Comparing changes

base fork: publify/publify
base: master
...
head fork: emk/typo
compare: master
  • 2 commits
  • 2 files changed
  • 0 commit comments
  • 1 contributor
Commits on Nov 30, 2008
@emk emk Fixing onhover: Add typo_user_profile cookie (and fix auth_token)
I'm trying to re-enable the [Edit], etc., links on posts and comments.
These were implemented using JavaScript.  Originally, the JavaScript
checked the is_admin cookie, which was removed when roles were added to
Typo in fcbcefc.  This patch replaces the
old is_admin cookie with a new typo_user_profile cookie indicating what
type of account the user has.  The JavaScript portion of this new feature
will be included in a future patch.

Note that we also add code to clear the auth_token cookie on logout.
135670a
@emk emk Mark auth_token cookie as :http_only
An attacker who manages to capture the auth_token cookie can log into Typo
without a password.  By marking the auth_token cookie as :http_only, we
instruct modern browsers to restrict JavaScript access to the auth_token
cookie (though some browsers ignore this instruction, and other browsers
make the cookie available via XMLHttpRequest).
39f6d3d
9 app/controllers/accounts_controller.rb
@@ -13,8 +13,13 @@ def login
if params[:remember_me] == "1"
self.current_user.remember_me unless self.current_user.remember_token?
- cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
+ cookies[:auth_token] = {
+ :value => self.current_user.remember_token,
+ :expires => self.current_user.remember_token_expires_at,
+ :http_only => true # Help prevent auth_token theft.
+ }
end
+ add_to_cookies(:typo_user_profile, self.current_user.profile.label, '/')
flash[:notice] = _("Login successful")
redirect_back_or_default :controller => "admin/dashboard", :action => "index"
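Review bot: the `typo_user_profile` cookie added via `add_to_cookies(:typo_user_profile, self.current_user.profile.label, '/')` is deliberately readable by JavaScript (the commit message says a later patch will consume it client-side), so its value is under the client's control and must never be used server-side as an authorization signal; a short comment on that line saying it is a UI hint only would stop a later change from trusting it. Separately, neither cookie in this hunk carries a `:secure` flag, so `:http_only` narrows script access but does nothing against capture of `auth_token` over plain HTTP; when the blog is served over TLS, add `:secure => true` to the `auth_token` hash. `add_to_cookies` itself is not defined in this diff; please reference where it lives.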
@@ -48,6 +53,8 @@ def logout
self.current_user.forget_me
self.current_user = nil
session[:user_id] = nil
+ cookies.delete :auth_token
+ cookies.delete :typo_user_profile
redirect_to :action => 'login'
end
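Review bot: `cookies.delete :typo_user_profile` passes no path, while the login action set that cookie with an explicit path of '/'; a browser only discards a cookie when the deleting response matches the path (and domain) it was set with, so unless the framework's default delete path is also '/', this line may leave the cookie in place after logout. Suggest `cookies.delete :typo_user_profile, :path => '/'` (using whichever path option the installed Rails version accepts), and the same for `:auth_token` if it is ever set with a non-default path. The preceding `self.current_user.forget_me` call invalidates the remember token server-side, so a lingering `auth_token` cookie would not be replayable, but the profile cookie has no such backstop.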
19 spec/controllers/accounts_controller_spec.rb
@@ -5,6 +5,7 @@
before(:each) do
@user = mock_model(User, :new_record? => false, :reload => @user)
+ @user.stub!(:profile).and_return(Profile.find_by_label('admin'))
User.stub!(:authenticate).and_return(@user)
User.stub!(:count).and_return(1)
controller.stub!(:this_blog).and_return(Blog.default)
@@ -20,6 +21,11 @@ def make_request
request.session[:user_id].should == @user.id
end
+ it 'sets typo_user_profile cookie' do
+ make_request
+ cookies[:typo_user_profile].should == ['admin']
+ end
+
it 'redirects to /bogus/location' do
request.session[:return_to] = '/bogus/location'
make_request
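Review bot: 'sets typo_user_profile cookie' only exercises the admin label, since the `before` block stubs `profile` with `Profile.find_by_label('admin')`; add a second example that stubs a non-admin profile and asserts the cookie carries that label, so the spec proves the cookie reflects the logged-in user's actual profile rather than a constant. As written, an implementation that hard-coded 'admin' would still pass.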
@@ -55,9 +61,9 @@ def make_request
assigns[:login].should == 'bob'
end
- it 'cookies[:is_admin] should be blank' do
+ it 'typo_user_profile cookie should be blank' do
make_request
- response.cookies[:is_admin].should be_blank
+ cookies[:typo_user_profile].should be_blank
end
it 'should render login action' do
@@ -191,12 +197,12 @@ def params
.and_return(@user)
@user.should_receive(:forget_me)
- request.cookies[:is_admin] = 'yes'
+ cookies[:typo_user_profile] = 'admin'
end
it 'logging out deletes the session[:user_id]' do
get 'logout'
- session[:user_id].should == nil
+ session[:user_id].should be_blank
end
it 'redirects to the login action' do
@@ -204,8 +210,9 @@ def params
response.should redirect_to(:action => 'login')
end
- it 'logging out deletes the "is_admin" cookie' do
+ it 'logging out deletes cookies containing credentials' do
get 'logout'
- response.cookies[:is_admin].should be_blank
+ cookies[:auth_token].should == []
+ cookies[:typo_user_profile].should == []
end
end
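Review bot: no example in this spec asserts that `auth_token` is written with the `:http_only` flag, which is the entire change in commit 39f6d3d; the renamed 'logging out deletes cookies containing credentials' example only checks deletion (`cookies[:auth_token].should == []`). Add a login example with `params[:remember_me] == "1"` that inspects the attributes of the `auth_token` cookie in the response (the exact accessor depends on the cookie jar the installed Rails version exposes), so a later refactor of the `cookies[:auth_token] = { ... }` hash cannot drop the flag unnoticed.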
