team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

removes user_id column from User model to use idiomatic Rails automatic IDs

Browse Source
This commit is contained in:
Joseph Mastey
2017-10-07 09:34:26 -06:00
parent c4f0b91534
commit b6c2259b88
29 changed files with 421 additions and 430 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/controllers/admin_controller.rb
+3 -3
View File
@@ -46,9 +46,9 @@ class AdminController < ApplicationController
end
def delete_user
user = User.find_by_user_id(params[:admin_id])
if user && !(current_user.user_id == user.user_id)
# Call destroy here so that all association records w/ user_id are destroyed as well
user = User.find_by(id: params[:admin_id])
if user && !(current_user.id == user.id)
# Call destroy here so that all association records w/ id are destroyed as well
# Example user.retirement records would be destroyed
user.destroy
message = true
app/controllers/application_controller.rb
+2 -2
View File
@@ -17,8 +17,8 @@ class ApplicationController < ActionController::Base
def current_user
@current_user ||= (
User.find_by_auth_token(cookies[:auth_token].to_s) ||
User.find_by_user_id(session[:user_id].to_s)
User.find_by(auth_token: cookies[:auth_token].to_s) ||
User.find_by(id: session[:user_id].to_s)
)
end
app/controllers/messages_controller.rb
+2 -2
View File
@@ -16,7 +16,7 @@ class MessagesController < ApplicationController
if message.destroy
flash[:success] = "Your message has been deleted."
redirect_to user_messages_path(user_id: current_user.user_id)
redirect_to user_messages_path(user_id: current_user.id)
else
flash[:error] = "Could not delete message."
end
@@ -25,7 +25,7 @@ class MessagesController < ApplicationController
def create
if Message.create(message_params)
respond_to do |format|
format.html { redirect_to user_messages_path(user_id: current_user.user_id) }
format.html { redirect_to user_messages_path(user_id: current_user.id) }
format.json { render json: {msg: "success"} }
end
else
app/controllers/password_resets_controller.rb
+2 -2
View File
@@ -50,10 +50,10 @@ class PasswordResetsController < ApplicationController
end
def is_valid?(token)
if token =~ /(?<user_id>\d+)-(?<email_hash>[A-Z0-9]{32})/i
if token =~ /(?<user>\d+)-(?<email_hash>[A-Z0-9]{32})/i
# Fetch the user by their id, and hash their email address
@user = User.find_by_id($~[:user_id])
@user = User.find_by(id: $~[:user])
email = Digest::MD5.hexdigest(@user.email)
# Compare and validate our hashes
app/controllers/pay_controller.rb
+5 -4
View File
@@ -7,11 +7,12 @@ class PayController < ApplicationController
def update_dd_info
msg = false
pay = Pay.new(
bank_account_num: params[:bank_account_num],
bank_routing_num: params[:bank_routing_num],
percent_of_deposit: params[:dd_percent]
bank_account_num: params[:bank_account_num],
bank_routing_num: params[:bank_routing_num],
percent_of_deposit: params[:dd_percent],
user_id: current_user.id
)
pay.user_id = current_user.user_id
msg = true if pay.save!
respond_to do |format|
format.json {render json: {msg: msg } }
app/controllers/schedule_controller.rb
+1 -1
View File
@@ -7,7 +7,7 @@ class ScheduleController < ApplicationController
if params[:schedule][:event_type] == "pto"
sched = Schedule.new(schedule_params)
sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1])
sched.user_id = current_user.user_id
sched.user_id = current_user.id
a = sched.date_end
if sched.save
message = true
app/controllers/sessions_controller.rb
+2 -2
View File
@@ -19,9 +19,9 @@ class SessionsController < ApplicationController
if user
if params[:remember_me]
cookies.permanent[:auth_token] = user.auth_token if User.where(user_id: user.user_id).exists?
cookies.permanent[:auth_token] = user.auth_token
else
session[:user_id] = user.user_id if User.where(user_id: user.user_id).exists?
session[:user_id] = user.id
end
redirect_to path
else
app/controllers/users_controller.rb
+5 -6
View File
@@ -10,7 +10,7 @@ class UsersController < ApplicationController
def create
user = User.new(user_params)
if user.save
session[:user_id] = user.user_id
session[:user_id] = user.id
redirect_to home_dashboard_index_path
else
@user = user
@@ -26,22 +26,21 @@ class UsersController < ApplicationController
def update
message = false
user = User.where("user_id = '#{params[:user][:user_id]}'")[0]
user = User.where("id = '#{params[:user][:id]}'")[0]
if user
user.skip_user_id_assign = true
user.update_attributes(user_params_without_password)
if params[:user][:password].present? && (params[:user][:password] == params[:user][:password_confirmation])
user.password = params[:user][:password]
end
message = true if user.save!
respond_to do |format|
format.html { redirect_to user_account_settings_path(user_id: current_user.user_id) }
format.json { render json: {msg: message ? "success" : "false "} }
format.html { redirect_to user_account_settings_path(user_id: current_user.id) }
format.json { render :json => {:msg => message ? "success" : "false "} }
end
else
flash[:error] = "Could not update user!"
redirect_to user_account_settings_path(user_id: current_user.user_id)
redirect_to user_account_settings_path(user_id: current_user.id)
end
end
app/controllers/work_info_controller.rb
+1 -1
View File
@@ -1,7 +1,7 @@
# frozen_string_literal: true
class WorkInfoController < ApplicationController
def index
@user = User.find_by_user_id(params[:user_id])
@user = User.find_by(id: params[:user_id])
if !(@user) || @user.admin
flash[:error] = "Sorry, no user with that user id exists"
redirect_to home_dashboard_index_path
app/models/message.rb
+1 -1
View File
@@ -4,7 +4,7 @@ class Message < ApplicationRecord
validates_presence_of :creator_id, :receiver_id, :message
def creator_name
if creator = User.where(user_id: self.creator_id).first
if creator = User.where(id: self.creator_id).first
creator.full_name
else
"Name unavailable"
app/models/user.rb
+17 -31
View File
@@ -10,17 +10,17 @@ class User < ApplicationRecord
validates_presence_of :email
validates_uniqueness_of :email
validates_format_of :email, with: /.+@.+\..+/i
attr_accessor :skip_user_id_assign
before_save :assign_user_id, on: :create
validates_format_of :email, :with => /.+@.+\..+/i
has_one :retirement, dependent: :destroy
has_one :paid_time_off, dependent: :destroy
has_one :work_info, dependent: :destroy
has_many :performance, dependent: :destroy
has_many :pay, dependent: :destroy
has_many :messages, foreign_key: :receiver_id, dependent: :destroy
before_save :hash_password
has_one :retirement, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
has_one :paid_time_off, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
has_one :work_info, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
has_many :performance, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
has_many :messages, foreign_key: :receiver_id, primary_key: :user_id, dependent: :destroy
has_many :pay, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
before_create { generate_token(:auth_token) }
after_create { generate_token(:auth_token) }
before_create :build_benefits_data
def build_benefits_data
@@ -36,11 +36,6 @@ class User < ApplicationRecord
"#{self.first_name} #{self.last_name}"
end
# # Instead of the entire user object being returned, we can use this to filter.
# def as_json
# super(only: [:user_id, :email, :first_name, :last_name])
# end
private
def self.authenticate(email, password)
@@ -55,26 +50,17 @@ class User < ApplicationRecord
return auth
end
def assign_user_id
unless @skip_user_id_assign.present? || self.user_id.present?
user = User.order("user_id").last
uid = if user && user.user_id && !(User.exists?(user_id: "#{user.user_id.to_i + 1}"))
user.user_id.to_i + 1
else
1
end
self.user_id = uid.to_s if uid
end
end
def hash_password
if password.present? && password_changed?
self.password = Digest::MD5.hexdigest(password)
if will_save_change_to_password?
self.password = Digest::MD5.hexdigest(self.password)
end
end
def generate_token(column)
self[column] = Encryption.encrypt_sensitive_value(self.user_id)
generate_token(column) if User.exists?(column => self[column])
begin
self[column] = Encryption.encrypt_sensitive_value(self.id)
end while User.exists?(column => self[column])
self.save!
end
end
app/views/admin/get_user.html.erb
+1 -1
View File
@@ -62,7 +62,7 @@ $('#submit_button').click(function() {
$("#editAcct").modal('hide');
$.ajax({
url: "/admin/" + <%= @user.user_id %> + "/update_user.json",
url: "/admin/" + <%= @user.id %> + "/update_user.json",
data: valuesToSubmit,
type: "POST",
success: function(response) {
app/views/layouts/shared/_header.html.erb
+1 -1
View File
@@ -14,7 +14,7 @@
<span class="caret"></span>
<ul class="dropdown-menu pull-right">
<li>
<%= link_to "Account settings", user_account_settings_path(:user_id => current_user.user_id) %>
<%= link_to "Account settings", user_account_settings_path(user_id: current_user.id) %>
</li>
<li>
<%= link_to "Logout", logout_path %>
app/views/layouts/shared/_sidebar.html.erb
+8 -8
View File
@@ -32,7 +32,7 @@
</li>
<% end %>
<li id="benefit_forms">
<%= link_to user_benefit_forms_path(:user_id => current_user.user_id) do %>
<%= link_to user_benefit_forms_path(user_id: current_user.id) do %>
<div class="icon">
<span class="fs1" aria-hidden="true" data-icon="&#xe05c;"></span>
</div>
@@ -40,7 +40,7 @@
<% end %>
</li>
<li id="retirement">
<%= link_to user_retirement_index_path(:user_id => current_user.user_id) do %>
<%= link_to user_retirement_index_path(user_id: current_user.id) do %>
<div class="icon">
<span class="fs1" aria-hidden="true" data-icon="&#xe096;"></span>
</div>
@@ -48,7 +48,7 @@
<% end %>
</li>
<li id="pto">
<%= link_to user_paid_time_off_index_path(:user_id => current_user.user_id) do %>
<%= link_to user_paid_time_off_index_path(user_id: current_user.id) do %>
<div class="icon">
<span class="fs1" aria-hidden="true" data-icon="&#xe0d2;"></span>
</div>
@@ -56,7 +56,7 @@
<% end %>
</li>
<li id="employee_info">
<%= link_to user_work_info_index_path(:user_id => current_user.user_id) do %>
<%= link_to user_work_info_index_path(user_id: current_user.id) do %>
<div class="icon">
<span class="fs1" aria-hidden="true" data-icon="&#xe0a9;"></span>
</div>
@@ -64,7 +64,7 @@
<% end %>
</li>
<li id="performance">
<%= link_to user_performance_index_path(:user_id => current_user.user_id) do %>
<%= link_to user_performance_index_path(user_id: current_user.id) do %>
<div class="icon">
<span class="fs1" aria-hidden="true" data-icon="&#xe14a;"></span>
</div>
@@ -72,7 +72,7 @@
<% end %>
</li>
<li id="messages">
<%= link_to user_messages_path(:user_id => current_user.user_id) do %>
<%= link_to user_messages_path(user_id: current_user.id) do %>
<div class="icon">
<span class="fs1" aria-hidden="true" data-icon="&#xe040;"></span>
</div>
@@ -80,7 +80,7 @@
<% end %>
</li>
<li id="pay">
<%= link_to user_pay_index_path(:user_id => current_user.user_id) do %>
<%= link_to user_pay_index_path(user_id: current_user.id) do %>
<div class="icon">
<span class="fs1" aria-hidden="true" data-icon="&#xe038;"></span>
</div>
@@ -139,4 +139,4 @@
});
</script>
<% end %>
<% end %>
app/views/messages/index.html.erb
+2 -2
View File
@@ -111,7 +111,7 @@ $("#submit_button").click(function(event) {
var valuesToSubmit = $("#send_message").serialize();
event.preventDefault();
$.ajax({
url: <%= "/users/#{current_user.user_id}/messages.json".inspect.html_safe %>,
url: <%= "/users/#{current_user.id}/messages.json".inspect.html_safe %>,
data: valuesToSubmit,
type: "POST",
success: function(response) {
@@ -135,4 +135,4 @@ $(document).ready(function () {
makeActive()
});
</script>
</script>
app/views/pay/index.html.erb
+3 -3
View File
@@ -186,7 +186,7 @@ function parseDirectDepostInfo(response){
function populateTable() {
$('#data_table').dataTable().fnClearTable();
$.ajax({
url: <%= sanitize(user_pay_path(:format => "json", :user_id => current_user.user_id, :id => current_user.user_id).inspect) %>,
url: <%= sanitize(user_pay_path(:format => "json", user_id: current_user.id, id: current_user.id).inspect) %>,
type: "GET",
success: function(response) {
parseDirectDepostInfo(response);
@@ -237,7 +237,7 @@ $("#decrypt_btn").click(function(event){
var valuesToSubmit = $("#decrypt_form").serialize();
event.preventDefault();
$.ajax({
url: <%= sanitize(decrypted_bank_acct_num_user_pay_index_path(:format => "json", :user_id => current_user.user_id).inspect) %>,
url: <%= sanitize(decrypted_bank_acct_num_user_pay_index_path(:format => "json", user_id: current_user.id).inspect) %>,
data: valuesToSubmit,
type: "POST",
success: function(response) {
@@ -298,4 +298,4 @@ $(document).ready(
populateTable()
)
</script>
</script>
app/views/sessions/new.html.erb
+1 -1
View File
@@ -30,7 +30,7 @@
</div>
<div class="content">
<%= hidden_field_tag :url, @url%>
<%= hidden_field_tag :url, @url %>
<%= text_field_tag :email, params[:email], {:class => "input input-block-level", :placeholder=>"Email"} %>
<%= password_field_tag :password, nil, {:class => "input input-block-level", :placeholder=>"Password"}%>
</div>
app/views/users/account_settings.html.erb
+2 -2
View File
@@ -37,7 +37,7 @@
</div>
<div class="widget-body">
<%= form_for @user, :html => {:id => "account_edit"} do |f|%>
<%= f.hidden_field :user_id%>
<%= f.hidden_field :id %>
<div class="control-group">
<%= f.label :email, nil, {:class => "control-label"}%>
<%= f.text_field :email, {:class => "span12"}%>
@@ -84,7 +84,7 @@ $("#submit_button").click(function(event) {
var valuesToSubmit = $("#account_edit").serialize();
event.preventDefault();
$.ajax({
url: <%= "/users/#{current_user.user_id}.json".inspect.html_safe %>,
url: <%= "/users/#{current_user.id}.json".inspect.html_safe %>,
data: valuesToSubmit,
type: "POST",
success: function(response) {
db/migrate/20171007010129_remove_users_user_id.rb
+5
View File
@@ -0,0 +1,5 @@
class RemoveUsersUserId < ActiveRecord::Migration[5.1]
def change
remove_column :users, :user_id, :integer
end
end
db/schema.rb
+47 -48
View File
@@ -11,12 +11,12 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 20140408185601) do
ActiveRecord::Schema.define(version: 20171007010129) do
create_table "analytics", force: :cascade do |t|
t.string "ip_address"
t.string "referrer"
t.string "user_agent"
t.string "ip_address"
t.string "referrer"
t.string "user_agent"
t.datetime "created_at"
t.datetime "updated_at"
end
@@ -27,92 +27,91 @@ ActiveRecord::Schema.define(version: 20140408185601) do
end
create_table "key_managements", force: :cascade do |t|
t.string "iv"
t.integer "user_id"
t.string "iv"
t.integer "user_id"
t.datetime "created_at"
t.datetime "updated_at"
end
create_table "messages", force: :cascade do |t|
t.integer "creator_id"
t.integer "receiver_id"
t.text "message"
t.boolean "read"
t.integer "creator_id"
t.integer "receiver_id"
t.text "message"
t.boolean "read"
t.datetime "created_at"
t.datetime "updated_at"
end
create_table "paid_time_offs", force: :cascade do |t|
t.integer "user_id"
t.integer "sick_days_taken"
t.integer "sick_days_earned"
t.integer "pto_taken"
t.integer "pto_earned"
t.integer "user_id"
t.integer "sick_days_taken"
t.integer "sick_days_earned"
t.integer "pto_taken"
t.integer "pto_earned"
t.datetime "created_at"
t.datetime "updated_at"
end
create_table "pays", force: :cascade do |t|
t.integer "user_id"
t.string "bank_account_num"
t.string "bank_routing_num"
t.integer "percent_of_deposit"
t.integer "user_id"
t.string "bank_account_num"
t.string "bank_routing_num"
t.integer "percent_of_deposit"
t.datetime "created_at"
t.datetime "updated_at"
end
create_table "performances", force: :cascade do |t|
t.integer "user_id"
t.date "date_submitted"
t.integer "score"
t.string "comments"
t.integer "reviewer"
t.integer "user_id"
t.date "date_submitted"
t.integer "score"
t.string "comments"
t.integer "reviewer"
t.datetime "created_at"
t.datetime "updated_at"
end
create_table "retirements", force: :cascade do |t|
t.string "total"
t.string "employee_contrib"
t.string "employer_contrib"
t.integer "user_id"
t.string "total"
t.string "employee_contrib"
t.string "employer_contrib"
t.integer "user_id"
t.datetime "created_at"
t.datetime "updated_at"
end
create_table "schedules", force: :cascade do |t|
t.string "event_type"
t.date "date_begin"
t.date "date_end"
t.string "event_name"
t.string "event_desc"
t.integer "user_id"
t.string "event_type"
t.date "date_begin"
t.date "date_end"
t.string "event_name"
t.string "event_desc"
t.integer "user_id"
t.datetime "created_at"
t.datetime "updated_at"
end
create_table "users", force: :cascade do |t|
t.string "email"
t.string "password"
t.boolean "admin"
t.string "first_name"
t.string "last_name"
t.integer "user_id"
t.string "email"
t.string "password"
t.boolean "admin"
t.string "first_name"
t.string "last_name"
t.datetime "created_at"
t.datetime "updated_at"
t.string "auth_token"
t.string "auth_token"
end
create_table "work_infos", force: :cascade do |t|
t.integer "user_id"
t.string "income"
t.string "bonuses"
t.integer "years_worked"
t.string "SSN"
t.date "DoB"
t.integer "user_id"
t.string "income"
t.string "bonuses"
t.integer "years_worked"
t.string "SSN"
t.date "DoB"
t.datetime "created_at"
t.datetime "updated_at"
t.binary "encrypted_ssn"
t.binary "encrypted_ssn"
end
end
db/seeds.rb
+271 -277
View File
@@ -4,314 +4,308 @@
#
users = [
{
email: "admin@metacorp.com",
admin: true,
password: "admin1234",
password_confirmation: "admin1234",
first_name: "Admin",
last_name: "",
user_id: 1
},
{
email: "jmmastey@metacorp.com",
admin: false,
password: "railsgoat!",
password_confirmation: "railsgoat!",
first_name: "Joseph",
last_name: "Mastey",
user_id: 2
},
{
email: "jim@metacorp.com",
admin: false,
password: "alohaowasp",
password_confirmation: "alohaowasp",
first_name: "Jim",
last_name: "Manico",
user_id: 3
},
{
email: "mike@metacorp.com",
admin: false,
password: "motocross1445",
password_confirmation: "motocross1445",
first_name: "Mike",
last_name: "McCabe",
user_id: 4
},
{
email: "ken@metacorp.com",
admin: false,
password: "citrusblend",
password_confirmation: "citrusblend",
first_name: "Ken",
last_name: "Johnson",
user_id: 5
},
{
email: "admin2@metacorp.com",
admin: false,
password: "adminadmin",
password_confirmation: "adminadmin",
first_name: "Admin2",
last_name: "",
user_id: 6
}
{
email: "admin@metacorp.com",
admin: true,
password: "admin1234",
password_confirmation: "admin1234",
first_name: "Admin",
last_name: "",
},
{
:email => "jmmastey@metacorp.com",
:admin => false,
:password => "railsgoat!",
:password_confirmation => "railsgoat!",
:first_name => "Joseph",
:last_name => "Mastey",
},
{
email: "jack@metacorp.com",
admin: false,
password: "yankeessuck",
password_confirmation: "yankeessuck",
first_name: "Jack",
last_name: "Mannino",
},
{
email: "jim@metacorp.com",
admin: false,
password: "alohaowasp",
password_confirmation: "alohaowasp",
first_name: "Jim",
last_name: "Manico",
},
{
email: "mike@metacorp.com",
admin: false,
password: "motocross1445",
password_confirmation: "motocross1445",
first_name: "Mike",
last_name: "McCabe",
},
{
email: "ken@metacorp.com",
admin: false,
password: "citrusblend",
password_confirmation: "citrusblend",
first_name: "Ken",
last_name: "Johnson",
},
{
email: "admin2@metacorp.com",
admin: false,
password: "adminadmin",
password_confirmation: "adminadmin",
first_name: "Admin2",
last_name: "",
}
]
retirements = [
{
user_id: 2,
employee_contrib: "1000",
employer_contrib: "2000",
total: "4500"
},
{
user_id: 3,
employee_contrib: "8000",
employer_contrib: "16000",
total: "30000"
},
{
user_id: 4,
employee_contrib: "10000",
employer_contrib: "20000",
total: "40000"
},
{
user_id: 5,
employee_contrib: "3000",
employer_contrib: "6000",
total: "12500"
}
{
user: "jack@metacorp.com",
employee_contrib: "1000",
employer_contrib: "2000",
total: "4500"
},
{
user: "jim@metacorp.com",
employee_contrib: "8000",
employer_contrib: "16000",
total: "30000"
},
{
user: "mike@metacorp.com",
employee_contrib: "10000",
employer_contrib: "20000",
total: "40000"
},
{
user: "ken@metacorp.com",
employee_contrib: "3000",
employer_contrib: "6000",
total: "12500"
}
]
paid_time_off = [
{
user_id: 2,
sick_days_taken: 2,
sick_days_earned: 5,
pto_taken: 5,
pto_earned: 30
},
{
user_id: 3,
sick_days_taken: 3,
sick_days_earned: 6,
pto_taken: 3,
pto_earned: 20
},
{
user_id: 4,
sick_days_taken: 2,
sick_days_earned: 5,
pto_taken: 5,
pto_earned: 30
},
{
user_id: 5,
sick_days_taken: 1,
sick_days_earned: 5,
pto_taken: 10,
pto_earned: 30
}
{
user: "jack@metacorp.com",
sick_days_taken: 2,
sick_days_earned: 5,
pto_taken: 5,
pto_earned: 30
},
{
user: "jim@metacorp.com",
sick_days_taken: 3,
sick_days_earned: 6,
pto_taken: 3,
pto_earned: 20
},
{
user: "mike@metacorp.com",
sick_days_taken: 2,
sick_days_earned: 5,
pto_taken: 5,
pto_earned: 30
},
{
user: "ken@metacorp.com",
sick_days_taken: 1,
sick_days_earned: 5,
pto_taken: 10,
pto_earned: 30
}
]
]
schedule = [
{
user: "jack@metacorp.com",
date_begin: Date.new(2014, 7, 30),
date_end: Date.new(2014, 8, 2),
event_type: "pto",
event_desc: "vacation to france",
event_name: "My 2014 Vacation"
},
{
user: "jim@metacorp.com",
date_begin: Date.new(2013, 9, 1),
date_end: Date.new(2013, 9, 12),
event_type: "pto",
event_desc: "Going Home to see folks",
event_name: "Visit Parents"
},
{
user: "mike@metacorp.com",
date_begin: Date.new(2013, 9, 13),
date_end: Date.new(2013, 9, 20),
event_type: "pto",
event_desc: "Taking kids to Grand Canyon",
event_name: "AZ Trip"
},
{
user: "ken@metacorp.com",
date_begin: Date.new(2013, 12, 20),
date_end: Date.new(2013, 12, 30),
event_type: "pto",
event_desc: "Xmas Staycation",
event_name: "Christmas Leave"
}
]
schedule = [
{
user_id: 2,
date_begin: Date.new(2014, 7, 30),
date_end: Date.new(2014, 8, 2),
event_type: "pto",
event_desc: "vacation to france",
event_name: "My 2014 Vacation"
work_info = [
{
user: "jack@metacorp.com",
income: "$50,000",
bonuses: "$10,000",
years_worked: 2,
SSN: "555-55-5555",
DoB: "01-01-1980"
},
{
user: "jim@metacorp.com",
income: "$40,000",
bonuses: "$10,000",
years_worked: 1,
SSN: "333-33-3333",
DoB: "01-01-1979"
},
{
user: "mike@metacorp.com",
income: "$60,000",
bonuses: "$12,000",
years_worked: 3,
SSN: "444-44-4444",
DoB: "01-01-1981"
},
{
user: "ken@metacorp.com",
income: "$30,000",
bonuses: "7,000",
years_worked: 1,
SSN: "222-22-2222",
DoB: "01-01-1982"
}
]
},
{
user_id: 3,
date_begin: Date.new(2013, 9, 1),
date_end: Date.new(2013, 9, 12),
event_type: "pto",
event_desc: "Going Home to see folks",
event_name: "Visit Parents"
},
{
user_id: 4,
date_begin: Date.new(2013, 9, 13),
date_end: Date.new(2013, 9, 20),
event_type: "pto",
event_desc: "Taking kids to Grand Canyon",
event_name: "AZ Trip"
},
{
user_id: 5,
date_begin: Date.new(2013, 12, 20),
date_end: Date.new(2013, 12, 30),
event_type: "pto",
event_desc: "Xmas Staycation",
event_name: "Christmas Leave"
}
]
work_info = [
{
user_id: 2,
income: "$50,000",
bonuses: "$10,000",
years_worked: 2,
SSN: "555-55-5555",
DoB: "01-01-1980"
},
{
user_id: 3,
income: "$40,000",
bonuses: "$10,000",
years_worked: 1,
SSN: "333-33-3333",
DoB: "01-01-1979"
},
{
user_id: 4,
income: "$60,000",
bonuses: "$12,000",
years_worked: 3,
SSN: "444-44-4444",
DoB: "01-01-1981"
},
{
user_id: 5,
income: "$30,000",
bonuses: "7,000",
years_worked: 1,
SSN: "222-22-2222",
DoB: "01-01-1982"
}
]
performance = [
{
user_id: 2,
reviewer: 1,
comments: "Great job! You are my hero",
date_submitted: Date.new(2012, 01, 01),
score: 5
},
{
user_id: 2,
performance = [
{
user: "jack@metacorp.com",
reviewer: 1,
comments: "Great job! You are my hero",
date_submitted: Date.new(2012, 01, 01),
score: 5
},
{
user: "jack@metacorp.com",
reviewer: 1,
comments: "Once again, you've done a great job this year. We greatly appreciate your hard work.",
date_submitted: Date.new(2013, 01, 01),
score: 5
},
{
user_id: 3,
reviewer: 1,
comments: "Great worker, great attitude for this newcomer!",
date_submitted: Date.new(2013, 01, 01),
score: 5
},
{
user_id: 4,
reviewer: 1,
comments: "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.",
date_submitted: Date.new(2011, 01, 01),
score: 4
},
{
user_id: 4,
reviewer: 1,
comments: "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.",
date_submitted: Date.new(2012, 01, 01),
score: 5
},
{
user_id: 4,
reviewer: 1,
comments: "Right out of the gate, Mike has made incredible moves as a newly appointed leader. His only improvement would be more cowbell. Not enough of it.",
date_submitted: Date.new(2013, 01, 01),
score: 4
},
{
user_id: 5,
reviewer: 1,
comments: "Ehh, you are okay, we will let you stay..... barely",
date_submitted: Date.new(2013, 01, 01),
score: 2
}
]
},
{
user: "jim@metacorp.com",
reviewer: 1,
comments: "Great worker, great attitude for this newcomer!",
date_submitted: Date.new(2013, 01, 01),
score: 5
},
{
user: "mike@metacorp.com",
reviewer: 1,
comments: "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.",
date_submitted: Date.new(2011, 01, 01),
score: 4
},
{
user: "mike@metacorp.com",
reviewer: 1,
comments: "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.",
date_submitted: Date.new(2012, 01, 01),
score: 5
},
{
user: "mike@metacorp.com",
reviewer: 1,
comments: "Right out of the gate, Mike has made incredible moves as a newly appointed leader. His only improvement would be more cowbell. Not enough of it.",
date_submitted: Date.new(2013, 01, 01),
score: 4
},
{
user: "ken@metacorp.com",
reviewer: 1,
comments: "Ehh, you are okay, we will let you stay..... barely",
date_submitted: Date.new(2013, 01, 01),
score: 2
}
]
messages = [
{
receiver_id: 2,
creator_id: 5,
message: "Your benefits have been updated.",
read: false
},
{
receiver_id: 3,
creator_id: 4,
message: "Please update your profile.",
read: false
},
{
receiver_id: 4,
creator_id: 3,
message: "Welcome to Railsgoat.",
read: false
},
{
receiver_id: 5,
creator_id: 2,
message: "Hello friend.",
read: false
}
]
messages = [
{
creator: "ken@metacorp.com",
receiver: "jack@metacorp.com",
message: 'Your benefits have been updated.',
read: false
},
{
creator: "mike@metacorp.com",
receiver: "jim@metacorp.com",
message: 'Please update your profile.',
read: false
},
{
creator: "jim@metacorp.com",
receiver: "mike@metacorp.com",
message: 'Welcome to Railsgoat.',
read: false
},
{
creator: "jack@metacorp.com",
receiver: "ken@metacorp.com",
message: 'Hello friend.',
read: false
}
]
users.each do |user_info|
user = User.new(user_info.reject { |k| k == :user_id })
user.user_id = user_info[:user_id]
user.save!
user_map = users.each_with_object({}) do |user_info, h|
h[user_info[:email]] = User.create!(user_info).id
end
retirements.each do |r|
ret = Retirement.new(r.reject { |k| k == :user_id})
ret.user_id = r[:user_id]
ret.save!
r[:user_id] = user_map.fetch(r.delete(:user))
Retirement.create!(r)
end
paid_time_off.each do |pto|
ptoff = PaidTimeOff.new(pto.reject { |k| k == :user_id})
ptoff.user_id = pto[:user_id]
ptoff.save!
pto[:user_id] = user_map.fetch(pto.delete(:user))
PaidTimeOff.create!(pto)
end
schedule.each do |event|
sched = Schedule.new(event.reject { |k| k == :user_id})
sched.user_id = event[:user_id]
sched.save!
event[:user_id] = user_map.fetch(event.delete(:user))
Schedule.create!(event)
end
performance.each do |perf|
p = Performance.new(perf.reject { |k| k == :user_id})
p.user_id = perf[:user_id]
p.save!
perf[:user_id] = user_map.fetch(perf.delete(:user))
Performance.create!(perf)
end
messages.each do |message|
m = Message.new(message.reject { |k| k == :creator_id})
m.creator_id = message[:creator_id]
m.save!
message[:creator_id] = user_map.fetch(message.delete(:creator))
message[:receiver_id] = user_map.fetch(message.delete(:receiver))
Message.create!(message)
end
work_info.each do |wi|
info = WorkInfo.new(wi.reject { |k| k == :user_id })
info.user_id = wi[:user_id]
info.save!
wi[:user_id] = user_map.fetch(wi.delete(:user))
WorkInfo.create!(wi)
end
spec/support/user_fixture.rb
+10 -7
View File
@@ -6,13 +6,16 @@ class UserFixture
end
def self.normal_user
password = "thi$ 1s cOmplExEr"
user = User.new(first_name: "Joe", last_name: "Schmoe",
email: "joe@schmoe.com", password: password, password_confirmation: password)
def user.clear_password
"thi$ 1s cOmplExEr"
password = 'thi$ 1s cOmplExEr'
User.create!(first_name: 'Joe', last_name: 'Schmoe', email: 'joe@schmoe.com',
password: password, password_confirmation: password).tap do |user|
def user.clear_password
'thi$ 1s cOmplExEr'
end
end
user.save!
user
end
def self.admin_user
User.where(admin: true).first
end
end
spec/vulnerabilities/command_injection_spec.rb
+1 -1
View File
@@ -14,7 +14,7 @@ feature "command injection" do
legit_file = File.join(Rails.root, "public", "data", "legit.txt")
File.open(legit_file, "w") { |f| f.puts "totes legit" }
visit "/users/#{@normal_user.user_id}/benefit_forms"
visit "/users/#{@normal_user.id}/benefit_forms"
Dir.mktmpdir do |dir|
hackety_file = File.join(dir, "test; cd public && cd data && rm -f * ;")
File.open(hackety_file, "w") { |f| f.print "mwahaha" }
spec/vulnerabilities/insecure_dor_spec.rb
+5 -5
View File
@@ -10,9 +10,9 @@ feature "insecure direct object reference" do
scenario "attack one" do
login(@normal_user)
visit "/users/#{@normal_user.user_id}/benefit_forms"
download_url = first(".widget-body a")[:href]
visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
visit "/users/#{@normal_user.id}/benefit_forms"
download_url = first('.widget-body a')[:href]
visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')
pending if verifying_fixed?
@@ -24,8 +24,8 @@ feature "insecure direct object reference" do
scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
login(@normal_user)
expect(@normal_user.user_id).not_to eq(2)
visit "/users/2/work_info"
expect(@normal_user.id).not_to eq(2)
visit '/users/2/work_info'
pending if verifying_fixed?
expect(first("td").text).to eq("Joseph Mastey")
spec/vulnerabilities/mass_assignment_spec.rb
+2 -2
View File
@@ -13,10 +13,10 @@ feature "mass assignment" do
login(@normal_user)
params = {user: {admin: "t",
user_id: @normal_user.user_id,
user_id: @normal_user.id,
password: @normal_user.clear_password,
password_confirmation: @normal_user.clear_password}}
page.driver.put "/users/#{@normal_user.user_id}.json", params
page.driver.put "/users/#{@normal_user.id}.json", params
pending if verifying_fixed?
expect(@normal_user.reload.admin).to be_truthy
spec/vulnerabilities/sensitive_data_exposure.rb
+1 -1
View File
@@ -13,7 +13,7 @@ feature "sensitive data exposure" do
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Cleartext-Storage-SSNs" do
login @normal_user
visit "/users/#{@normal_user.user_id}/work_info"
visit "/users/#{@normal_user.id}/work_info"
pending if verifying_fixed?
expect(page.source).to include "999-99-9999"
end
spec/vulnerabilities/sql_injection_spec.rb
+9 -7
View File
@@ -4,8 +4,9 @@ require "spec_helper"
feature "sql injection" do
before(:each) do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
@admin_user = User.where("admin='t'").first
@admin_user = UserFixture.admin_user
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
@@ -13,14 +14,15 @@ feature "sql injection" do
login(@normal_user)
visit "/users/#{@normal_user.user_id}/account_settings"
within("#account_edit") do
fill_in "Email", with: "joe.admin@schmoe.com"
fill_in "user_password", with: "H4cketyhack"
fill_in "user_password_confirmation", with: "H4cketyhack"
visit "/users/#{@normal_user.id}/account_settings"
within('#account_edit') do
fill_in 'Email', :with => 'joe.admin@schmoe.com'
fill_in 'user_password', :with => 'H4cketyhack'
fill_in 'user_password_confirmation', :with => 'H4cketyhack'
# this is a hidden field, so cannot use fill_in to access it.
find(:xpath, "//input[@id='user_user_id']", visible: false).set "8' OR admin='t') --"
find(:xpath, "//input[@id='user_id']", :visible => false).set "8' OR admin='t') --"
end
click_on "Submit"
spec/vulnerabilities/unvalidated_redirects_spec.rb
+7 -5
View File
@@ -7,15 +7,17 @@ feature "unvalidated redirect" do
@normal_user = UserFixture.normal_user
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", js: true do
visit "/?url=http://example.com/do/evil/things"
within(".signup") do
fill_in "email", with: @normal_user.email
fill_in "password", with: @normal_user.clear_password
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", :js => true do
visit '/?url=http://example.com/do/evil/things'
within('.signup') do
fill_in 'email', with: @normal_user.email
fill_in 'password', with: @normal_user.clear_password
end
within(".actions") do
click_on "Login"
end
pending if verifying_fixed?
expect(current_url).to eq("http://example.com/do/evil/things")
end
spec/vulnerabilities/xss_spec.rb
+4 -4
View File
@@ -10,9 +10,9 @@ feature "xss" do
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", js: true do
login @normal_user
visit "/users/#{@normal_user.user_id}/account_settings"
within("#account_edit") do
fill_in "First name", with: "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
visit "/users/#{@normal_user.id}/account_settings"
within('#account_edit') do
fill_in 'First name', :with => "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
# password gets screwed up if you don't re-submit - need to fix
fill_in "user_password", with: @normal_user.clear_password
@@ -22,7 +22,7 @@ feature "xss" do
sleep(1)
visit "/users/#{@normal_user.user_id}/account_settings"
visit "/users/#{@normal_user.id}/account_settings"
pending if verifying_fixed?
expect(find("#submit_button").value).to eq("RailsGoat h4x0r3d")