removed comments and Fixed Issue #184

app/controllers/admin_controller.rb

@@ -10,8 +10,6 @@ class AdminController < ApplicationController
       fields = "*"
     else
       fields = params[:field].map {|k,v| k }.join(",")
-      # This seems to be a bit safer
-      #fields = params[:field].map {|k,v| Analytics.parse_field(k) }.join(",")
     end
 
     if params[:ip]

app/controllers/api/v1/users_controller.rb

@@ -6,9 +6,6 @@ class Api::V1::UsersController < ApplicationController
   respond_to :json
 
   def index
-    # We removed the .as_json code from the model, just seemed like extra work.
-    # dunno, maybe useful at a later time?
-    #respond_with @user.admin ? User.all.as_json : @user.as_json
     respond_with @user.admin ? User.all : @user
   end
 

app/controllers/application_controller.rb

@@ -32,7 +32,6 @@ class ApplicationController < ActionController::Base
 
   def administrative
     if not is_admin?
-     #reset_session
      redirect_to root_url
    end
   end
@@ -57,6 +56,5 @@ class ApplicationController < ActionController::Base
 
   def sanitize_font(css)
     css
-    # css if css.match(/\A[0-9]+([\%]|pt)\z/)
   end
 end

app/controllers/benefit_forms_controller.rb

@@ -25,24 +25,4 @@ class BenefitFormsController < ApplicationController
     redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
   end
 
-=begin
-    # More secure version
-    def download
-     file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}
-     begin
-       if file_assoc.has_key?(params[:name].to_s)
-          path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
-          if params[:type] == "File"
-            file = params[:type].constantize.new(path)
-            send_file file, :disposition => 'attachment'
-          end
-       else
-         file =  Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf")
-         send_file file, :disposition => 'attachment'
-       end
-     rescue
-       redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
-     end
-    end
-=end
 end

app/controllers/messages_controller.rb

@@ -3,7 +3,6 @@ class MessagesController < ApplicationController
   def index
     @messages = current_user.messages
     @message = Message.new
-    # Blocking code can cause DOS
     sleep(3)
   end
 

app/controllers/sessions_controller.rb

@@ -12,7 +12,6 @@ class SessionsController < ApplicationController
     begin
       # Normalize the email address, why not
       user = User.authenticate(params[:email].to_s.downcase, params[:password])
-      # @url = params[:url]
       rescue Exception => e
     end
 
@@ -24,8 +23,6 @@ class SessionsController < ApplicationController
       end
       redirect_to path
     else
-      # Removed this code, just doesn't seem specific enough!
-      # flash[:error] = "Either your username and password is incorrect"
       flash[:error] = e.message
       render "new"
     end

app/controllers/users_controller.rb

@@ -25,13 +25,7 @@ class UsersController < ApplicationController
 
   def update
     message = false
-    #Safest
-    # user = current_user
-
-    # Still an Insecure DoR vulnerability
-    #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])
-
-    # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
+  
     user = User.where("user_id = '#{params[:user][:user_id]}'").first
     if user
       user.skip_user_id_assign = true

app/controllers/work_info_controller.rb

@@ -7,14 +7,4 @@ class WorkInfoController < ApplicationController
     end
   end
 
-=begin
-  # More secure version
-  def index
-    @user = current_user
-    if !(@user) || @user.admin
-      flash[:error] = "Apologies, looks like something went wrong"
-      redirect_to home_dashboard_index_path
-    end
-  end
-=end
 end