
Add users and sessions

1 parent 9ea1dc7 commit fdf5bcd0e8d704fefed157a41ce829fa9a0ee3bd @guilleiguaran committed Sep 20, 2012
28 Gemfile
@@ -1,38 +1,24 @@
source 'https://rubygems.org'
-gem 'rails', '3.2.6'
-
-# Bundle edge Rails instead:
-# gem 'rails', :git => 'git://github.com/rails/rails.git'
-
+gem 'rails', '3.2.8'
+gem 'strong_parameters', github: 'rails/strong_parameters'
gem 'sqlite3'
+gem 'rack', '1.4.0'
# Gems used only for assets and not required
# in production environments by default.
group :assets do
gem 'sass-rails', '~> 3.2.3'
gem 'coffee-rails', '~> 3.2.1'
-
- # See https://github.com/sstephenson/execjs#readme for more supported runtimes
- # gem 'therubyracer', :platforms => :ruby
-
+ gem 'therubyracer', :platforms => :ruby
gem 'uglifier', '>= 1.0.3'
end
gem 'jquery-rails'
# To use ActiveModel has_secure_password
-# gem 'bcrypt-ruby', '~> 3.0.0'
-
-# To use Jbuilder templates for JSON
-# gem 'jbuilder'
-
-# Use unicorn as the app server
-# gem 'unicorn'
-
-# Deploy with Capistrano
-# gem 'capistrano'
+gem 'bcrypt-ruby', '~> 3.0.0'
-# To use debugger
-# gem 'debugger'
+# Use puma as the app server
+gem 'puma'
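Review bot: `gem 'rack', '1.4.0'` is an exact pin that moves rack down from the 1.4.1 the previous lockfile had resolved, so later 1.4.x fixes will be skipped on every `bundle update`; if a specific incompatibility forces this, add a comment naming it, otherwise `gem 'rack', '~> 1.4.0'`. `gem 'strong_parameters', github: 'rails/strong_parameters'` carries no `ref:`/`tag:` — the lockfile pins a revision today, but `bundle update` will fetch whatever the branch head is at that moment; pin it, e.g. `github: 'rails/strong_parameters', ref: '0a0f8426'`, or use the released gem. `bcrypt-ruby` is added for `has_secure_password`, but that call stays commented out in `app/models/user.rb`, so the dependency is unused by this commit.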
74 Gemfile.lock
@@ -1,34 +1,44 @@
+GIT
+ remote: git://github.com/rails/strong_parameters.git
+ revision: 0a0f8426915853b9ff78dbfff6ab2d0b7b1167d8
+ specs:
+ strong_parameters (0.1.3)
+ actionpack (>= 3.2.0)
+ activemodel (>= 3.2.0)
+ railties (>= 3.2.0)
+
GEM
remote: https://rubygems.org/
specs:
- actionmailer (3.2.6)
- actionpack (= 3.2.6)
+ actionmailer (3.2.8)
+ actionpack (= 3.2.8)
mail (~> 2.4.4)
- actionpack (3.2.6)
- activemodel (= 3.2.6)
- activesupport (= 3.2.6)
+ actionpack (3.2.8)
+ activemodel (= 3.2.8)
+ activesupport (= 3.2.8)
builder (~> 3.0.0)
erubis (~> 2.7.0)
- journey (~> 1.0.1)
+ journey (~> 1.0.4)
rack (~> 1.4.0)
rack-cache (~> 1.2)
rack-test (~> 0.6.1)
sprockets (~> 2.1.3)
- activemodel (3.2.6)
- activesupport (= 3.2.6)
+ activemodel (3.2.8)
+ activesupport (= 3.2.8)
builder (~> 3.0.0)
- activerecord (3.2.6)
- activemodel (= 3.2.6)
- activesupport (= 3.2.6)
+ activerecord (3.2.8)
+ activemodel (= 3.2.8)
+ activesupport (= 3.2.8)
arel (~> 3.0.2)
tzinfo (~> 0.3.29)
- activeresource (3.2.6)
- activemodel (= 3.2.6)
- activesupport (= 3.2.6)
- activesupport (3.2.6)
+ activeresource (3.2.8)
+ activemodel (= 3.2.8)
+ activesupport (= 3.2.8)
+ activesupport (3.2.8)
i18n (~> 0.6)
multi_json (~> 1.0)
arel (3.0.2)
+ bcrypt-ruby (3.0.1)
builder (3.0.3)
coffee-rails (3.2.2)
coffee-script (>= 2.2.0)
@@ -47,31 +57,34 @@ GEM
railties (>= 3.1.0, < 5.0)
thor (~> 0.14)
json (1.7.5)
+ libv8 (3.3.10.4)
mail (2.4.4)
i18n (>= 0.4.0)
mime-types (~> 1.16)
treetop (~> 1.4.8)
mime-types (1.19)
multi_json (1.3.6)
polyglot (0.3.3)
- rack (1.4.1)
+ puma (1.6.3)
+ rack (~> 1.2)
+ rack (1.4.0)
rack-cache (1.2)
rack (>= 0.4)
rack-ssl (1.3.2)
rack
rack-test (0.6.1)
rack (>= 1.0)
- rails (3.2.6)
- actionmailer (= 3.2.6)
- actionpack (= 3.2.6)
- activerecord (= 3.2.6)
- activeresource (= 3.2.6)
- activesupport (= 3.2.6)
+ rails (3.2.8)
+ actionmailer (= 3.2.8)
+ actionpack (= 3.2.8)
+ activerecord (= 3.2.8)
+ activeresource (= 3.2.8)
+ activesupport (= 3.2.8)
bundler (~> 1.0)
- railties (= 3.2.6)
- railties (3.2.6)
- actionpack (= 3.2.6)
- activesupport (= 3.2.6)
+ railties (= 3.2.8)
+ railties (3.2.8)
+ actionpack (= 3.2.8)
+ activesupport (= 3.2.8)
rack-ssl (~> 1.3.2)
rake (>= 0.8.7)
rdoc (~> 3.4)
@@ -89,6 +102,8 @@ GEM
rack (~> 1.0)
tilt (~> 1.1, != 1.3.0)
sqlite3 (1.3.6)
+ therubyracer (0.10.2)
+ libv8 (~> 3.3.10)
thor (0.16.0)
tilt (1.3.3)
treetop (1.4.10)
@@ -103,9 +118,14 @@ PLATFORMS
ruby
DEPENDENCIES
+ bcrypt-ruby (~> 3.0.0)
coffee-rails (~> 3.2.1)
jquery-rails
- rails (= 3.2.6)
+ puma
+ rack (= 1.4.0)
+ rails (= 3.2.8)
sass-rails (~> 3.2.3)
sqlite3
+ strong_parameters!
+ therubyracer
uglifier (>= 1.0.3)
9 README.md
@@ -0,0 +1,9 @@
+Vulnerabilities:
+
+1. Parameters tampering
+ - Body paramas tampering
+ - Cookie tampering
+
+2. SQL Injection
+
+3. Sensitive info saved unencrypted
3 app/assets/javascripts/sessions.js.coffee
@@ -0,0 +1,3 @@
+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://jashkenas.github.com/coffee-script/
3 app/assets/javascripts/users.js.coffee
@@ -0,0 +1,3 @@
+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://jashkenas.github.com/coffee-script/
69 app/assets/stylesheets/scaffolds.css.scss
@@ -0,0 +1,69 @@
+body {
+ background-color: #fff;
+ color: #333;
+ font-family: verdana, arial, helvetica, sans-serif;
+ font-size: 13px;
+ line-height: 18px;
+}
+
+p, ol, ul, td {
+ font-family: verdana, arial, helvetica, sans-serif;
+ font-size: 13px;
+ line-height: 18px;
+}
+
+pre {
+ background-color: #eee;
+ padding: 10px;
+ font-size: 11px;
+}
+
+a {
+ color: #000;
+ &:visited {
+ color: #666;
+ }
+ &:hover {
+ color: #fff;
+ background-color: #000;
+ }
+}
+
+div {
+ &.field, &.actions {
+ margin-bottom: 10px;
+ }
+}
+
+#notice {
+ color: green;
+}
+
+.field_with_errors {
+ padding: 2px;
+ background-color: red;
+ display: table;
+}
+
+#error_explanation {
+ width: 450px;
+ border: 2px solid red;
+ padding: 7px;
+ padding-bottom: 0;
+ margin-bottom: 20px;
+ background-color: #f0f0f0;
+ h2 {
+ text-align: left;
+ font-weight: bold;
+ padding: 5px 5px 5px 15px;
+ font-size: 12px;
+ margin: -7px;
+ margin-bottom: 0px;
+ background-color: #c00;
+ color: #fff;
+ }
+ ul li {
+ font-size: 12px;
+ list-style: square;
+ }
+}
3 app/assets/stylesheets/sessions.css.scss
@@ -0,0 +1,3 @@
+// Place all the styles related to the sessions controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: http://sass-lang.com/
3 app/assets/stylesheets/users.css.scss
@@ -0,0 +1,3 @@
+// Place all the styles related to the Users controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: http://sass-lang.com/
7 app/controllers/application_controller.rb
@@ -1,3 +1,8 @@
class ApplicationController < ActionController::Base
- protect_from_forgery
+ #protect_from_forgery
+ protected
+
+ def current_user
+ @current_user ||= User.find(cookies[:user_id]) if cookies[:user_id]
+ end
end
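Review bot: `current_user` trusts a plain, unsigned `cookies[:user_id]`, and the line above it comments out `protect_from_forgery`, so every state-changing action in the app now also accepts cross-site requests. Cookie tampering is listed in the README but CSRF is not; either add it to the list or restore `protect_from_forgery`. `User.find` additionally raises `ActiveRecord::RecordNotFound` whenever the cookie holds a stale id, which becomes an error on every page for that browser until the cookie is cleared; `User.find_by_id(cookies[:user_id])` returns nil instead. If the unsigned cookie is the intended demo, `cookies.signed[:user_id]` is the one-line fix to apply once the demo is done.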
25 app/controllers/sessions_controller.rb
@@ -0,0 +1,25 @@
+class SessionsController < ApplicationController
+ def new
+ end
+
+ def create
+
+ end
+
+ def create
+ #user = User.find_by_email(params[:email])
+ #if user && user.authenticate(params[:password])
+ if user = User.find_by_sql("SELECT users WHERE email = '#{params[:email]}' AND password = '#{params[:password]}'")
+ cookies[:user_id] = user.id
+ redirect_to root_url, :notice => "Logged in!"
+ else
+ flash.now.alert = "Invalid email or password"
+ render "new"
+ end
+ end
+
+ def destroy
+ cookies[:user_id] = nil
+ redirect_to root_url, :notice => "Logged out!"
+ end
+end
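Review bot: The login query in `create` can never succeed: `SELECT users WHERE email = ...` has no column list and no FROM clause, so the database rejects it with `ActiveRecord::StatementInvalid`, and even with that fixed `find_by_sql` returns an Array, which is truthy when empty, so the `else` branch is unreachable and `user.id` raises NoMethodError. If the string-interpolated query is kept on purpose for the README's SQL-injection item, it still needs `if user = User.find_by_sql("SELECT * FROM users WHERE email = '#{params[:email]}' AND password = '#{params[:password]}'").first`; the injection-free form is the commented `find_by_email` / `authenticate` pair just above it. `create` is also defined twice, and Ruby silently replaces the empty first definition — drop it. In `destroy`, `cookies.delete(:user_id)` removes the cookie instead of rewriting it with an empty value.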
94 app/controllers/users_controller.rb
@@ -0,0 +1,94 @@
+class UsersController < ApplicationController
+ # GET /users
+ # GET /users.json
+ def index
+ @users = User.all
+
+ respond_to do |format|
+ format.html # index.html.erb
+ format.json { render json: @users }
+ end
+ end
+
+ # GET /users/1
+ # GET /users/1.json
+ def show
+ @user = User.find(params[:id])
+
+ respond_to do |format|
+ format.html # show.html.erb
+ format.json { render json: @user }
+ end
+ end
+
+ # GET /users/new
+ # GET /users/new.json
+ def new
+ @user = User.new
+
+ respond_to do |format|
+ format.html # new.html.erb
+ format.json { render json: @user }
+ end
+ end
+
+ # GET /users/1/edit
+ def edit
+ @user = User.find(params[:id])
+ end
+
+ # POST /users
+ # POST /users.json
+ def create
+ @user = User.new(user_params)
+
+ respond_to do |format|
+ if @user.save
+ format.html { redirect_to @user, notice: 'User was successfully created.' }
+ format.json { render json: @user, status: :created, location: @user }
+ else
+ format.html { render action: "new" }
+ format.json { render json: @user.errors, status: :unprocessable_entity }
+ end
+ end
+ end
+
+ # PATCH/PUT /users/1
+ # PATCH/PUT /users/1.json
+ def update
+ @user = User.find(params[:id])
+
+ respond_to do |format|
+ if @user.update_attributes(user_params)
+ format.html { redirect_to @user, notice: 'User was successfully updated.' }
+ format.json { head :no_content }
+ else
+ format.html { render action: "edit" }
+ format.json { render json: @user.errors, status: :unprocessable_entity }
+ end
+ end
+ end
+
+ # DELETE /users/1
+ # DELETE /users/1.json
+ def destroy
+ @user = User.find(params[:id])
+ @user.destroy
+
+ respond_to do |format|
+ format.html { redirect_to users_url }
+ format.json { head :no_content }
+ end
+ end
+
+ private
+
+ # Use this method to whitelist the permissible parameters. Example:
+ # params.require(:person).permit(:name, :age)
+ # Also, you can specialize this method with per-user checking of permissible attributes.
+ def user_params
+ # 2.2 This is vulnerable to parameters tampering.
+ params[:user]
+ #params.require(:user).permit(:email, :password_digest)
+ end
+end
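Review bot: No action in this controller consults `current_user`, so an anonymous request can list, create, edit and delete any user and set `admin`; the README covers parameter tampering, not unauthenticated access to the whole resource. A filter such as `before_filter :require_admin` with `def require_admin; redirect_to root_url, :alert => 'Not authorized' unless current_user && current_user.admin; end` would close that without touching the mass-assignment demo in `user_params`. The `format.json` branches in `index` and `show` serialize every column, so they return `password_digest` (and the clear-text `password` column this commit adds); `render json: @users.as_json(:only => [:id, :email, :admin])` limits the output. The commented permit list `permit(:email, :password_digest)` should become `permit(:email, :password, :password_confirmation)` once `has_secure_password` is enabled — the digest must never be client-supplied.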
2 app/helpers/sessions_helper.rb
@@ -0,0 +1,2 @@
+module SessionsHelper
+end
2 app/helpers/users_helper.rb
@@ -0,0 +1,2 @@
+module UsersHelper
+end
3 app/models/user.rb
@@ -0,0 +1,3 @@
+class User < ActiveRecord::Base
+ # has_secure_password
+end
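Review bot: `has_secure_password` is commented out even though the Gemfile adds `bcrypt-ruby` for exactly that, and a second migration in this commit adds a clear-text `password` column next to `password_digest` that `SessionsController#create` compares against directly. If clear-text storage is the README's item 3 on purpose, say so here, e.g. `# INTENTIONAL: passwords are stored and compared in clear text (README item 3); enable has_secure_password to fix`; otherwise uncomment `has_secure_password` and drop the `password` column. The model also has no `validates :email, :presence => true, :uniqueness => true`, so the commented `find_by_email` login path could match an arbitrary row among duplicates.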
29 app/views/users/_form.html.erb
@@ -0,0 +1,29 @@
+<%= form_for(@user) do |f| %>
+ <% if @user.errors.any? %>
+ <div id="error_explanation">
+ <h2><%= pluralize(@user.errors.count, "error") %> prohibited this user from being saved:</h2>
+
+ <ul>
+ <% @user.errors.full_messages.each do |msg| %>
+ <li><%= msg %></li>
+ <% end %>
+ </ul>
+ </div>
+ <% end %>
+
+ <div class="field">
+ <%= f.label :email %><br />
+ <%= f.text_field :email %>
+ </div>
+ <div class="field">
+ <%= f.label :password_digest %><br />
+ <%= f.text_field :password_digest %>
+ </div>
+ <div class="field">
+ <%= f.label :admin %><br />
+ <%= f.check_box :admin %>
+ </div>
+ <div class="actions">
+ <%= f.submit %>
+ </div>
+<% end %>
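Review bot: The form renders the stored digest as `f.text_field :password_digest` and offers an `admin` checkbox to whoever can reach the page, so the admin flag is not merely tamperable but presented outright. Use `f.password_field :password` (with `has_secure_password` the virtual attribute is `password`, not `password_digest`) and wrap the admin field in `<% if current_user && current_user.admin %>`; note that `current_user` is `protected` in ApplicationController and needs a `helper_method :current_user` before a view can call it. If the exposed checkbox is the intended tampering demo, an ERB comment saying so would keep the next reader from "fixing" it.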
6 app/views/users/edit.html.erb
@@ -0,0 +1,6 @@
+<h1>Editing user</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Show', @user %> |
+<%= link_to 'Back', users_path %>
27 app/views/users/index.html.erb
@@ -0,0 +1,27 @@
+<h1>Listing users</h1>
+
+<table>
+ <tr>
+ <th>Email</th>
+ <th>Password digest</th>
+ <th>Admin</th>
+ <th></th>
+ <th></th>
+ <th></th>
+ </tr>
+
+<% @users.each do |user| %>
+ <tr>
+ <td><%= user.email %></td>
+ <td><%= user.password_digest %></td>
+ <td><%= user.admin %></td>
+ <td><%= link_to 'Show', user %></td>
+ <td><%= link_to 'Edit', edit_user_path(user) %></td>
+ <td><%= link_to 'Destroy', user, method: :delete, data: { confirm: 'Are you sure?' } %></td>
+ </tr>
+<% end %>
+</table>
+
+<br />
+
+<%= link_to 'New User', new_user_path %>
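Review bot: The index table prints `user.password_digest` for every account to any visitor, which exposes the credential column wholesale; the same value is printed in show.html.erb. Drop the `<td><%= user.password_digest %></td>` cell and its `<th>Password digest</th>` header. If this listing is meant to illustrate the README's "sensitive info" item, an ERB comment on the cell should say so.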
5 app/views/users/new.html.erb
@@ -0,0 +1,5 @@
+<h1>New user</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Back', users_path %>
20 app/views/users/show.html.erb
@@ -0,0 +1,20 @@
+<p id="notice"><%= notice %></p>
+
+<p>
+ <b>Email:</b>
+ <%= @user.email %>
+</p>
+
+<p>
+ <b>Password digest:</b>
+ <%= @user.password_digest %>
+</p>
+
+<p>
+ <b>Admin:</b>
+ <%= @user.admin %>
+</p>
+
+
+<%= link_to 'Edit', edit_user_path(@user) %> |
+<%= link_to 'Back', users_path %>
2 config/routes.rb
@@ -1,4 +1,6 @@
VulnerableApp::Application.routes.draw do
+ resources :users
+
# The priority is based upon order of creation:
# first created -> highest priority.
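Review bot: `resources :users` routes all seven actions, including `index` and `destroy`, with no authentication visible anywhere in this commit, and no route for `SessionsController` or a `root` appears in this hunk even though `sessions#create` and `#destroy` redirect to `root_url`. The routes block continues past the hunk, so those may be defined further down; if not, login and logout are unreachable. `resources :sessions, :only => [:new, :create, :destroy]` and `root :to => 'users#index'` would cover them.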
11 db/migrate/20120920170055_create_users.rb
@@ -0,0 +1,11 @@
+class CreateUsers < ActiveRecord::Migration
+ def change
+ create_table :users do |t|
+ t.string :email
+ t.string :password_digest
+ t.boolean :admin
+
+ t.timestamps
+ end
+ end
+end
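Review bot: `t.boolean :admin` has neither a default nor a NOT NULL constraint, so new rows get `admin = nil` and every privilege check depends on how the caller treats nil; `t.boolean :admin, :default => false, :null => false` pins the safe default. `email` has no index or uniqueness constraint either, so duplicate accounts are possible and the login lookup is a full table scan; add `add_index :users, :email, :unique => true` after the `create_table` block.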
5 db/migrate/20120920172409_add_password_to_users.rb
@@ -0,0 +1,5 @@
+class AddPasswordToUsers < ActiveRecord::Migration
+ def change
+ add_column :users, :password, :string
+ end
+end
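Review bot: This migration adds a clear-text `password` column alongside the `password_digest` created in the previous migration, and `SessionsController#create` compares against it directly, so passwords are stored and matched in plain text. If that is the README's item 3, a comment on the column would help, e.g. `# clear-text password column, intentionally insecure (README item 3)`; otherwise drop this migration in favor of `has_secure_password`, which already uses `password_digest`.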
25 db/schema.rb
@@ -0,0 +1,25 @@
+# encoding: UTF-8
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended to check this file into your version control system.
+
+ActiveRecord::Schema.define(:version => 20120920172409) do
+
+ create_table "users", :force => true do |t|
+ t.string "email"
+ t.string "password_digest"
+ t.boolean "admin"
+ t.datetime "created_at", :null => false
+ t.datetime "updated_at", :null => false
+ t.string "password"
+ end
+
+end
11 test/fixtures/users.yml
@@ -0,0 +1,11 @@
+# Read about fixtures at http://api.rubyonrails.org/classes/ActiveRecord/Fixtures.html
+
+one:
+ email: MyString
+ password_digest: MyString
+ admin: false
+
+two:
+ email: MyString
+ password_digest: MyString
+ admin: false
7 test/functional/sessions_controller_test.rb
@@ -0,0 +1,7 @@
+require 'test_helper'
+
+class SessionsControllerTest < ActionController::TestCase
+ # test "the truth" do
+ # assert true
+ # end
+end
49 test/functional/users_controller_test.rb
@@ -0,0 +1,49 @@
+require 'test_helper'
+
+class UsersControllerTest < ActionController::TestCase
+ setup do
+ @user = users(:one)
+ end
+
+ test "should get index" do
+ get :index
+ assert_response :success
+ assert_not_nil assigns(:users)
+ end
+
+ test "should get new" do
+ get :new
+ assert_response :success
+ end
+
+ test "should create user" do
+ assert_difference('User.count') do
+ post :create, user: { admin: @user.admin, email: @user.email, password_digest: @user.password_digest }
+ end
+
+ assert_redirected_to user_path(assigns(:user))
+ end
+
+ test "should show user" do
+ get :show, id: @user
+ assert_response :success
+ end
+
+ test "should get edit" do
+ get :edit, id: @user
+ assert_response :success
+ end
+
+ test "should update user" do
+ put :update, id: @user, user: { admin: @user.admin, email: @user.email, password_digest: @user.password_digest }
+ assert_redirected_to user_path(assigns(:user))
+ end
+
+ test "should destroy user" do
+ assert_difference('User.count', -1) do
+ delete :destroy, id: @user
+ end
+
+ assert_redirected_to users_path
+ end
+end
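Review bot: Every test here runs without a logged-in user and posts `admin:` and `password_digest:` straight through, asserting only a redirect, so the suite passes precisely because the controller has no access control and will need a login setup the moment one is added. Nothing pins the behavior the README says is under study; a test such as `post :create, user: { email: 'x@example.com', admin: true }` followed by an assertion on `assigns(:user).admin` would document whichever outcome is intended. The fixture's `password_digest` is the literal `MyString`, so no test exercises the `password` column this commit adds or the login path that reads it.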
4 test/unit/helpers/sessions_helper_test.rb
@@ -0,0 +1,4 @@
+require 'test_helper'
+
+class SessionsHelperTest < ActionView::TestCase
+end
4 test/unit/helpers/users_helper_test.rb
@@ -0,0 +1,4 @@
+require 'test_helper'
+
+class UsersHelperTest < ActionView::TestCase
+end
7 test/unit/user_test.rb
@@ -0,0 +1,7 @@
+require 'test_helper'
+
+class UserTest < ActiveSupport::TestCase
+ # test "the truth" do
+ # assert true
+ # end
+end

