Merge branch 'rails4'

2014-12-28 17:23:08 -05:00
parent 77f9150387 80e1ede02b
commit a0330cd323
52 changed files with 380 additions and 209 deletions
@@ -10,3 +10,4 @@
 coverage
 .tags
 /.vagrant
+/vendor/ruby
@@ -1,7 +1,7 @@
 source 'https://rubygems.org'

 #don't upgrade
-gem 'rails', '3.2.21'
+gem 'rails', '4.0.10'

 ruby '2.1.5'

@@ -44,15 +44,14 @@ end

 # Gems used only for assets and not required
 # in production environments by default.
-group :assets do
-  gem 'sass-rails'
-  gem 'coffee-rails'
-  gem 'jquery-fileupload-rails'
-  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
-  # gem 'therubyracer', :platforms => :ruby
+gem 'sass-rails'
+gem 'coffee-rails'
+gem 'jquery-fileupload-rails'
+gem 'uglifier'
+gem 'turbolinks' # New for Rails 4.0

-  gem 'uglifier'
-end
+# See https://github.com/sstephenson/execjs#readme for more supported runtimes
+# gem 'therubyracer', :platforms => :ruby

 gem 'jquery-rails'

@@ -84,3 +83,9 @@ gem 'therubyracer'

 # Add SMTP server support using MailCatcher
 gem 'mailcatcher'
+
+#For Rails 4.0
+#group :doc do
+#  # bundle exec rake doc:rails generates the API under doc/api.
+#  gem 'sdoc', require: false
+#end
@@ -1,35 +1,32 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    actionmailer (3.2.21)
-      actionpack (= 3.2.21)
-      mail (~> 2.5.4)
-    actionpack (3.2.21)
-      activemodel (= 3.2.21)
-      activesupport (= 3.2.21)
-      builder (~> 3.0.0)
+    actionmailer (4.0.10)
+      actionpack (= 4.0.10)
+      mail (~> 2.5, >= 2.5.4)
+    actionpack (4.0.10)
+      activesupport (= 4.0.10)
+      builder (~> 3.1.0)
      erubis (~> 2.7.0)
-      journey (~> 1.0.4)
-      rack (~> 1.4.5)
-      rack-cache (~> 1.2)
-      rack-test (~> 0.6.1)
-      sprockets (~> 2.2.1)
-    activemodel (3.2.21)
-      activesupport (= 3.2.21)
-      builder (~> 3.0.0)
-    activerecord (3.2.21)
-      activemodel (= 3.2.21)
-      activesupport (= 3.2.21)
-      arel (~> 3.0.2)
-      tzinfo (~> 0.3.29)
-    activeresource (3.2.21)
-      activemodel (= 3.2.21)
-      activesupport (= 3.2.21)
-    activesupport (3.2.21)
-      i18n (~> 0.6, >= 0.6.4)
-      multi_json (~> 1.0)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    activemodel (4.0.10)
+      activesupport (= 4.0.10)
+      builder (~> 3.1.0)
+    activerecord (4.0.10)
+      activemodel (= 4.0.10)
+      activerecord-deprecated_finders (~> 1.0.2)
+      activesupport (= 4.0.10)
+      arel (~> 4.0.0)
+    activerecord-deprecated_finders (1.0.3)
+    activesupport (4.0.10)
+      i18n (~> 0.6, >= 0.6.9)
+      minitest (~> 4.2)
+      multi_json (~> 1.3)
+      thread_safe (~> 0.1)
+      tzinfo (~> 0.3.37)
    addressable (2.3.6)
-    arel (3.0.3)
+    arel (4.0.2)
    aruba (0.5.4)
      childprocess (>= 0.3.6)
      cucumber (>= 1.1.1)
@@ -52,7 +49,7 @@ GEM
      sass (~> 3.0)
      slim (>= 1.3.6, < 3.0)
      terminal-table (~> 1.4)
-    builder (3.0.4)
+    builder (3.1.4)
    bundler-audit (0.3.1)
      bundler (~> 1.2)
      thor (~> 0.18)
@@ -68,9 +65,9 @@ GEM
      ffi (~> 1.0, >= 1.0.11)
    cliver (0.3.2)
    coderay (1.1.0)
-    coffee-rails (3.2.2)
+    coffee-rails (4.1.0)
      coffee-script (>= 2.2.0)
-      railties (~> 3.2.0)
+      railties (>= 4.0.0, < 5.0)
    coffee-script (2.3.0)
      coffee-script-source
      execjs
@@ -134,7 +131,6 @@ GEM
    hitimes (1.2.2)
    http_parser.rb (0.6.0)
    i18n (0.7.0)
-    journey (1.0.4)
    jquery-fileupload-rails (0.4.1)
      actionpack (>= 3.1)
      railties (>= 3.1)
@@ -151,21 +147,22 @@ GEM
      rb-fsevent (>= 0.9.3)
      rb-inotify (>= 0.9)
    lumberjack (1.0.9)
-    mail (2.5.4)
-      mime-types (~> 1.16)
-      treetop (~> 1.4.8)
-    mailcatcher (0.5.12)
-      activesupport (~> 3.0)
-      eventmachine (~> 1.0.0)
-      haml (>= 3.1, < 5)
-      mail (~> 2.3)
-      sinatra (~> 1.2)
-      skinny (~> 0.2.3)
-      sqlite3 (~> 1.3)
-      thin (~> 1.5.0)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    mailcatcher (0.2.4)
+      eventmachine
+      haml
+      i18n
+      json
+      mail
+      sinatra
+      skinny (>= 0.1.2)
+      sqlite3-ruby
+      thin
    method_source (0.8.2)
-    mime-types (1.25.1)
+    mime-types (2.4.3)
    mini_portile (0.5.3)
+    minitest (4.7.5)
    multi_json (1.10.1)
    multi_test (0.1.1)
    mysql2 (0.3.17)
@@ -177,46 +174,37 @@ GEM
      cliver (~> 0.3.1)
      multi_json (~> 1.0)
      websocket-driver (>= 0.2.0)
-    polyglot (0.3.5)
    powder (0.3.0)
      thor (>= 0.11.5)
    pry (0.10.1)
      coderay (~> 1.1.0)
      method_source (~> 0.8.1)
      slop (~> 3.4)
-    rack (1.4.5)
-    rack-cache (1.2)
-      rack (>= 0.4)
+    rack (1.5.2)
    rack-livereload (0.3.15)
      rack
    rack-protection (1.5.3)
      rack
-    rack-ssl (1.3.4)
-      rack
    rack-test (0.6.2)
      rack (>= 1.0)
-    rails (3.2.21)
-      actionmailer (= 3.2.21)
-      actionpack (= 3.2.21)
-      activerecord (= 3.2.21)
-      activeresource (= 3.2.21)
-      activesupport (= 3.2.21)
-      bundler (~> 1.0)
-      railties (= 3.2.21)
-    railties (3.2.21)
-      actionpack (= 3.2.21)
-      activesupport (= 3.2.21)
-      rack-ssl (~> 1.3.2)
+    rails (4.0.10)
+      actionmailer (= 4.0.10)
+      actionpack (= 4.0.10)
+      activerecord (= 4.0.10)
+      activesupport (= 4.0.10)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.0.10)
+      sprockets-rails (~> 2.0)
+    railties (4.0.10)
+      actionpack (= 4.0.10)
+      activesupport (= 4.0.10)
      rake (>= 0.8.7)
-      rdoc (~> 3.4)
-      thor (>= 0.14.6, < 2.0)
+      thor (>= 0.18.1, < 2.0)
    raindrops (0.13.0)
    rake (10.4.2)
    rb-fsevent (0.9.4)
    rb-inotify (0.9.5)
      ffi (>= 0.5.0)
-    rdoc (3.12.2)
-      json (~> 1.4)
    ref (1.0.5)
    rspec (2.14.1)
      rspec-core (~> 2.14.0)
@@ -240,10 +228,12 @@ GEM
    ruby_parser (3.5.0)
      sexp_processor (~> 4.1)
    sass (3.4.9)
-    sass-rails (3.2.6)
-      railties (~> 3.2.0)
-      sass (>= 3.1.10)
-      tilt (~> 1.3)
+    sass-rails (5.0.0)
+      railties (>= 4.0.0, < 5.0)
+      sass (~> 3.1)
+      sprockets (>= 2.8, < 4.0)
+      sprockets-rails (>= 2.0, < 4.0)
+      tilt (~> 1.1)
    sexp_processor (4.4.4)
    simplecov (0.9.1)
      docile (~> 1.1.0)
@@ -261,12 +251,18 @@ GEM
      temple (~> 0.6.9)
      tilt (>= 1.3.3, < 2.1)
    slop (3.6.0)
-    sprockets (2.2.3)
+    sprockets (2.12.3)
      hike (~> 1.2)
      multi_json (~> 1.0)
      rack (~> 1.0)
      tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.2.2)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
    sqlite3 (1.3.10)
+    sqlite3-ruby (1.3.3)
+      sqlite3 (>= 1.3.3)
    temple (0.6.10)
    terminal-table (1.4.5)
    therubyracer (0.12.1)
@@ -277,15 +273,15 @@ GEM
      eventmachine (>= 0.12.6)
      rack (>= 1.0.0)
    thor (0.19.1)
+    thread_safe (0.3.4)
    tilt (1.4.1)
    timers (4.0.1)
      hitimes
    travis-lint (2.0.0)
      json
-    treetop (1.4.15)
-      polyglot
-      polyglot (>= 0.3.1)
    trollop (2.0)
+    turbolinks (2.5.3)
+      coffee-rails
    tzinfo (0.3.42)
    uglifier (2.6.0)
      execjs (>= 0.3.0)
@@ -329,7 +325,7 @@ DEPENDENCIES
  powder
  pry
  rack-livereload
-  rails (= 3.2.21)
+  rails (= 4.0.10)
  rb-fsevent
  rspec-rails (= 2.14.2)
  sass-rails
@@ -337,5 +333,6 @@ DEPENDENCIES
  sqlite3
  therubyracer
  travis-lint
+  turbolinks
  uglifier
  unicorn
@@ -12,6 +12,7 @@
 //
 //= require jquery
 //= require jquery_ujs
+//= require turbolinks
 //= require wysiwyg/wysihtml5-0.3.0.js
 //= require jquery.min.js
 //= require jquery.scrollUp.js
@@ -31,6 +32,7 @@
 //= require jsapi
 //= html5.js

+
 function rubyCodeFormat() {
 	

@@ -1,5 +1,5 @@
 class AdminController < ApplicationController
-  before_filter :administrative, :if => :admin_param, :except => [:get_user]
+  before_action :administrative, :if => :admin_param, :except => [:get_user]
  skip_before_filter :has_info

  def dashboard
@@ -1,9 +1,11 @@
 class ApplicationController < ActionController::Base
-  before_filter :authenticated, :has_info, :create_analytic, :mailer_options
+  before_action :authenticated, :has_info, :create_analytic, :mailer_options
  helper_method :current_user, :is_admin?, :sanitize_font

  # Our security guy keep talking about sea-surfing, cool story bro.
-  # protect_from_forgery
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  #protect_from_forgery with: :exception

  private

@@ -33,4 +33,10 @@ class MessagesController < ApplicationController
      end
    end
  end
-end
+
+  private
+
+  def message_params
+    params.require(:message).permit(:creator_id, :message, :read, :receiver_id)
+  end
+end
@@ -4,7 +4,7 @@ class ScheduleController < ApplicationController
    message = false

      if params[:schedule][:event_type] == "pto"
-        sched = Schedule.new(params[:schedule])
+        sched = Schedule.new(schedule_params)
        sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1])
        sched.user_id = current_user.user_id
        a = sched.date_end
@@ -56,4 +56,10 @@ class ScheduleController < ApplicationController
   end
     return vals
  end
+
+  private
+
+  def schedule_params
+    params.require(:schedule).permit(:date_begin, :date_end, :event_desc, :event_name, :event_type)
+  end
 end
@@ -7,7 +7,7 @@ class UsersController < ApplicationController
  end

  def create
-    user = User.new(params[:user])
+    user = User.new(user_params)
    user.build_benefits_data
    if user.save
      session[:user_id] = user.user_id
@@ -31,11 +31,12 @@ class UsersController < ApplicationController
    # Still an Insecure DoR vulnerability
    #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])

-    user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
+    # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
+    user = User.where("user_id = '#{params[:user][:user_id]}'").first
    if user
      user.skip_user_id_assign = true
      user.skip_hash_password = true
-      user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
+      user.update_attributes(user_params_without_password)
      if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
        user.skip_hash_password = false
        user.password = params[:user][:password]
@@ -50,4 +51,15 @@ class UsersController < ApplicationController
      redirect_to user_account_settings_path(:user_id => current_user.user_id)
    end
  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation)
+  end
+
+  # unpermitted attributes are ignored in production
+  def user_params_without_password
+    params.require(:user).permit(:email, :admin, :first_name, :last_name)
+  end
 end
@@ -1,6 +1,4 @@
 class Analytics < ActiveRecord::Base
-  attr_accessible :ip_address, :referrer, :user_agent
-
  scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}

  def self.count_by_col(col)
@@ -1,5 +1,4 @@
 class Benefits < ActiveRecord::Base
-  attr_accessor :backup

  def self.save(file, backup=false)
    data_path = Rails.root.join("public", "data")
@@ -1,5 +1,4 @@
 class KeyManagement < ActiveRecord::Base
-  attr_accessible :iv, :user_id
  belongs_to :work_info
  belongs_to :user
 end
@@ -1,6 +1,5 @@
 class Message < ActiveRecord::Base
  belongs_to :user
-  attr_accessible :creator_id, :message, :read, :receiver_id
  validates_presence_of :creator_id, :receiver_id, :message

  def creator_name
@@ -1,5 +1,4 @@
 class PaidTimeOff < ActiveRecord::Base
-  attr_accessible :pto_earned, :pto_taken, :sick_days_earned, :sick_days_taken
  belongs_to :user
  has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy

@@ -1,7 +1,4 @@
 class Pay < ActiveRecord::Base
-  # mass-assignable attributes
-  attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit
-
  # Associations
  belongs_to :user

@@ -1,5 +1,4 @@
 class Performance < ActiveRecord::Base
-  attr_accessible :comments, :date_submitted, :reviewer, :score
  belongs_to :user

  def reviewer_name
@@ -1,4 +1,3 @@
 class Retirement < ActiveRecord::Base
-  attr_accessible :employee_contrib, :employer_contrib, :total
  belongs_to :user
 end
@@ -1,5 +1,4 @@
 class Schedule < ActiveRecord::Base
-  attr_accessible :date_begin, :date_end, :event_desc, :event_name, :event_type
  belongs_to :paid_time_off

  validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type
@@ -1,7 +1,6 @@
 require 'encryption'

 class User < ActiveRecord::Base
-  attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
  validates :password, :presence => true,
                       :confirmation => true,
                       :length => {:within => 6..40},
@@ -1,5 +1,4 @@
 class WorkInfo < ActiveRecord::Base
-  attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
  belongs_to :user
  has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
  #before_save :encrypt_ssn
@@ -2,8 +2,8 @@
 <html>
 <head>
  <title>RailsGoat</title>
-  <%= stylesheet_link_tag    "application", :media => "all" %>
-  <%= javascript_include_tag "application" %>
+  <%= stylesheet_link_tag    "application", media: "all", "data-turbolinks-track" => true %>
+  <%= javascript_include_tag "application", "data-turbolinks-track" => true %>
  <%= csrf_meta_tags %> <!-- <~ What is this for? I hear it helps w/ JS and Sea-surfing.....whatevz -->
  <!-- bootstrap css -->
 <%
@@ -1,4 +1,4 @@
 # This file is used by Rack-based servers to start the application.

 require ::File.expand_path('../config/environment',  __FILE__)
-run Railsgoat::Application
+run Rails.application
@@ -2,12 +2,9 @@ require File.expand_path('../boot', __FILE__)

 require 'rails/all'

-if defined?(Bundler)
-  # If you precompile assets before deploying to production, use this line
-  Bundler.require(*Rails.groups(:assets => %w(development test mysql)))
-  # If you want your assets lazily compiled in production, use this line
-  # Bundler.require(:default, :assets, Rails.env)
-end
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(:default, Rails.env)

 module Railsgoat
  class Application < Rails::Application
@@ -47,12 +44,6 @@ module Railsgoat
    # like if you have constraints or database-specific column types
    # config.active_record.schema_format = :sql

-    # Enforce whitelist mode for mass assignment.
-    # This will create an empty whitelist of attributes available for mass-assignment for all models
-    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
-    # parameters by using an attr_accessible or attr_protected declaration.
-    config.active_record.whitelist_attributes = false
-
    # Enable the asset pipeline
    config.assets.enabled = true
    
@@ -1,5 +1,3 @@
-require 'rubygems'
-
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)

@@ -1,5 +1,5 @@
-# Load the rails application
+# Load the Rails application.
 require File.expand_path('../application', __FILE__)

-# Initialize the rails application
+# Initialize the Rails application.
 Railsgoat::Application.initialize!
@@ -9,11 +9,11 @@ Railsgoat::Application.configure do
  # Log error messages when you accidentally call methods on nil.
  config.whiny_nils = true

-  # Show full error reports and disable caching
+  # Show full error reports and disable caching.
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false

-  # Don't care if the mailer can't send
+  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false

  # Print deprecation notices to the Rails logger
@@ -22,9 +22,6 @@ Railsgoat::Application.configure do
  # Only use best-standards-support built into browsers
  config.action_dispatch.best_standards_support = :builtin

-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
  # Log the query plan for queries taking more than this (works
  # with SQLite, MySQL, and PostgreSQL)
  config.active_record.auto_explain_threshold_in_seconds = 0.5
@@ -35,7 +32,9 @@ Railsgoat::Application.configure do
  # Do not compress assets
  config.assets.compress = false

-  # Expands the lines which load the assets
+  # Debug mode disables concatenation and preprocessing of assets.
+  # This option may cause significant delays in view rendering with a large
+  # number of complex assets.
  config.assets.debug = true

  # ActionMailer settings for email support
@@ -50,4 +49,10 @@ Railsgoat::Application.configure do
       :host => 'railsgoat.dev',
       :ignore => [ %r{dont/modify\.html$} ]
  )
+
+  # For Rails 4.0+: Do not eager load code on boot.
+  config.eager_load = false
+
+  # For Rails 4.0+: Raise an error on page load if there are pending migrations
+  config.active_record.migration_error = :page_load
 end
@@ -22,9 +22,6 @@ Railsgoat::Application.configure do
  # Only use best-standards-support built into browsers
  config.action_dispatch.best_standards_support = :builtin

-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
  # Log the query plan for queries taking more than this (works
  # with SQLite, MySQL, and PostgreSQL)
  config.active_record.auto_explain_threshold_in_seconds = 0.5
@@ -1,37 +1,50 @@
 Railsgoat::Application.configure do
  # Settings specified here will take precedence over those in config/application.rb

-  # Code is not reloaded between requests
+  # Code is not reloaded between requests.
  config.cache_classes = true

-  # Full error reports are disabled and caching is turned on
+  # Full error reports are disabled and caching is turned on.
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true

-  # Disable Rails's static asset server (Apache or nginx will already do this)
+  # Enable Rack::Cache to put a simple HTTP cache in front of your application
+  # Add `rack-cache` to your Gemfile before enabling this.
+  # For large-scale production use, consider using a caching
+  # reverse proxy like nginx, varnish or squid.
+  # config.action_dispatch.rack_cache = true
+
+  # Disable Rails's static asset server (Apache or nginx will already do this).
  config.serve_static_assets = false

  # Compress JavaScripts and CSS
  config.assets.compress = true

-  # Don't fallback to assets pipeline if a precompiled asset is missed
-  config.assets.compile = true
+  # Compress JavaScripts and CSS.
+  config.assets.js_compressor = :uglifier
+  # config.assets.css_compressor = :sass

-  # Generate digests for assets URLs
+  # Do not fallback to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = true # default is false
+
+  # Generate digests for assets URLs.
  config.assets.digest = true

+  # For Rails 4.0+: Version of your assets, change this if you want to expire all your assets.
+  config.assets.version = '1.0'
+
  # Defaults to nil and saved in location specified by config.assets.prefix
  # config.assets.manifest = YOUR_PATH

-  # Specifies the header that your server uses for sending files
+  # Specifies the header that your server uses for sending files.
  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true

-  # See everything in the log (default is :info)
-  # config.log_level = :debug
+  # Set to :debug to see everything in the log.
+  config.log_level = :info

  # Prepend all log lines with the following tags
  # config.log_tags = [ :subdomain, :uuid ]
@@ -55,13 +68,45 @@ Railsgoat::Application.configure do
  # config.threadsafe!

  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
-  # the I18n.default_locale when a translation can not be found)
+  # the I18n.default_locale when a translation can not be found).
  config.i18n.fallbacks = true

-  # Send deprecation notices to registered listeners
+  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify

  # Log the query plan for queries taking more than this (works
  # with SQLite, MySQL, and PostgreSQL)
  # config.active_record.auto_explain_threshold_in_seconds = 0.5
+
+  # For Rails 4.0+: Eager load code on boot. This eager loads most of
+  # Rails and your application in memory, allowing both thread web
+  # servers and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # For Rails 4.0+: Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+
+  # For Rails 4.0+: Disable automatic flushing of the log to improve performance.
+  # config.autoflush_log = false
+
+  # Prepend all log lines with the following tags.
+  # config.log_tags = [ :subdomain, :uuid ]
+
+  # Use a different logger for distributed setups.
+  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = "http://assets.example.com"
+
+  # Precompile additional assets.
+  # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
+  # config.assets.precompile += %w( search.js )
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
 end
@@ -7,21 +7,18 @@ Railsgoat::Application.configure do
  # and recreated between test runs. Don't rely on the data there!
  config.cache_classes = true

-  # Configure static asset server for tests with Cache-Control for performance
+  # Configure static asset server for tests with Cache-Control for performance.
  config.serve_static_assets = true
  config.static_cache_control = "public, max-age=3600"

-  # Log error messages when you accidentally call methods on nil
-  config.whiny_nils = true
-
-  # Show full error reports and disable caching
+  # Show full error reports and disable caching.
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false

-  # Raise exceptions instead of rendering exception templates
+  # Raise exceptions instead of rendering exception templates.
  config.action_dispatch.show_exceptions = false

-  # Disable request forgery protection in test environment
+  # Disable request forgery protection in test environment.
  config.action_controller.allow_forgery_protection    = false

  # Tell Action Mailer not to deliver emails to the real world.
@@ -29,9 +26,12 @@ Railsgoat::Application.configure do
  # ActionMailer::Base.deliveries array.
  config.action_mailer.delivery_method = :test

-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
-  # Print deprecation notices to the stderr
+  # Print deprecation notices to the stderr.
  config.active_support.deprecation = :stderr
+
+  # For Rails 4.0+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
 end
@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]
@@ -1,15 +1,16 @@
 # Be sure to restart your server when you modify this file.

-# Add new inflection rules using the following format
-# (all these examples are active by default):
-# ActiveSupport::Inflector.inflections do |inflect|
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
 #   inflect.plural /^(ox)$/i, '\1en'
 #   inflect.singular /^(ox)en/i, '\1'
 #   inflect.irregular 'person', 'people'
 #   inflect.uncountable %w( fish sheep )
 # end
-#
+
 # These inflection rules are supported but not enabled by default:
-# ActiveSupport::Inflector.inflections do |inflect|
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
 #   inflect.acronym 'RESTful'
 # end
@@ -5,3 +5,4 @@
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
 Railsgoat::Application.config.secret_token = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4'
+Railsgoat::Application.config.secret_key_base = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4'
@@ -1,8 +1,3 @@
 # Be sure to restart your server when you modify this file.

-Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false
-
-# Use the database for sessions instead of the cookie-based default,
-# which shouldn't be used to store highly confidential information
-# (create the session table with "rails generate session_migration")
-# Railsgoat::Application.config.session_store :active_record_store
+Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session'
@@ -0,0 +1 @@
+ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
@@ -5,7 +5,7 @@

 # Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
 ActiveSupport.on_load(:action_controller) do
-  wrap_parameters format: [:json]
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
 end

 # Disable root element in JSON by default.
@@ -1,5 +1,23 @@
-# Sample localization file for English. Add more files in this directory for other locales.
-# See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points.
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.

 en:
  hello: "Hello world"
@@ -3,7 +3,7 @@ Railsgoat::Application.routes.draw do
  get "login" => "sessions#new"
  get "signup" => "users#new"
  get "logout" => "sessions#destroy"
-  match "forgot_password" => "password_resets#forgot_password"
+  get "forgot_password" => "password_resets#forgot_password"
  get "password_resets" => "password_resets#confirm_token"
  post "password_resets" => "password_resets#reset_password"

@@ -80,7 +80,7 @@ Railsgoat::Application.routes.draw do
    get "dashboard"
    get "get_user"
    post "delete_user"
-    put "update_user"
+    patch "update_user"
    get "get_all_users"
    get "analytics"
  end
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.

-ActiveRecord::Schema.define(:version => 20140804171756) do
+ActiveRecord::Schema.define(:version => 20140408185601) do

  create_table "analytics", :force => true do |t|
    t.string   "ip_address"
@@ -2,17 +2,48 @@
 <html>
 <head>
  <title>The page you were looking for doesn't exist (404)</title>
-  <style type="text/css">
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
-    div.dialog {
-      width: 25em;
-      padding: 0 4em;
-      margin: 4em auto 0 auto;
-      border: 1px solid #ccc;
-      border-right-color: #999;
-      border-bottom-color: #999;
-    }
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
  </style>
 </head>

@@ -22,5 +53,6 @@
    <h1>The page you were looking for doesn't exist.</h1>
    <p>You may have mistyped the address or the page may have moved.</p>
  </div>
+  <p>If you are the application owner check the logs for more information.</p>
 </body>
 </html>
@@ -2,17 +2,48 @@
 <html>
 <head>
  <title>The change you wanted was rejected (422)</title>
-  <style type="text/css">
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
-    div.dialog {
-      width: 25em;
-      padding: 0 4em;
-      margin: 4em auto 0 auto;
-      border: 1px solid #ccc;
-      border-right-color: #999;
-      border-bottom-color: #999;
-    }
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
  </style>
 </head>

@@ -22,5 +53,6 @@
    <h1>The change you wanted was rejected.</h1>
    <p>Maybe you tried to change something you didn't have access to.</p>
  </div>
+  <p>If you are the application owner check the logs for more information.</p>
 </body>
 </html>
@@ -2,17 +2,48 @@
 <html>
 <head>
  <title>We're sorry, but something went wrong (500)</title>
-  <style type="text/css">
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
-    div.dialog {
-      width: 25em;
-      padding: 0 4em;
-      margin: 4em auto 0 auto;
-      border: 1px solid #ccc;
-      border-right-color: #999;
-      border-bottom-color: #999;
-    }
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
+  div.dialog {
+    width: 25em;
+    margin: 4em auto 0 auto;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+  }
  </style>
 </head>

@@ -21,5 +52,6 @@
  <div class="dialog">
    <h1>We're sorry, but something went wrong.</h1>
  </div>
+  <p>If you are the application owner check the logs for more information.</p>
 </body>
 </html>
@@ -1,5 +1,5 @@
 # See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
 #
 # To ban all spiders from the entire site uncomment the next two lines:
-# User-Agent: *
+# User-agent: *
 # Disallow: /
@@ -28,4 +28,4 @@ feature 'insecure direct object reference' do

    pending(:if => verifying_fixed?) { first('td').text.should == 'Jack Mannino' }
  end
-end
+end
@@ -1,4 +1,4 @@
-ENV["RAILS_ENV"] = "test"
+ENV["RAILS_ENV"] ||= "test"

 # To use simplecov, do this: COVERAGE=true rake
 require 'simplecov'
@@ -8,6 +8,8 @@ require File.expand_path('../../config/environment', __FILE__)
 require 'rails/test_help'

 class ActiveSupport::TestCase
+  # Maybe for Rails 4.0: ActiveRecord::Migration.check_pending!
+
  # Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order.
  #
  # Note: You'll currently still have to declare fixtures explicitly in integration tests
				`@@ -0,0 +1 @@`
				`ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)`