @user.to_param, :user => { field, "test" }
+ put :update, :id => @user.id, :user => { field, "test" }
assigns(:user).attributes[field].should == "test"
end
end
@@ -178,7 +179,7 @@ def create_user(options = {})
describe UsersController, "(successful save, xml)" do
define_models
- act! { put :update, :id => @user.to_param, :user => @attributes, :format => 'xml' }
+ act! { put :update, :id => @user.id, :user => @attributes, :format => 'xml' }
before do
@user.stub!(:save).and_return(true)
@@ -190,15 +191,15 @@ def create_user(options = {})
describe UsersController, "(unsuccessful save)" do
define_models
- act! { put :update, :id => @user.to_param, :user => {:email => ''} }
+ act! { put :update, :id => @user.id, :user => {:email => ''} }
it_assigns :user
it_renders :template, :edit
end
describe UsersController, "(unsuccessful save, xml)" do
define_models
- act! { put :update, :id => @user.to_param, :user => {:email => ''}, :format => 'xml' }
+ act! { put :update, :id => @user.id, :user => {:email => ''}, :format => 'xml' }
it_assigns :user
it_renders :xml, :status => :unprocessable_entity do
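Review bot: `puts "sending emails"` is leftover debug output in the "sends an email to the user on create" example and should be removed. The reason for first calling `create_user :login => "admin", :email => "admin@example.com"` is not stated; presumably it ensures the user under test is not the site's first user, which the model now activates immediately and so would not get a signup mail, and a comment like `# create a first user so the one under test is not auto-activated` would make that explicit. The switch from `to_param` to `id` in the update examples mirrors the move to `User.find` in the posts controller, but the users controller's own finder is outside this diff, so confirm it no longer uses `find_by_permalink` either.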
@@ -14,9 +14,9 @@
end
it 'logs in with openid' do
- u = User.new(:openid_url => 'http://foo', :email => 'zoe@girl.com')
+ u = sites(:default).users.new(:openid_url => 'http://foo', :email => 'zoe@girl.com')
u.login = 'zoegirl'
- assert_valid u
+ assert u.valid?, u.errors.inspect
end
it 'increments User.count' do
