more rails 2.3 fixes, security fixes for controllers, reconcile topic…

…s_count, add 'follows' to replace 'mostly_listens_to'
eladmeidar · Mar 22, 2009 · 4ce831b · 4ce831b
1 parent cb94214
commit 4ce831b
Show file tree

Hide file tree

Showing 29 changed files with 74 additions and 42 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base  
   helper :all # all helpers, all the time
 
-  protect_from_forgery  :secret => ALONETONE.secret
+  protect_from_forgery
 
   include AuthenticatedSystem
   before_filter :set_tab, :ie6, :is_sudo
@@ -82,16 +82,16 @@ def find_user
   end
 
   def current_user_is_admin_or_owner?(user)
-    logged_in? && (current_user.id.to_s == user.id.to_s || current_user.admin?)
+    logged_in? && ((current_user.id == user.id) || current_user.admin?)
   end
 
   def current_user_is_admin_or_moderator_or_owner?(user)
     current_user_is_admin_or_owner? || moderator?
   end
 
   def find_asset
-    @asset = @user.assets.find_by_permalink(params[:permalink] || params[:id])
-    @asset = @user.assets.find(params[:id]) if !@asset && params[:id]
+    @asset = Asset.find_by_permalink(params[:permalink] || params[:id])
+    @asset = Asset.find(params[:id]) if !@asset && params[:id]
   end
 
   def find_playlists

diff --git a/app/controllers/assets_controller.rb b/app/controllers/assets_controller.rb
@@ -209,7 +209,7 @@ def update
       end
     else
       if result
-        redirect_to user_track_url(current_user, @asset) 
+        redirect_to user_track_url(@asset.user.login, @asset.permalink) 
       else
         flash[:error] = "There was an issue with updating that track"
         render :action => "edit" 
@@ -251,7 +251,11 @@ def find_referer
 
   def authorized?
     # admin or the owner of the asset can edit/update/delete
-    params[:permalink].nil? || current_user_is_admin_or_owner?(@asset.user)
+    current_user_is_admin_or_owner?(@asset.user) || !dangerous_action?
+  end
+
+  def dangerous_action?
+    %w(destroy update edit mass_edit).include? action_name
   end
 
   def register_listen

diff --git a/app/controllers/playlists_controller.rb b/app/controllers/playlists_controller.rb
@@ -6,8 +6,8 @@ class PlaylistsController < ApplicationController
 
   before_filter :find_tracks, :only => [:show, :edit]
 
-  rescue_from ActiveRecord::RecordNotFound, :with => :not_found
-  rescue_from NoMethodError, :with => :user_not_found
+  #rescue_from ActiveRecord::RecordNotFound, :with => :not_found
+  #rescue_from NoMethodError, :with => :user_not_found
 
   # GET /playlists
   # GET /playlists.xml
@@ -81,6 +81,7 @@ def new
   def edit
     # allow them to add their own assets
     # TODO: this is bad form, should be relocated to assets/index and listens/index
+    # TODO: furthermore, ajax requests currently load all 3 instance vars :(
     @assets = @user.assets.paginate( :all, 
       :limit    => 10, 
       :per_page => 10, 
@@ -95,7 +96,7 @@ def edit
       :page     => params[:listens_page]
     )
 
-    @favorites = Track.favorites.paginate_all_by_user_id(@user.id,
+    @favorites = @user.favorites.tracks.paginate(:all,
       :limit => 10,
       :per_page  => 10,
       :page  =>  params[:favorites_page]

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -53,10 +53,10 @@ def show
         @listens = @user.listens.find(:all, :limit =>5)
         @track_plays = @user.track_plays.from_user.find(:all, :limit =>10) 
         @favorites = Track.favorites.find_all_by_user_id(@user.id, :limit => 5)
-        @mostly_listens_to = @user.mostly_listens_to
         @comments = @user.comments.public.find(:all, :limit => 5) unless display_private_comments_of?(@user)
         @comments = @user.comments.include_private.find(:all, :limit => 5) if display_private_comments_of?(@user)
-
+        @follows = @user.followees
+        @mostly_listens_to = @user.mostly_listens_to
         render
       end
       format.xml { @assets = @user.assets.find(:all, :order => 'created_at DESC', :limit => (params[:limit] || 10))}

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -60,7 +60,7 @@ def awesome_truncate(text, length = 30, truncate_string = "...")
   end
 
   def link_to_play(asset, referer=nil)
-    link_to ' ', formatted_user_track_path(asset.user.login, asset.permalink, :mp3, :referer => referer), :id=>"play-#{asset.unique_id}", :class => 'play_link', :title => 'click to play the mp3'
+    link_to ' ', user_track_path(asset.user.login, asset.permalink, :format => :mp3, :referer => referer), :id=>"play-#{asset.unique_id}", :class => 'play_link', :title => 'click to play the mp3'
   end
 
   def user_nav_item(text, link, options=nil)

diff --git a/app/helpers/users_helper.rb b/app/helpers/users_helper.rb
@@ -29,7 +29,7 @@ def user_location(user)
   def user_image_link(user, size = :large)
     link_to(image_tag(user.avatar(size),
       :class => (user.has_pic? ? '' : 'no_border'),
-      :alt => "#{user.name} on alonetone"), 
+      :alt => "#{user.name}"), 
       user_home_path(user), 
       :title => " #{user.name}
  #{user.assets_count > 0 ? pluralize(user.assets_count,'uploaded tracks') : ''} 

diff --git a/app/models/topic.rb b/app/models/topic.rb
@@ -87,8 +87,8 @@ def check_for_moved_forum
   def set_post_forum_id
     return unless @old_forum_id
     posts.update_all :forum_id => forum_id
-    Forum.update_all "posts_count = posts_count - #{posts_count}", ['id = ?', @old_forum_id]
-    Forum.update_all "posts_count = posts_count + #{posts_count}", ['id = ?', forum_id]
+    Forum.decrement_counter(:topics_count, @old_forum_id)
+    Forum.increment_counter(:topics_count, forum_id)
   end
 
   def count_user_posts_for_counter_cache

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -79,7 +79,7 @@ class User < ActiveRecord::Base
   has_many :followers, :through => :followings
 
   # musicians who this person follows
-  has_many :followees, :through => :follows, :source => :follower
+  has_many :followees, :through => :follows, :source => :user
 
   # The following attributes can be changed via mass assignment 
   attr_accessible :login, :email, :password, :password_confirmation, :website, :myspace,

diff --git a/app/models/user/posting.rb b/app/models/user/posting.rb
@@ -51,8 +51,9 @@ def self.index_from(records)
 
 protected
   def revise_topic(topic, attributes)
-    topic.forum_id = attributes[:forum_id] \
     if attributes[:forum_id]
+      topic.forum_id = attributes[:forum_id]
+    end
 
     topic.title = attributes[:title] \
     if attributes[:title]

diff --git a/app/views/assets/_asset_layout.html.erb b/app/views/assets/_asset_layout.html.erb
@@ -14,5 +14,5 @@
 </div>
 
 <div class="download-button button">
-  <%= link_to ' ', formatted_user_track_path(asset.user, asset.permalink, :mp3, :referer => 'download'), :class=> 'download button', :title => "right-click to download mp3" %>
+  <%= link_to ' ', user_track_path(asset.user, asset.permalink, :format => :mp3, :referer => 'download'), :class=> 'download button', :title => "right-click to download mp3" %>
 </div>
diff --git a/app/views/assets/_asset_tabs.html.erb b/app/views/assets/_asset_tabs.html.erb
@@ -19,7 +19,7 @@
                 <div class='min_height_50'>
                 <h3><%=h asset.name %></h3>
                 <%= awesome_truncate((asset.description), 260, 
-                  ('... '+link_to('(more)',user_track_path(asset.user, asset)))) %>
+                  ('... '+link_to('(more)',user_track_path(asset.user, asset.permalink)))) %>
                 <% if authorized_for(asset) && !asset.present?(:description) %>
                     <span class="hint">
                     <%= link_to 'Add a description now',edit_user_track_path(asset.user, asset),:class => :hint %> 

diff --git a/app/views/assets/_big_share.html.erb b/app/views/assets/_big_share.html.erb
@@ -4,12 +4,12 @@
         The link to this page (the song's "home"):<br/>
         <%= text_field_tag "home_#{id}", user_track_url(@asset.user, @asset.permalink), :size => 40,:class => 'tabbed_input' %> <br/>
         Direct download link:<br/>
-        <%= text_field_tag "link_#{id}", formatted_user_track_url(@asset.user, @asset.permalink, :mp3), :size => 40, :class => 'tabbed_input' %>
+        <%= text_field_tag "link_#{id}", user_track_url(@asset.user, @asset.permalink, :format => :mp3), :size => 40, :class => 'tabbed_input' %>
     </div>
 
     <div class="static_content ">
         <h3>Embedded Flash Player (for myspace, blog, etc)</h3>
-        <%= text_area_tag 'flash_player', "<embed src=\"#{FLASH_PLAYER}\" width=\"250\" height=\"20\" allowfullscreen=\"true\" allowscriptaccess=\"always\" flashvars=\"&file=#{formatted_user_track_url(@asset.user, @asset.permalink, :mp3)}&height=20&width=250&frontcolor=0x3C3C3C&backcolor=0xf3f3f3&lightcolor=0xFF944B&screencolor=0xFF944B&showdigits=false\" />", :rows => 4, :cols =>40 %>
+        <%= text_area_tag 'flash_player', "<embed src=\"#{FLASH_PLAYER}\" width=\"250\" height=\"20\" allowfullscreen=\"true\" allowscriptaccess=\"always\" flashvars=\"&file=#{user_track_url(@asset.user, @asset.permalink, :format => :mp3)}&height=20&width=250&frontcolor=0x3C3C3C&backcolor=0xf3f3f3&lightcolor=0xFF944B&screencolor=0xFF944B&showdigits=false\" />", :rows => 4, :cols =>40 %>
         (customize how it looks by visiting <%= link_to 'the setup wizard', 'http://www.jeroenwijering.com/?page=wizard&example=2'%>)
     </div>
 

diff --git a/app/views/assets/_edit.html.erb b/app/views/assets/_edit.html.erb
@@ -1,5 +1,5 @@
 <div class="track_options">
-<%= link_to " ", destroy_user_track_path(@user, @asset), :method => :delete, 
+<%= link_to " ", destroy_user_track_path(@user.login, @asset.permalink), :method => :delete, 
 :confirm => 'Are you sure? This will delete the song permanently, including all play history and comments.',
 :class => 'delete_green'%>
 </div>

diff --git a/app/views/features/show.html.erb b/app/views/features/show.html.erb
@@ -61,7 +61,7 @@
 
    <%= render :partial => 'featured_tracks'%>
 
-   <%= render :partial => 'users/mostly_listens_to' if @feature.featured_user.has_tracks? %>
+   <%= render :partial => 'users/follows' if @feature.featured_user.has_tracks? %>
    <h2 class="box">Comments</h2>
       <% @single_track = true %>
       <%= render :partial => 'shared/comment', :collection => @comments %>

diff --git a/app/views/forums/index.html.erb b/app/views/forums/index.html.erb
@@ -2,7 +2,7 @@
     
     <% content_for :extras do %>
         <%= topic_count %>, <%= post_count %>
-        <%= feed_icon_tag "Recent Posts", formatted_posts_path(:format => 'atom') %>
+        <%= feed_icon_tag "Recent Posts", posts_path(:format => 'atom') %>
     <% end %>
 
     

diff --git a/app/views/forums/show.html.erb b/app/views/forums/show.html.erb
@@ -11,7 +11,7 @@
     <% content_for :extras do %>
       <%= pluralize @forum.topics.size, 'topics' %>, 
       <%= pluralize @forum.posts.size, 'posts' %>
-      <%= feed_icon_tag @forum.name, formatted_forum_posts_path(@forum, :atom)%> 
+      <%= feed_icon_tag @forum.name, forum_posts_path(@forum, :format => :atom)%> 
     <% end %>
 
     <table border="0" cellspacing="0" cellpadding="0" class="wide topics">

diff --git a/app/views/pages/itunes.html.haml b/app/views/pages/itunes.html.haml
@@ -21,7 +21,7 @@
       = current_user.name + ':'
       %br
         %strong
-          = formatted_user_url(current_user, :rss)
+          = user_url(current_user, :format => :rss)
     - else
       = link_to 'log in', login_path
       and we'll show you which link you should submit.

diff --git a/app/views/playlists/show.xml.builder b/app/views/playlists/show.xml.builder
@@ -10,7 +10,7 @@ xml.playlist(:version => 1, :xmlns => "http://xspf.org/ns/0/") do
         xml.title(track.asset.name)
         xml.creator(track.asset.user.name)
         xml.image(@playlist.cover(:large))
-        xml.location(formatted_user_track_url(track.asset.user, track.asset.permalink, :mp3))
+        xml.location(user_track_url(track.asset.user, track.asset.permalink, :format => :mp3))
         xml.info(user_track_url(track.asset.user, track.asset.permalink))
       end
     end

diff --git a/app/views/shared/_asset.rss.builder b/app/views/shared/_asset.rss.builder
@@ -1,5 +1,5 @@
 xml.item do
-  url = formatted_user_track_url(asset.user, asset, :mp3, :referer => 'itunes')
+  url = user_track_url(asset.user, asset, :format => :mp3, :referer => 'itunes')
   xml.title  asset.name 
   xml.link  user_track_url(asset.user, asset)
   xml.guid url

diff --git a/app/views/topics/show.html.erb b/app/views/topics/show.html.erb
@@ -30,7 +30,7 @@
     <% content_for :extras do %>
       <%= pluralize @topic.posts.size, 'post' %>, 
       <%= pluralize @topic.voices.size, 'person' %> talking
-      <%= feed_icon_tag @topic.title, formatted_posts_path(:atom,:forum_id => @forum, :topic_id => @topic) %>
+      <%= feed_icon_tag @topic.title, posts_path(:format => :atom,:forum_id => @forum, :topic_id => @topic) %>
 
     <% end %>
 

diff --git a/app/views/users/_follows.html.erb b/app/views/users/_follows.html.erb
@@ -0,0 +1,19 @@
+<% if present?(@follows) %>
+  <h2 class="box">Follows</h2>
+  <div id="follows" class="box static_content clearfix">
+
+      <%= render :partial => 'shared/small_user', :collection => @follows %>
+
+      <div class="clear"></div>
+  </div>
+<% else %>
+  <h2 class="box">Listens to</h2>
+  <div id="follows" class="box static_content clearfix">
+
+      <%= render :partial => 'shared/small_user', :collection => @mostly_listens_to %>
+
+      <div class="clear"></div>
+  </div>
+<% end %>
+
+<div class="footer_box empty"></div>
diff --git a/app/views/users/_map.html.erb b/app/views/users/_map.html.erb
@@ -10,7 +10,7 @@
   function mapit() {
 
     var map = new google.maps.Map2(document.getElementById("map"));
-    var gx = new google.maps.GeoXml("<%= formatted_users_url(:rss) %>");
+    var gx = new google.maps.GeoXml("<%= users_url(:format => :rss) %>");
 
     map.setCenter(new google.maps.LatLng(37.4419, -122.1419), 2);
     map.addControl(new google.maps.SmallMapControl(),new GControlPosition(G_ANCHOR_BOTTOM_RIGHT, new GSize(10,10)));

diff --git a/app/views/users/_mostly_listens_to.html.erb b/app/views/users/_mostly_listens_to.html.erb
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
@@ -26,7 +26,7 @@
 
     	  <%= render :partial => 'favorites' if present?(@favorites) %>
     
-        <%= render :partial => 'mostly_listens_to' if @mostly_listens_to.size > 2 %>
+        <%= render :partial => 'follows' if present?(@mostly_listens_to) or present?(@follows)  %>
     	  
     	  <%= render :partial => 'listens' if @listens.size > 0 %>	
     		

diff --git a/app/views/users/show.xml.builder b/app/views/users/show.xml.builder
@@ -10,7 +10,7 @@ xml.playlist(:version => 1, :xmlns => "http://xspf.org/ns/0/") do
         xml.title(track.name)
         xml.creator(@user.name)
         xml.image(@user.avatar(:album))
-        xml.location(formatted_user_track_url(@user, track.permalink, :mp3))
+        xml.location(user_track_url(@user, track.permalink, :format => :mp3))
         xml.info(user_track_url(@user, track.permalink))
       end
     end

diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -24,4 +24,5 @@
 }
 
 config.action_mailer.smtp_settings   = ey_smtp_settings
-config.action_mailer.delivery_method = :smtp
+config.action_mailer.delivery_method = :smtp
+config.action_view.cache_template_loading = true
diff --git a/db/migrate/20090322145712_reconcile_forum_topic_counts.rb b/db/migrate/20090322145712_reconcile_forum_topic_counts.rb
@@ -0,0 +1,10 @@
+class ReconcileForumTopicCounts < ActiveRecord::Migration
+  def self.up
+    Forum.all.each do |forum|
+      Forum.update_all "topics_count = #{forum.topics.count}", ['id = ?', forum.id]
+    end
+  end
+
+  def self.down
+  end
+end
diff --git a/public/stylesheets/sass/alonetone.sass b/public/stylesheets/sass/alonetone.sass
@@ -494,7 +494,7 @@
     :margin-right 24px
   :height 60px
 
-#mostly_listens_to
+#follows
   :padding-bottom 0px
   :margin-bottom -10px
   :padding-right 0px

diff --git a/public/stylesheets/sass/tabs.sass b/public/stylesheets/sass/tabs.sass
@@ -152,6 +152,10 @@ div.tabs
         :top 7px
         :left 15px
         :height 100%
+        a
+          :width 50px
+          :height 50px
+          :overflow hidden
         a img
           :border 1px solid #9fa28d
           :height 50px