This is TrackRecord version 2.30, for Rails 3.2.17.

- E-mail address / password sign-in support in addition to or instead of
  OpenID. Includes extensive SessionsController and UsersController overhaul,
  with dead code removal and bug fixes. Notification e-mail messages in
  particular now work sensibly; EMAIL_HOST configuration item is no longer
  needed and the site name from the locale file is used instead of a hard
  coded "TrackRecord" string in messages.

- Users shouldn't see links they can't use (e.g. managers would see links
  to delete resources, but would get 403 responses if they tried).

- Look and feel improvements including better small screen and printing
  behaviour, prettier deletion and help pages, new sign-in page design.

- Further internationalisation improvements (ongoing).

- More integration tests, though these still don't include the full set of
  new v2.30 features due to time constraints owing to failure of the
  development hardware and a hard-deadline due to a new job. Much more to
  be done for testing in general still.

- Includes the full "defaulticon.zip" distribution, though this bloats the
  sources; the licence conditions require it, so this should have been in
  there from the start.

CHANGELOG.rdoc

@@ -2,6 +2,88 @@
 
 
 
+== Version 2.30, 2014-04-04
+
+
+
+Please see "README.rdoc" for information on installation and upgrades.
+If updating, run bundle install" after updating your sources then migrate
+your data with "rake db:migrate".
+
+A while ago, a major OpenID provider shut down its ID service. Although
+other providers still exist - e.g. Google account holders have an OpenID,
+even if they don't realise it - OpenID has struggled to gain widespread
+adoption and finding an easy-to-use provider with a clear indication of
+your actual ID can be a struggle.
+
+Accordingly, TrackRecord now offers a more traditional sign-in option
+based on e-mail address and password. For administrators, the process is:
+
+- At first-time startup of a new installation, you get to choose either
+  an OpenID for your new admin account, or provide an e-mail address and
+  password which is used for subsequent sign-in, or you can even provide
+  both and use either to sign in later.
+
+- When someone new needs to use the system, the administrator creates
+  their user account as normal. Either that user tells the admin what
+  OpenID they want, or the admin assigns a temporary password to the
+  new account, or both; the admin then tells the new user about the
+  password (if that's been chosen). When the user signs in, they'll be
+  asked to reset the temporary password to a permanent one that only
+  they know. Adminstrators can actually change this - though it isn't
+  recommended - by deselecting the "must change password on sign-in"
+  option when creating the new user account. Administrators can also
+  re-set this option for existing users should they need to re-issue a
+  password (maybe the user forgot theirs), or should they want the user
+  to choose another password.
+
+- From the normal user perspective, the user can sign in with their OpenID
+  if they gave one to the administrator, and/or their e-mail address and
+  password. As per the above, they may be asked to change that the first
+  time they sign in, or if the administrator had subsequently turned back
+  on the "must change password" flag on their account.
+
+In TrackRecord, the process is always one wherein the administrator creates
+accounts for new users. Accordingly, the usual process of password reset
+messages, "forgotten my password" systems and so-on are not provided; a
+user who had forgotten their access details would contact the administrator
+who could issue a new temporary password by editing the user's account. The
+control over access management is primarily in the hands of the admin, not
+all other users of the system.
+
+Security is provided via rails-bcrypt and uses salted, encrypted storage.
+This is fairly secure; if you are unfortunate enough to have your database
+compromised and its contents downloaded by a miscreant, they are unlikely
+to be able to determine the unencrypted value of any password. It would
+still be necessary to inform all users of such a breach so they could make
+informed decisions about what to do with other web sites should they have
+used the same password anywhere else.
+
+- https://github.com/codahale/bcrypt-ruby/tree/master
+
+If you are unsure about detection of, mitigation of, or handling of
+security breaches when running a server, please spend some time Googling
+around the issue so that you can have confidence your provided service.
+
+
+=== Other notable changes
+
+- The sign-in/sign-up process has been cleaned up with some dead code
+  removal, bug fixes in e-mail sending, lots of improvements in User
+  model validation and so-on. Basically, a general overhaul.
+
+- Removal of some unncessary configuration items, related to continued
+  extension of internationalisation through "config/locales...", though
+  a great deal of work is still to be done here with many hard-coded
+  strings throughout the application.
+
+- Improved indication of errant fields in forms.
+
+- Fewer places where links might accidentally be shown to users that
+  lead to a "not authorised" response.
+
+
+
 == Version 2.26, 2014-03-20
 
 

Gemfile

@@ -32,6 +32,13 @@ gem 'prototype-rails'
 # To use debugger
 # gem 'ruby-debug'
 
+# For a Rails' has_secure_password (or equivalent - see the User model
+# implementation for details):
+# 
+# https://github.com/codahale/bcrypt-ruby/tree/master
+
+gem 'bcrypt', '~> 3.1.7'
+
 # https://github.com/timcharper/calendar_date_select (original, but not Rails 3 compatible)
 #       http://github.com/paneq/calendar_date_select (Rails 3 fork)
 # https://github.com/openid/ruby-openid
@@ -40,20 +47,28 @@ gem 'prototype-rails'
 # https://github.com/collectiveidea/audited
 # https://github.com/swanandp/acts_as_list
 # https://github.com/pond/safe_in_place_editing
+# https://github.com/fnando/browser
 
 gem 'calendar_date_select',   '~> 1.16', :git => 'git://github.com/paneq/calendar_date_select.git'
-gem 'ruby-openid',            '~> 2.3'     
+gem 'ruby-openid',            '~> 2.5'     
 gem 'open_id_authentication', '~> 1.2'
 gem 'will_paginate',          '~> 3.0'
 gem 'audited-activerecord',   '~> 3.0'
 gem 'acts_as_list'
 gem 'safe_in_place_editing',  '~> 2.0.1'
+gem 'browser', '~> 0.4'
 
 # For testing:
 #
 # https://github.com/jnicklas/capybara
+# https://github.com/macournoyer/thin/
+#
+# The 'thin' server is specified as the stock Rails 3 server caused lots
+# of problems in Safari with blank pages; looks like Safari's fault, but
+# that doesn't help solve the problem! Thin is faster anyway.
 
 gem 'capybara', '~> 2.2'
+gem 'thin'
 
 # If you want the charting stuff for some reason... Note that
 # this brings in awkward dependencies such as ImageMagick via

Gemfile.lock

@@ -41,6 +41,8 @@ GEM
     audited-activerecord (3.0.0)
       activerecord (~> 3.0)
       audited (= 3.0.0)
+    bcrypt (3.1.7)
+    browser (0.4.1)
     builder (3.0.4)
     capybara (2.2.1)
       mime-types (>= 1.16)
@@ -55,8 +57,10 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.7.0)
+    daemons (1.1.9)
     dynamic_form (1.1.4)
     erubis (2.7.0)
+    eventmachine (1.0.3)
     execjs (2.0.2)
     hike (1.2.3)
     i18n (0.6.9)
@@ -68,7 +72,7 @@ GEM
       treetop (~> 1.4.8)
     mime-types (1.25.1)
     mini_portile (0.5.2)
-    multi_json (1.9.0)
+    multi_json (1.9.2)
     nokogiri (1.6.1)
       mini_portile (~> 0.5.0)
     open_id_authentication (1.2.0)
@@ -83,7 +87,7 @@ GEM
     rack-openid (1.4.2)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-ssl (1.3.3)
+    rack-ssl (1.3.4)
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
@@ -111,7 +115,7 @@ GEM
     ruby-openid (2.5.0)
     safe_in_place_editing (2.0.1)
       railties (~> 3.2)
-    sass (3.3.2)
+    sass (3.3.4)
     sass-rails (3.2.6)
       railties (~> 3.2.0)
       sass (>= 3.1.10)
@@ -124,13 +128,17 @@ GEM
     therubyracer (0.12.1)
       libv8 (~> 3.16.14.0)
       ref
-    thor (0.18.1)
+    thin (1.6.1)
+      daemons (>= 1.0.9)
+      eventmachine (>= 1.0.0)
+      rack (>= 1.0.0)
+    thor (0.19.0)
     tilt (1.4.1)
     treetop (1.4.15)
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.39)
-    uglifier (2.4.0)
+    uglifier (2.5.0)
       execjs (>= 0.3.0)
       json (>= 1.8.0)
     will_paginate (3.0.5)
@@ -143,6 +151,8 @@ PLATFORMS
 DEPENDENCIES
   acts_as_list
   audited-activerecord (~> 3.0)
+  bcrypt (~> 3.1.7)
+  browser (~> 0.4)
   calendar_date_select (~> 1.16)!
   capybara (~> 2.2)
   coffee-rails
@@ -153,9 +163,10 @@ DEPENDENCIES
   prototype-rails
   rails (= 3.2.17)
   rails_autolink
-  ruby-openid (~> 2.3)
+  ruby-openid (~> 2.5)
   safe_in_place_editing (~> 2.0.1)
   sass-rails
   therubyracer
+  thin
   uglifier
   will_paginate (~> 3.0)

README.rdoc

@@ -1,4 +1,4 @@
-= Welcome to TrackRecord v2.26
+= Welcome to TrackRecord v2.30
 
 TrackRecord is a timesheet system written for the Ruby On Rails web
 development framework. More information, including a link to the most recent

app/assets/stylesheets/scaffold.css

@@ -15,9 +15,13 @@ a:visited { color: #666; }
 a:hover { color: #fff; background-color:#000; }
 
 .fieldWithErrors {
-  padding: 5px;
+  padding: 2px;
   background-color: red;
-  display: table;
+  display: inline-block;
+}
+
+.fieldWithErrors label {
+  color: white;
 }
 
 #errorExplanation {