h1. Internal Changes to code

As always, this is just a copy-and-pasted version of the CHANGELOG file in the source code tree.

h2. Changes for the May, 2008 version of restful-authentication

h3. Changes to user model

* recently_activated? belongs only if stateful
* Gave migration a 40-char limit on remember_token & an index on users by login
* **Much** stricter login and email validation
* put length constraints in migration too
* password length constrained to the range 6..40
* salt and remember_token are now much less predictable

h3. Changes to session_controller

* use uniform logout function
* use uniform remember_cookie functions
* avoid calling logged_in? which will auto-log-you-in (safe in the face of a logout! call, but idiot-proof)
* Moved reset_session into only the "now logged in" branch
** wherever it goes, it has to be in front of the current_user= call
** See more in README-Tradeoffs.txt
* made a place to take action on failed login attempt
* recycle login and remember_me setting on failed login
* nil'ed out the password field in 'new' view

h3. Changes to users_controller

* use uniform logout function
* use uniform remember_cookie functions
* Moved reset_session into only the "now logged in" branch
** wherever it goes, it has to be in front of the current_user= call
** See more in README-Tradeoffs.txt
* made the implicit login only happen for sites that do not use activation
* On a failed signup, kick you back to the signin screen (but strip out the password & confirmation)
* more descriptive error messages in activate()

h3. users_helper

* link_to_user, link_to_current_user, link_to_signin_with_IP
* if_authorized(action, resource, &block) view function (with appropriate warning)

h3. authenticated_system

* Made authorized? take optional arguments action=nil, resource=nil, *args. This makes its signature better match traditional approaches to access control (e.g. the Reference Monitor in "Security Patterns":http://www.securitypatterns.org/patterns.html)
* authorized? should be a helper too
* added uniform logout! methods
* format.any (as found in access_denied) doesn't work until http://dev.rubyonrails.org/changeset/8987 lands.
* cookies are now refreshed each time we cross the logged out/in barrier, as "best":http://palisade.plynt.com/issues/2004Jul/safe-auth-practices/ "practice":http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens
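
The ordering rule from the session_controller notes (reset_session must run before current_user=) and the cookie refresh across the logged out/in barrier, shown as an added Ruby illustration that is not part of this CHANGELOG or of restful-authentication's own code. FakeSessionsController, its in-memory store and the pre-planted session id are constructed stand-ins for the Rails session machinery.

```ruby
require "securerandom"

# Toy session_controller#create / #destroy over an in-memory session store.
# Constructed for illustration; not restful-authentication's code.
class FakeSessionsController
  attr_reader :session_id, :cookies, :store
  def initialize(session_id, store = Hash.new { |h, k| h[k] = {} })
    @store, @session_id, @cookies = store, session_id, {}
  end

  def session
    @store[@session_id]
  end

  # reset_session: abandon the current id and start a fresh, empty session.
  def reset_session
    @session_id = SecureRandom.hex(16)
  end

  def current_user=(user_id)
    session[:user_id] = user_id
  end

  # Correct order: reset_session first, then bind the user to the NEW id and
  # refresh the remember cookie while crossing the logged-out/in barrier.
  def login_reset_first(user_id)
    reset_session
    self.current_user = user_id
    @cookies[:auth_token] = SecureRandom.hex(16)
  end

  # Wrong order: the user is bound to the old (possibly pre-planted) id and
  # the fresh session starts empty, so the real user looks logged out.
  def login_reset_after(user_id)
    self.current_user = user_id
    reset_session
  end

  # Uniform logout!: drop the remember cookie and the session id itself.
  def logout!
    @cookies.delete(:auth_token)
    reset_session
  end
end
# True when whoever planted the pre-login session id can use it after login.
def fixation_succeeds?(login_method)
  ctl = FakeSessionsController.new("planted-id") # constructed pre-login id
  ctl.public_send(login_method, 42)
  ctl.store["planted-id"][:user_id] == 42
end
```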
h3. Other

* Used escapes <%= %> in email templates (among other reasons, so courtenay's "'dumbass' test":http://tinyurl.com/684g9t doesn't complain)
* Added site key to generator, users.yml.
* Made site key generation idempotent in the most crude and hackish way
* 100% coverage apart from the stateful code. (needed some access_control checks, and the http_auth stuff)
* Stories!