removed comments and Fixed Issue #184

app/controllers/admin_controller.rb

@@ -10,8 +10,6 @@ class AdminController < ApplicationController
       fields = "*"
     else
       fields = params[:field].map {|k,v| k }.join(",")
-      # This seems to be a bit safer
-      #fields = params[:field].map {|k,v| Analytics.parse_field(k) }.join(",")
     end
 
     if params[:ip]

app/controllers/api/v1/users_controller.rb

@@ -6,9 +6,6 @@ class Api::V1::UsersController < ApplicationController
   respond_to :json
 
   def index
-    # We removed the .as_json code from the model, just seemed like extra work.
-    # dunno, maybe useful at a later time?
-    #respond_with @user.admin ? User.all.as_json : @user.as_json
     respond_with @user.admin ? User.all : @user
   end
 

app/controllers/application_controller.rb

@@ -32,7 +32,6 @@ class ApplicationController < ActionController::Base
 
   def administrative
     if not is_admin?
-     #reset_session
      redirect_to root_url
    end
   end
@@ -57,6 +56,5 @@ class ApplicationController < ActionController::Base
 
   def sanitize_font(css)
     css
-    # css if css.match(/\A[0-9]+([\%]|pt)\z/)
   end
 end

app/controllers/benefit_forms_controller.rb

@@ -25,24 +25,4 @@ class BenefitFormsController < ApplicationController
     redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
   end
 
-=begin
-    # More secure version
-    def download
-     file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}
-     begin
-       if file_assoc.has_key?(params[:name].to_s)
-          path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
-          if params[:type] == "File"
-            file = params[:type].constantize.new(path)
-            send_file file, :disposition => 'attachment'
-          end
-       else
-         file =  Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf")
-         send_file file, :disposition => 'attachment'
-       end
-     rescue
-       redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
-     end
-    end
-=end
 end

app/controllers/messages_controller.rb

@@ -3,7 +3,6 @@ class MessagesController < ApplicationController
   def index
     @messages = current_user.messages
     @message = Message.new
-    # Blocking code can cause DOS
     sleep(3)
   end
 

app/controllers/sessions_controller.rb

@@ -12,7 +12,6 @@ class SessionsController < ApplicationController
     begin
       # Normalize the email address, why not
       user = User.authenticate(params[:email].to_s.downcase, params[:password])
-      # @url = params[:url]
       rescue Exception => e
     end
 
@@ -24,8 +23,6 @@ class SessionsController < ApplicationController
       end
       redirect_to path
     else
-      # Removed this code, just doesn't seem specific enough!
-      # flash[:error] = "Either your username and password is incorrect"
       flash[:error] = e.message
       render "new"
     end

app/controllers/users_controller.rb

@@ -25,13 +25,7 @@ class UsersController < ApplicationController
 
   def update
     message = false
-    #Safest
+  
-    # user = current_user
-
-    # Still an Insecure DoR vulnerability
-    #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])
-
-    # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
     user = User.where("user_id = '#{params[:user][:user_id]}'").first
     if user
       user.skip_user_id_assign = true

app/controllers/work_info_controller.rb

@@ -7,14 +7,4 @@ class WorkInfoController < ApplicationController
     end
   end
 
-=begin
-  # More secure version
-  def index
-    @user = current_user
-    if !(@user) || @user.admin
-      flash[:error] = "Apologies, looks like something went wrong"
-      redirect_to home_dashboard_index_path
-    end
-  end
-=end
 end

app/models/benefits.rb

@@ -15,12 +15,6 @@ class Benefits < ActiveRecord::Base
     end
   end
 
-=begin
-  def self.make_backup(file, data_path, full_file_name)
-    FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.zone.now.to_i}_#{file.original_filename}"
-  end
-=end
-
   def self.silence_streams(*streams)
     on_hold = streams.collect { |stream| stream.dup }
     streams.each do |stream|

app/models/user.rb

@@ -6,12 +6,7 @@ class User < ActiveRecord::Base
                        :length => {:within => 6..40},
                        :on => :create,
                        :if => :password
-=begin
+
-  validates :password, :presence => true,
-                        :confirmation => true,
-                        :if => :password,
-                        :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
-=end
   validates_presence_of :email
   validates_uniqueness_of :email
   validates_format_of :email, :with => /.+@.+\..+/i
@@ -61,18 +56,6 @@ class User < ActiveRecord::Base
     return auth
   end
 
-=begin
-  # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
-  def self.authenticate(email, password)
-       user = find_by_email(email) || User.new(:password => "")
-        if Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password))
-          return user
-        else
-          raise "Incorrect username or password"
-        end
-   end
-=end
-
   def assign_user_id
     unless @skip_user_id_assign.present? || self.user_id.present?
       user = User.order("user_id").last