From b3541093da5a0fb4fa5982ed64878ff0df1fbb17 Mon Sep 17 00:00:00 2001
From: lykaios
Date: Wed, 2 May 2012 15:03:26 -0700
Subject: [PATCH] Fixed a security problem that would allow a user to navigate past authentication process.

---
 app/assets/stylesheets/sqlcons.css.scss | 5 -----
 app/controllers/application_controller.rb | 9 ++++++++
 app/controllers/sqlcons_controller.rb | 2 ++
 app/helpers/sqlcons_helper.rb | 27 +++++++----------------
 app/models/sqlcons.rb | 3 ---
 app/models/userlesson.rb | 5 -----
 6 files changed, 19 insertions(+), 32 deletions(-)
 delete mode 100644 app/assets/stylesheets/sqlcons.css.scss

diff --git a/app/assets/stylesheets/sqlcons.css.scss b/app/assets/stylesheets/sqlcons.css.scss
deleted file mode 100644
index da20be3..0000000
--- a/app/assets/stylesheets/sqlcons.css.scss
+++ /dev/null
@@ -1,5 +0,0 @@
-// Place all the styles related to the sqlcons controller here.
-// They will automatically be included in application.css.
-// You can use Sass (SCSS) here: http://sass-lang.com/
-H3 {text-align: center}
-P {text-align: center}
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e8065d9..628ec6f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,3 +1,12 @@
 class ApplicationController < ActionController::Base
 protect_from_forgery
+
+ private
+ #Check if user isn't signed in.
+ def validate_user
+ if user_signed_in?
+ else
+ redirect_to root_path
+ end
+ end
 end
diff --git a/app/controllers/sqlcons_controller.rb b/app/controllers/sqlcons_controller.rb
index c2f20c8..8c45003 100644
--- a/app/controllers/sqlcons_controller.rb
+++ b/app/controllers/sqlcons_controller.rb
@@ -1,5 +1,7 @@
 class SqlconsController < ApplicationController
 #qvarname means it has to do with query
+ #Make sure user is signed in before they can access application
+ before_filter :validate_user
 # GET /sqlcons
 # GET /sqlcons.json
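Review bot: `validate_user` in the application_controller.rb hunk has an empty then-branch, so the whole conditional collapses to one guard: `redirect_to root_path unless user_signed_in?`. Inside a before_filter the redirect halts the filter chain, so no explicit `return` is needed, but if `root_path` routes to an action that itself runs this filter the redirect would loop; worth confirming the root route lives outside the protected controller. `user_signed_in?` reads like a Devise helper; if Devise is in use, its `authenticate_user!` filter performs the same check and also remembers the requested page so the user is sent back to it after signing in, which would make this method unnecessary.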
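Review bot: The protection in the sqlcons_controller.rb hunk is opt-in: only SqlconsController declares `before_filter :validate_user`, so every other controller, and any added later, stays reachable without signing in, which is the same class of gap this commit closes. Declaring `before_filter :validate_user` once in ApplicationController and adding `skip_before_filter :validate_user` to the few controllers that must stay public (root and sign-in pages) makes unauthenticated access the exception that has to be written down. The rest of SqlconsController lies outside the hunk, so whether any of its actions should remain public cannot be judged from here.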
diff --git a/app/helpers/sqlcons_helper.rb b/app/helpers/sqlcons_helper.rb
index 5775026..5b67bbb 100644
--- a/app/helpers/sqlcons_helper.rb
+++ b/app/helpers/sqlcons_helper.rb
@@ -1,22 +1,11 @@
 module SqlconsHelper
- def incsection
- if session[:tutsec] < session[:maxsec]
- session[:tutsec] += 1
- end
- @qstring = "empty"
- @qresults = nil
-
- end
-
- def incch
- session[:tutch] += 1 if session[:tutch] < 2
- session[:tutsec] = 1
- end
-
- def resetlesson
- session[:tutsec] = 1
- end
-
-
+# def incsection
+# if session[:tutsec] < session[:maxsec]
+# session[:tutsec] += 1
+# end
+# @qstring = "empty"
+# @qresults = nil
+#
+# end
 end
diff --git a/app/models/sqlcons.rb b/app/models/sqlcons.rb
index c8d4811..1d423e2 100644
--- a/app/models/sqlcons.rb
+++ b/app/models/sqlcons.rb
@@ -1,6 +1,5 @@
 class Sqlcons < ActiveRecord::Base
 #This model contains the regexp for each individual lesson we go through.
-
 def checkquery
 #create a regexp object based on string we recieve from controller
 #true makes for case insensitive matching
@@ -11,6 +10,4 @@ def checkquery
 #Check if regexp was valid for lesson, and not a sqlinject attempt
 return (qtext =~ reg && !(qtext =~ reg2))
 end
-
-
 end
diff --git a/app/models/userlesson.rb b/app/models/userlesson.rb
index 342e506..b38a821 100644
--- a/app/models/userlesson.rb
+++ b/app/models/userlesson.rb
@@ -1,7 +1,2 @@
 class Userlesson < ActiveRecord::Base
-
- def self.update_lesson(user_id, chapter_completed)
- #put update stmt here.
-
- end
 end
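Review bot: In the sqlcons_helper.rb hunk the `incsection` body survives as an eight-line commented-out block inside SqlconsHelper while `incch` and `resetlesson` are simply deleted; the `# def incsection … # end` lines should go the same way, with version control holding the history. If the method is meant to come back, a single `# TODO: incsection moved out of the helper; see <destination>` line says more than the dead code does. Nothing in the hunk shows where the session-counter logic now lives, so that destination is for the author to fill in.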