Skip to content
This repository

Internal Changes to code

As always, this is just a copy-and-pasted version of the CHANGELOG file in the source code tree.

Changes for the May, 2008 version of restful-authentication

Changes to user model

  • recently_activated? belongs only if stateful
  • Gave migration a 40-char limit on remember_token & an index on users by login
  • Much stricter login and email validation
  • put length constraints in migration too
  • password in 6, 40
  • salt and remember_token now much less predictability

Changes to session_controller

  • use uniform logout function
  • use uniform remember_cookie functions
  • avoid calling logged_in? which will auto-log-you-in (safe in the face of
    logout! call, but idiot-proof)
  • Moved reset_session into only the “now logged in” branch
    • wherever it goes, it has to be in front of the current_user= call
    • See more in README-Tradeoffs.txt
  • made a place to take action on failed login attempt
  • recycle login and remember_me setting on failed login
  • nil’ed out the password field in ‘new’ view

Changes to users_controller

  • use uniform logout function
  • use uniform remember_cookie functions
  • Moved reset_session into only the “now logged in” branch
    • wherever it goes, it has to be in front of the current_user= call
    • See more in README-Tradeoffs.txt
  • made the implicit login only happen for non-activationed sites
  • On a failed signup, kick you back to the signin screen (but strip out the password & confirmation)
  • more descriptive error messages in activate()

users_helper

  • link_to_user, link_to_current_user, link_to_signin_with_IP
  • if_authorized(action, resource, &block) view function (with appropriate
    warning)

authenticated_system

  • Made authorized? take optional arguments action=nil, resource=nil, *args
    This makes its signature better match traditional approaches to access control
    eg Reference Monitor in Security Patterns)
  • authorized? should be a helper too
  • added uniform logout! methods
  • format.any (as found in access_denied) doesn’t work until
    http://dev.rubyonrails.org/changeset/8987 lands.
  • cookies are now refreshed each time we cross the logged out/in barrier, as
    best
    practice

Other

  • Used escapes <%= %> in email templates (among other reasons, so courtenay’s
    ‘dumbass’ test doesn’t complain)
  • Added site key to generator, users.yml.
  • Made site key generation idempotent in the most crude and hackish way
  • 100% coverage apart from the stateful code. (needed some access_control
    checks, and the http_auth stuff)
  • Stories!
Something went wrong with that request. Please try again.