From b84c8d4cc79dc7e647ed7b7b24e847c03fa1b477 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Thu, 14 Nov 2013 10:47:27 -0500
Subject: [PATCH] finished write-up for broken auth
---
app/controllers/users_controller.rb | 2 +-
app/models/user.rb | 8 +++++++-
.../_password_complexity.html.erb | 18 +++++++++++++-----
3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index e7f1684..665c12c 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -16,7 +16,7 @@ class UsersController < ApplicationController
else
@user = user
flash[:error] = user.errors.full_messages.to_sentence
- redirect_to :sign_up
+ redirect_to :signup
end
end
diff --git a/app/models/user.rb b/app/models/user.rb
index b0204b9..105e3f0 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -5,7 +5,13 @@ class User < ActiveRecord::Base
:length => {:within => 6..40},
:on => :create,
:if => :password#,
- #:format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
+=begin :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
+ validates :password, :presence => true,
+ :confirmation => true,
+ :on => :update,
+ :if => :password,
+ :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
+=end
validates_presence_of :email
validates_uniqueness_of :email
validates_format_of :email, :with => /.+@.+\..+/i
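Review bot: The new `=begin`/`=end` block after the `:if => :password#,` context line leaves both the complexity `:format` rule and the entire `:on => :update` validation disabled, so on the new side the model checks only presence, confirmation and length 6..40 on create and nothing at all on update. The `#,` on that context line is what actually terminates the `validates` call, so nothing inside the block comment would take effect even if `=end` were moved. The `tutorial/broken_auth_sess` path elsewhere in this commit suggests this is the intentionally weak state of a training app; if so, a comment saying so would stop the next reader from "fixing" it, e.g. `# NOTE: complexity and update-time password validation intentionally disabled for the broken-auth tutorial; see _password_complexity.html.erb`. The `validates :password` call begins before the hunk.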
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb
index 507bf0c..a373e91 100644
--- a/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb
+++ b/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb
@@ -70,11 +70,19 @@
1 special character
- validates :password, :presence => true,
- :confirmation => true,
- :length => {:within => 6..40},
- :on => :create,
- :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
+ # VALIDATE PASSWORD BOTH AT CREATION AND WHEN UPDATING
+ validates :password, :presence => true,
+ :confirmation => true,
+ :length => {:within => 6..40},
+ :on => :create,
+ :if => :password,
+ :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
+ validates :password, :presence => true,
+ :confirmation => true,
+ :on => :update,
+ :if => :password,
+ :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
+
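Review bot: The recommended fix shown here has three inconsistencies readers will copy verbatim. The create rule pairs `:length => {:within => 6..40}` with a regex whose `(?=.{10,})` lookahead already demands at least 10 characters, so the 6-character floor is unreachable and one of the two minimums should be chosen explicitly; the update rule has no `:length` at all, so an update accepts passwords longer than 40 characters that create would reject, and `:length => {:within => 6..40},` belongs there too. Adding `:if => :password` to the create rule also means a nil password skips presence, confirmation and format entirely on create, which reintroduces the weakness the page is about unless something outside this hunk (such as a separate presence check) guarantees a password is set; keeping `:if => :password` only on the update rule avoids that.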