Merge branch 'master' of https://github.com/OWASP/railsgoat

2017-12-13 09:07:14 -05:00
parent edac6e8b1b 3851e87b25
commit d33d3fc738
31 changed files with 421 additions and 444 deletions
@@ -46,9 +46,9 @@ class AdminController < ApplicationController
  end

  def delete_user
-    user = User.find_by_user_id(params[:admin_id])
-    if user && !(current_user.user_id == user.user_id)
-      # Call destroy here so that all association records w/ user_id are destroyed as well
+    user = User.find_by(id: params[:admin_id])
+    if user && !(current_user.id == user.id)
+      # Call destroy here so that all association records w/ id are destroyed as well
      # Example user.retirement records would be destroyed
      user.destroy
      message = true
@@ -17,8 +17,8 @@ class ApplicationController < ActionController::Base

  def current_user
    @current_user ||= (
-      User.find_by_auth_token(cookies[:auth_token].to_s) ||
-      User.find_by_user_id(session[:user_id].to_s)
+      User.find_by(auth_token: cookies[:auth_token].to_s) ||
+      User.find_by(id: session[:user_id].to_s)
    )
  end

@@ -11,7 +11,7 @@ class BenefitFormsController < ApplicationController
     file = params[:type].constantize.new(path)
     send_file file, disposition: "attachment"
   rescue
-     redirect_to user_benefit_forms_path(user_id: current_user.user_id)
+     redirect_to user_benefit_forms_path(user_id: current_user.id)
   end
  end

@@ -23,7 +23,7 @@ class BenefitFormsController < ApplicationController
    else
      flash[:error] = "Something went wrong"
    end
-    redirect_to user_benefit_forms_path(user_id: current_user.user_id)
+    redirect_to user_benefit_forms_path(user_id: current_user.id)
  end

 end
@@ -16,7 +16,7 @@ class MessagesController < ApplicationController

    if message.destroy
      flash[:success] = "Your message has been deleted."
-      redirect_to user_messages_path(user_id: current_user.user_id)
+      redirect_to user_messages_path(user_id: current_user.id)
    else
      flash[:error] = "Could not delete message."
    end
@@ -25,7 +25,7 @@ class MessagesController < ApplicationController
  def create
    if Message.create(message_params)
      respond_to do |format|
-        format.html { redirect_to user_messages_path(user_id: current_user.user_id) }
+        format.html { redirect_to user_messages_path(user_id: current_user.id) }
        format.json { render json: {msg: "success"} }
      end
    else
@@ -50,10 +50,10 @@ class PasswordResetsController < ApplicationController
  end

  def is_valid?(token)
-    if token =~ /(?<user_id>\d+)-(?<email_hash>[A-Z0-9]{32})/i
+    if token =~ /(?<user>\d+)-(?<email_hash>[A-Z0-9]{32})/i

      # Fetch the user by their id, and hash their email address
-      @user = User.find_by_id($~[:user_id])
+      @user = User.find_by(id: $~[:user])
      email = Digest::MD5.hexdigest(@user.email)

      # Compare and validate our hashes
@@ -7,11 +7,12 @@ class PayController < ApplicationController
  def update_dd_info
    msg = false
    pay = Pay.new(
-    bank_account_num: params[:bank_account_num],
-    bank_routing_num: params[:bank_routing_num],
-    percent_of_deposit: params[:dd_percent]
+      bank_account_num: params[:bank_account_num],
+      bank_routing_num: params[:bank_routing_num],
+      percent_of_deposit: params[:dd_percent],
+      user_id: current_user.id
    )
-    pay.user_id = current_user.user_id
+
    msg = true if pay.save!
    respond_to do |format|
      format.json {render json: {msg: msg } }
@@ -7,7 +7,7 @@ class ScheduleController < ApplicationController
      if params[:schedule][:event_type] == "pto"
        sched = Schedule.new(schedule_params)
        sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1])
-        sched.user_id = current_user.user_id
+        sched.user_id = current_user.id
        a = sched.date_end
        if sched.save
          message = true
@@ -19,9 +19,9 @@ class SessionsController < ApplicationController

    if user
      if params[:remember_me]
-        cookies.permanent[:auth_token] = user.auth_token if User.where(user_id: user.user_id).exists?
+        cookies.permanent[:auth_token] = user.auth_token
      else
-        session[:user_id] = user.user_id if User.where(user_id: user.user_id).exists?
+        session[:user_id] = user.id
      end
      redirect_to path
    else
@@ -10,7 +10,7 @@ class UsersController < ApplicationController
  def create
    user = User.new(user_params)
    if user.save
-      session[:user_id] = user.user_id
+      session[:user_id] = user.id
      redirect_to home_dashboard_index_path
    else
      @user = user
@@ -26,22 +26,21 @@ class UsersController < ApplicationController
  def update
    message = false

-    user = User.where("user_id = '#{params[:user][:user_id]}'")[0]
+    user = User.where("id = '#{params[:user][:id]}'")[0]

    if user
-      user.skip_user_id_assign = true
      user.update_attributes(user_params_without_password)
      if params[:user][:password].present? && (params[:user][:password] == params[:user][:password_confirmation])
        user.password = params[:user][:password]
      end
      message = true if user.save!
      respond_to do |format|
-        format.html { redirect_to user_account_settings_path(user_id: current_user.user_id) }
+        format.html { redirect_to user_account_settings_path(user_id: current_user.id) }
        format.json { render json: {msg: message ? "success" : "false "} }
      end
    else
      flash[:error] = "Could not update user!"
-      redirect_to user_account_settings_path(user_id: current_user.user_id)
+      redirect_to user_account_settings_path(user_id: current_user.id)
    end
  end

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 class WorkInfoController < ApplicationController
  def index
-    @user = User.find_by_user_id(params[:user_id])
+    @user = User.find_by(id: params[:user_id])
    if !(@user) || @user.admin
      flash[:error] = "Sorry, no user with that user id exists"
      redirect_to home_dashboard_index_path
@@ -4,7 +4,7 @@ class Message < ApplicationRecord
  validates_presence_of :creator_id, :receiver_id, :message

  def creator_name
-    if creator = User.where(user_id: self.creator_id).first
+    if creator = User.where(id: self.creator_id).first
      creator.full_name
    else
      "Name unavailable"
@@ -11,16 +11,16 @@ class User < ApplicationRecord
  validates_presence_of :email
  validates_uniqueness_of :email
  validates_format_of :email, with: /.+@.+\..+/i
-  attr_accessor :skip_user_id_assign
-  before_save :assign_user_id, on: :create
+
+  has_one :retirement, dependent: :destroy
+  has_one :paid_time_off, dependent: :destroy
+  has_one :work_info, dependent: :destroy
+  has_many :performance, dependent: :destroy
+  has_many :pay, dependent: :destroy
+  has_many :messages, foreign_key: :receiver_id, dependent: :destroy
+
  before_save :hash_password
-  has_one :retirement, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  has_one :paid_time_off, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  has_one :work_info, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  has_many :performance, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  has_many :messages, foreign_key: :receiver_id, primary_key: :user_id, dependent: :destroy
-  has_many :pay, foreign_key: :user_id, primary_key: :user_id, dependent: :destroy
-  before_create { generate_token(:auth_token) }
+  after_create { generate_token(:auth_token) }
  before_create :build_benefits_data

  def build_benefits_data
@@ -36,11 +36,6 @@ class User < ApplicationRecord
    "#{self.first_name} #{self.last_name}"
  end

-#   # Instead of the entire user object being returned, we can use this to filter.
-#   def as_json
-#     super(only: [:user_id, :email, :first_name, :last_name])
-#   end
-
  private

  def self.authenticate(email, password)
@@ -55,26 +50,18 @@ class User < ApplicationRecord
    return auth
  end

-  def assign_user_id
-    unless @skip_user_id_assign.present? || self.user_id.present?
-      user = User.order("user_id").last
-      uid = if user && user.user_id && !(User.exists?(user_id: "#{user.user_id.to_i + 1}"))
-              user.user_id.to_i + 1
-            else
-              1
-            end
-      self.user_id = uid.to_s if uid
-    end
-  end
-
  def hash_password
-    if password.present? && password_changed?
-      self.password = Digest::MD5.hexdigest(password)
+    if will_save_change_to_password?
+      self.password = Digest::MD5.hexdigest(self.password)
    end
  end

  def generate_token(column)
-    self[column] = Encryption.encrypt_sensitive_value(self.user_id)
-    generate_token(column) if User.exists?(column => self[column])
+    loop do
+      self[column] = Encryption.encrypt_sensitive_value(self.id)
+      break unless User.exists?(column => self[column])
+    end
+
+    self.save!
  end
 end
@@ -62,7 +62,7 @@ $('#submit_button').click(function() {
  $("#editAcct").modal('hide');

  $.ajax({
-      url: "/admin/" +  <%= @user.user_id %> + "/update_user.json",
+      url: "/admin/" +  <%= @user.id %> + "/update_user.json",
    data: valuesToSubmit,
    type: "POST",
    success: function(response) {
@@ -14,7 +14,7 @@
        <span class="caret"></span>
        <ul class="dropdown-menu pull-right">
          <li>
-           <%= link_to "Account settings", user_account_settings_path(:user_id => current_user.user_id) %>
+           <%= link_to "Account settings", user_account_settings_path(user_id: current_user.id) %>
          </li>
          <li>
            <%= link_to "Logout", logout_path %>
@@ -32,7 +32,7 @@
            </li>
    	<% end %>
        <li id="benefit_forms">
-    <%= link_to user_benefit_forms_path(:user_id => current_user.user_id) do %>
+    <%= link_to user_benefit_forms_path(user_id: current_user.id) do %>
            <div class="icon">
              <span class="fs1" aria-hidden="true" data-icon="&#xe05c;"></span>
            </div>
@@ -40,7 +40,7 @@
          <% end %>
        </li>
        <li id="retirement">
-           <%= link_to user_retirement_index_path(:user_id => current_user.user_id) do %>
+           <%= link_to user_retirement_index_path(user_id: current_user.id) do %>
            <div class="icon">
              <span class="fs1" aria-hidden="true" data-icon="&#xe096;"></span>
            </div>
@@ -48,7 +48,7 @@
          <% end %>
        </li>
        <li id="pto">
-          <%= link_to user_paid_time_off_index_path(:user_id => current_user.user_id) do %>
+          <%= link_to user_paid_time_off_index_path(user_id: current_user.id) do %>
            <div class="icon">
              <span class="fs1" aria-hidden="true" data-icon="&#xe0d2;"></span>
            </div>
@@ -56,7 +56,7 @@
         <% end %>
        </li>
        <li id="employee_info">
-           <%= link_to user_work_info_index_path(:user_id => current_user.user_id) do %>
+           <%= link_to user_work_info_index_path(user_id: current_user.id) do %>
            <div class="icon">
              <span class="fs1" aria-hidden="true" data-icon="&#xe0a9;"></span>
            </div>
@@ -64,7 +64,7 @@
          <% end %>
        </li>
        <li id="performance">
-          <%= link_to user_performance_index_path(:user_id => current_user.user_id) do %>
+          <%= link_to user_performance_index_path(user_id: current_user.id) do %>
            <div class="icon">
              <span class="fs1" aria-hidden="true" data-icon="&#xe14a;"></span>
            </div>
@@ -72,7 +72,7 @@
          <% end %>
        </li>
        <li id="messages">
-          <%= link_to user_messages_path(:user_id => current_user.user_id) do %>
+          <%= link_to user_messages_path(user_id: current_user.id) do %>
            <div class="icon">
              <span class="fs1" aria-hidden="true" data-icon="&#xe040;"></span>
            </div>
@@ -80,7 +80,7 @@
          <% end %>
        </li>
    <li id="pay">
-      <%= link_to user_pay_index_path(:user_id => current_user.user_id) do %>
+      <%= link_to user_pay_index_path(user_id: current_user.id) do %>
            <div class="icon">
              <span class="fs1" aria-hidden="true" data-icon="&#xe038;"></span>
            </div>
@@ -139,4 +139,4 @@
  });

  </script>
-<% end %>
+<% end %>
@@ -111,7 +111,7 @@ $("#submit_button").click(function(event) {
    var valuesToSubmit = $("#send_message").serialize();
    event.preventDefault();
    $.ajax({
-      url: <%= "/users/#{current_user.user_id}/messages.json".inspect.html_safe %>,
+      url: <%= "/users/#{current_user.id}/messages.json".inspect.html_safe %>,
    data: valuesToSubmit,
    type: "POST",
    success: function(response) {
@@ -135,4 +135,4 @@ $(document).ready(function () {
  makeActive()
 });

-</script>
+</script>
@@ -186,7 +186,7 @@ function parseDirectDepostInfo(response){
 function populateTable() {
  $('#data_table').dataTable().fnClearTable();
  $.ajax({
-      url: <%= sanitize(user_pay_path(:format => "json", :user_id => current_user.user_id, :id => current_user.user_id).inspect) %>,
+      url: <%= sanitize(user_pay_path(:format => "json", user_id: current_user.id, id: current_user.id).inspect) %>,
    type: "GET",
    success: function(response) {
    parseDirectDepostInfo(response);
@@ -237,7 +237,7 @@ $("#decrypt_btn").click(function(event){
  var valuesToSubmit = $("#decrypt_form").serialize();
  event.preventDefault();
  $.ajax({
-      url: <%= sanitize(decrypted_bank_acct_num_user_pay_index_path(:format => "json", :user_id => current_user.user_id).inspect) %>,
+      url: <%= sanitize(decrypted_bank_acct_num_user_pay_index_path(:format => "json", user_id: current_user.id).inspect) %>,
    data: valuesToSubmit,
    type: "POST",
    success: function(response) {
@@ -298,4 +298,4 @@ $(document).ready(
   populateTable()
 )

-</script>
+</script>
@@ -30,7 +30,7 @@
          </div>

          <div class="content">
-            <%= hidden_field_tag :url, @url%>
+            <%= hidden_field_tag :url, @url %>
            <%= text_field_tag :email, params[:email], {:class => "input input-block-level", :placeholder=>"Email"} %>
            <%= password_field_tag :password, nil, {:class => "input input-block-level", :placeholder=>"Password"}%>
          </div>
@@ -37,7 +37,7 @@
            </div>
            <div class="widget-body">
           <%= form_for @user, :html => {:id => "account_edit"} do |f|%>
-               <%= f.hidden_field :user_id%>
+               <%= f.hidden_field :id %>
          <div class="control-group">
                  <%= f.label :email, nil, {:class => "control-label"}%>
            <%= f.text_field :email, {:class => "span12"}%>
@@ -84,7 +84,7 @@ $("#submit_button").click(function(event) {
    var valuesToSubmit = $("#account_edit").serialize();
    event.preventDefault();
    $.ajax({
-      url: <%= "/users/#{current_user.user_id}.json".inspect.html_safe %>,
+      url: <%= "/users/#{current_user.id}.json".inspect.html_safe %>,
    data: valuesToSubmit,
    type: "POST",
    success: function(response) {
@@ -12,31 +12,17 @@ Railsgoat::Application.routes.draw do

  get "dashboard/doc" => "dashboard#doc"

-  resources :sessions do
-  end
+  resources :sessions

  resources :users do
    get "account_settings"

-    resources :retirement do
-    end
-
-    resources :paid_time_off do
-    end
-
-    resources :work_info do
-    end
-
-    resources :performance do
-
-    end
-
-    resources :benefit_forms do
-
-    end
-
-    resources :messages do
-    end
+    resources :retirement
+    resources :paid_time_off
+    resources :work_info
+    resources :performance
+    resources :benefit_forms
+    resources :messages

    resources :pay do
      collection do
@@ -60,7 +46,6 @@ Railsgoat::Application.routes.draw do
    collection do
      get "get_pto_schedule"
    end
-
  end

  resources :admin do
@@ -81,12 +66,10 @@ Railsgoat::Application.routes.draw do

  namespace :api, defaults: {format: "json"} do
    namespace :v1 do
-        resources :users
-        resources :mobile
+      resources :users
+      resources :mobile
    end
  end

-
  root to: "sessions#new"
-
 end
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+class RemoveUsersUserId < ActiveRecord::Migration[5.1]
+  def change
+    remove_column :users, :user_id, :integer
+  end
+end
@@ -11,12 +11,12 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20140408185601) do
+ActiveRecord::Schema.define(version: 20171007010129) do

  create_table "analytics", force: :cascade do |t|
-    t.string   "ip_address"
-    t.string   "referrer"
-    t.string   "user_agent"
+    t.string "ip_address"
+    t.string "referrer"
+    t.string "user_agent"
    t.datetime "created_at"
    t.datetime "updated_at"
  end
@@ -27,92 +27,91 @@ ActiveRecord::Schema.define(version: 20140408185601) do
  end

  create_table "key_managements", force: :cascade do |t|
-    t.string   "iv"
-    t.integer  "user_id"
+    t.string "iv"
+    t.integer "user_id"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

  create_table "messages", force: :cascade do |t|
-    t.integer  "creator_id"
-    t.integer  "receiver_id"
-    t.text     "message"
-    t.boolean  "read"
+    t.integer "creator_id"
+    t.integer "receiver_id"
+    t.text "message"
+    t.boolean "read"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

  create_table "paid_time_offs", force: :cascade do |t|
-    t.integer  "user_id"
-    t.integer  "sick_days_taken"
-    t.integer  "sick_days_earned"
-    t.integer  "pto_taken"
-    t.integer  "pto_earned"
+    t.integer "user_id"
+    t.integer "sick_days_taken"
+    t.integer "sick_days_earned"
+    t.integer "pto_taken"
+    t.integer "pto_earned"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

  create_table "pays", force: :cascade do |t|
-    t.integer  "user_id"
-    t.string   "bank_account_num"
-    t.string   "bank_routing_num"
-    t.integer  "percent_of_deposit"
+    t.integer "user_id"
+    t.string "bank_account_num"
+    t.string "bank_routing_num"
+    t.integer "percent_of_deposit"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

  create_table "performances", force: :cascade do |t|
-    t.integer  "user_id"
-    t.date     "date_submitted"
-    t.integer  "score"
-    t.string   "comments"
-    t.integer  "reviewer"
+    t.integer "user_id"
+    t.date "date_submitted"
+    t.integer "score"
+    t.string "comments"
+    t.integer "reviewer"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

  create_table "retirements", force: :cascade do |t|
-    t.string   "total"
-    t.string   "employee_contrib"
-    t.string   "employer_contrib"
-    t.integer  "user_id"
+    t.string "total"
+    t.string "employee_contrib"
+    t.string "employer_contrib"
+    t.integer "user_id"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

  create_table "schedules", force: :cascade do |t|
-    t.string   "event_type"
-    t.date     "date_begin"
-    t.date     "date_end"
-    t.string   "event_name"
-    t.string   "event_desc"
-    t.integer  "user_id"
+    t.string "event_type"
+    t.date "date_begin"
+    t.date "date_end"
+    t.string "event_name"
+    t.string "event_desc"
+    t.integer "user_id"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

  create_table "users", force: :cascade do |t|
-    t.string   "email"
-    t.string   "password"
-    t.boolean  "admin"
-    t.string   "first_name"
-    t.string   "last_name"
-    t.integer  "user_id"
+    t.string "email"
+    t.string "password"
+    t.boolean "admin"
+    t.string "first_name"
+    t.string "last_name"
    t.datetime "created_at"
    t.datetime "updated_at"
-    t.string   "auth_token"
+    t.string "auth_token"
  end

  create_table "work_infos", force: :cascade do |t|
-    t.integer  "user_id"
-    t.string   "income"
-    t.string   "bonuses"
-    t.integer  "years_worked"
-    t.string   "SSN"
-    t.date     "DoB"
+    t.integer "user_id"
+    t.string "income"
+    t.string "bonuses"
+    t.integer "years_worked"
+    t.string "SSN"
+    t.date "DoB"
    t.datetime "created_at"
    t.datetime "updated_at"
-    t.binary   "encrypted_ssn"
+    t.binary "encrypted_ssn"
  end

 end
@@ -4,314 +4,308 @@
 #

 users = [
-     {
-       email: "admin@metacorp.com",
-       admin: true,
-       password: "admin1234",
-       password_confirmation: "admin1234",
-       first_name: "Admin",
-       last_name: "",
-       user_id: 1
-      },
-     {
-       email: "jmmastey@metacorp.com",
-       admin: false,
-       password: "railsgoat!",
-       password_confirmation: "railsgoat!",
-       first_name: "Joseph",
-       last_name: "Mastey",
-       user_id: 2
-     },
-     {
-       email: "jim@metacorp.com",
-       admin: false,
-       password: "alohaowasp",
-       password_confirmation: "alohaowasp",
-       first_name: "Jim",
-       last_name: "Manico",
-       user_id: 3
-     },
-     {
-       email: "mike@metacorp.com",
-       admin: false,
-       password: "motocross1445",
-       password_confirmation: "motocross1445",
-       first_name: "Mike",
-       last_name: "McCabe",
-       user_id: 4
-      },
-     {
-       email: "ken@metacorp.com",
-       admin: false,
-       password: "citrusblend",
-       password_confirmation: "citrusblend",
-       first_name: "Ken",
-       last_name: "Johnson",
-       user_id: 5
-     },
-     {
-       email: "admin2@metacorp.com",
-       admin: false,
-       password: "adminadmin",
-       password_confirmation: "adminadmin",
-       first_name: "Admin2",
-       last_name: "",
-       user_id: 6
-      }
+  {
+    email: "admin@metacorp.com",
+    admin: true,
+    password: "admin1234",
+    password_confirmation: "admin1234",
+    first_name: "Admin",
+    last_name: "",
+  },
+
+  {
+    email: "jmmastey@metacorp.com",
+    admin: false,
+    password: "railsgoat!",
+    password_confirmation: "railsgoat!",
+    first_name: "Joseph",
+    last_name: "Mastey",
+  },
+
+  {
+    email: "jack@metacorp.com",
+    admin: false,
+    password: "yankeessuck",
+    password_confirmation: "yankeessuck",
+    first_name: "Jack",
+    last_name: "Mannino",
+  },
+
+  {
+    email: "jim@metacorp.com",
+    admin: false,
+    password: "alohaowasp",
+    password_confirmation: "alohaowasp",
+    first_name: "Jim",
+    last_name: "Manico",
+  },
+
+  {
+    email: "mike@metacorp.com",
+    admin: false,
+    password: "motocross1445",
+    password_confirmation: "motocross1445",
+    first_name: "Mike",
+    last_name: "McCabe",
+  },
+
+  {
+    email: "ken@metacorp.com",
+    admin: false,
+    password: "citrusblend",
+    password_confirmation: "citrusblend",
+    first_name: "Ken",
+    last_name: "Johnson",
+  },
+
+  {
+    email: "admin2@metacorp.com",
+    admin: false,
+    password: "adminadmin",
+    password_confirmation: "adminadmin",
+    first_name: "Admin2",
+    last_name: "",
+  }
 ]

 retirements = [
-      {
-        user_id: 2,
-        employee_contrib: "1000",
-        employer_contrib: "2000",
-        total: "4500"
-      },
-      {
-        user_id: 3,
-        employee_contrib: "8000",
-        employer_contrib: "16000",
-        total: "30000"
-      },
-      {
-        user_id: 4,
-        employee_contrib: "10000",
-        employer_contrib: "20000",
-        total: "40000"
-      },
-      {
-        user_id: 5,
-        employee_contrib: "3000",
-        employer_contrib: "6000",
-        total: "12500"
-      }
-
+  {
+    user: "jack@metacorp.com",
+    employee_contrib: "1000",
+    employer_contrib: "2000",
+    total: "4500"
+  },
+  {
+    user: "jim@metacorp.com",
+    employee_contrib: "8000",
+    employer_contrib: "16000",
+    total: "30000"
+  },
+  {
+    user: "mike@metacorp.com",
+    employee_contrib: "10000",
+    employer_contrib: "20000",
+    total: "40000"
+  },
+  {
+    user: "ken@metacorp.com",
+    employee_contrib: "3000",
+    employer_contrib: "6000",
+    total: "12500"
+  }
 ]

 paid_time_off = [
-      {
-        user_id: 2,
-        sick_days_taken: 2,
-        sick_days_earned: 5,
-        pto_taken: 5,
-        pto_earned: 30
-      },
-      {
-        user_id: 3,
-        sick_days_taken: 3,
-        sick_days_earned: 6,
-        pto_taken: 3,
-        pto_earned: 20
-      },
-      {
-        user_id: 4,
-        sick_days_taken: 2,
-        sick_days_earned: 5,
-        pto_taken: 5,
-        pto_earned: 30
-      },
-      {
-        user_id: 5,
-        sick_days_taken: 1,
-        sick_days_earned: 5,
-        pto_taken: 10,
-        pto_earned: 30
-      }
+  {
+    user: "jack@metacorp.com",
+    sick_days_taken: 2,
+    sick_days_earned: 5,
+    pto_taken: 5,
+    pto_earned: 30
+  },
+  {
+    user: "jim@metacorp.com",
+    sick_days_taken: 3,
+    sick_days_earned: 6,
+    pto_taken: 3,
+    pto_earned: 20
+  },
+  {
+    user: "mike@metacorp.com",
+    sick_days_taken: 2,
+    sick_days_earned: 5,
+    pto_taken: 5,
+    pto_earned: 30
+  },
+  {
+    user: "ken@metacorp.com",
+    sick_days_taken: 1,
+    sick_days_earned: 5,
+    pto_taken: 10,
+    pto_earned: 30
+  }
+]

-  ]
+schedule = [
+  {
+    user: "jack@metacorp.com",
+    date_begin: Date.new(2014, 7, 30),
+    date_end: Date.new(2014, 8, 2),
+    event_type: "pto",
+    event_desc: "vacation to france",
+    event_name: "My 2014 Vacation"
+  },
+  {
+    user: "jim@metacorp.com",
+    date_begin: Date.new(2013, 9, 1),
+    date_end: Date.new(2013, 9, 12),
+    event_type: "pto",
+    event_desc: "Going Home to see folks",
+    event_name: "Visit Parents"
+  },
+  {
+    user: "mike@metacorp.com",
+    date_begin: Date.new(2013, 9, 13),
+    date_end: Date.new(2013, 9, 20),
+    event_type: "pto",
+    event_desc: "Taking kids to Grand Canyon",
+    event_name: "AZ Trip"
+  },
+  {
+    user: "ken@metacorp.com",
+    date_begin: Date.new(2013, 12, 20),
+    date_end: Date.new(2013, 12, 30),
+    event_type: "pto",
+    event_desc: "Xmas Staycation",
+    event_name: "Christmas Leave"
+  }
+]

-  schedule = [
-        {
-          user_id: 2,
-          date_begin: Date.new(2014, 7, 30),
-          date_end: Date.new(2014, 8, 2),
-          event_type: "pto",
-          event_desc: "vacation to france",
-          event_name: "My 2014 Vacation"
+work_info = [
+  {
+    user: "jack@metacorp.com",
+    income: "$50,000",
+    bonuses: "$10,000",
+    years_worked: 2,
+    SSN: "555-55-5555",
+    DoB: "01-01-1980"
+  },
+  {
+    user: "jim@metacorp.com",
+    income: "$40,000",
+    bonuses: "$10,000",
+    years_worked: 1,
+    SSN: "333-33-3333",
+    DoB: "01-01-1979"
+  },
+  {
+    user: "mike@metacorp.com",
+    income: "$60,000",
+    bonuses: "$12,000",
+    years_worked: 3,
+    SSN: "444-44-4444",
+    DoB: "01-01-1981"
+  },
+  {
+    user: "ken@metacorp.com",
+    income: "$30,000",
+    bonuses: "7,000",
+    years_worked: 1,
+    SSN: "222-22-2222",
+    DoB: "01-01-1982"
+  }
+]

-        },
-        {
-          user_id: 3,
-          date_begin: Date.new(2013, 9, 1),
-          date_end: Date.new(2013, 9, 12),
-          event_type: "pto",
-          event_desc: "Going Home to see folks",
-          event_name: "Visit Parents"
-
-        },
-        {
-          user_id: 4,
-          date_begin: Date.new(2013, 9, 13),
-          date_end: Date.new(2013, 9, 20),
-          event_type: "pto",
-          event_desc: "Taking kids to Grand Canyon",
-          event_name: "AZ Trip"
-
-        },
-        {
-          user_id: 5,
-          date_begin: Date.new(2013, 12, 20),
-          date_end: Date.new(2013, 12, 30),
-          event_type: "pto",
-          event_desc: "Xmas Staycation",
-          event_name: "Christmas Leave"
-        }
-
-    ]
-
-  work_info = [
-    {
-      user_id: 2,
-      income: "$50,000",
-      bonuses: "$10,000",
-      years_worked: 2,
-      SSN: "555-55-5555",
-      DoB: "01-01-1980"
-    },
-    {
-      user_id: 3,
-      income: "$40,000",
-      bonuses: "$10,000",
-      years_worked: 1,
-      SSN: "333-33-3333",
-      DoB: "01-01-1979"
-    },
-    {
-      user_id: 4,
-      income: "$60,000",
-      bonuses: "$12,000",
-      years_worked: 3,
-      SSN: "444-44-4444",
-      DoB: "01-01-1981"
-    },
-    {
-      user_id: 5,
-      income: "$30,000",
-      bonuses: "7,000",
-      years_worked: 1,
-      SSN: "222-22-2222",
-      DoB: "01-01-1982"
-    }
-  ]
-
-  performance = [
-    {
-      user_id: 2,
-      reviewer: 1,
-      comments: "Great job! You are my hero",
-      date_submitted: Date.new(2012, 01, 01),
-      score: 5
-    },
-    {
-    user_id: 2,
+performance = [
+  {
+    user: "jack@metacorp.com",
+    reviewer: 1,
+    comments: "Great job! You are my hero",
+    date_submitted: Date.new(2012, 01, 01),
+    score: 5
+  },
+  {
+    user: "jack@metacorp.com",
    reviewer: 1,
    comments: "Once again, you've done a great job this year. We greatly appreciate your hard work.",
    date_submitted: Date.new(2013, 01, 01),
    score: 5
-    },
-    {
-      user_id: 3,
-      reviewer: 1,
-      comments: "Great worker, great attitude for this newcomer!",
-      date_submitted: Date.new(2013, 01, 01),
-      score: 5
-    },
-    {
-      user_id: 4,
-      reviewer: 1,
-      comments: "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.",
-      date_submitted: Date.new(2011, 01, 01),
-      score: 4
-    },
-    {
-      user_id: 4,
-      reviewer: 1,
-      comments: "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.",
-      date_submitted: Date.new(2012, 01, 01),
-      score: 5
-    },
-    {
-      user_id: 4,
-      reviewer: 1,
-      comments: "Right out of the gate, Mike has made incredible moves as a newly appointed leader. His only improvement would be more cowbell. Not enough of it.",
-      date_submitted: Date.new(2013, 01, 01),
-      score: 4
-    },
-    {
-       user_id: 5,
-       reviewer: 1,
-       comments: "Ehh, you are okay, we will let you stay..... barely",
-       date_submitted: Date.new(2013, 01, 01),
-       score: 2
-     }
-  ]
+  },
+  {
+    user: "jim@metacorp.com",
+    reviewer: 1,
+    comments: "Great worker, great attitude for this newcomer!",
+    date_submitted: Date.new(2013, 01, 01),
+    score: 5
+  },
+  {
+    user: "mike@metacorp.com",
+    reviewer: 1,
+    comments: "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.",
+    date_submitted: Date.new(2011, 01, 01),
+    score: 4
+  },
+  {
+    user: "mike@metacorp.com",
+    reviewer: 1,
+    comments: "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.",
+    date_submitted: Date.new(2012, 01, 01),
+    score: 5
+  },
+  {
+    user: "mike@metacorp.com",
+    reviewer: 1,
+    comments: "Right out of the gate, Mike has made incredible moves as a newly appointed leader. His only improvement would be more cowbell. Not enough of it.",
+    date_submitted: Date.new(2013, 01, 01),
+    score: 4
+  },
+  {
+    user: "ken@metacorp.com",
+    reviewer: 1,
+    comments: "Ehh, you are okay, we will let you stay..... barely",
+    date_submitted: Date.new(2013, 01, 01),
+    score: 2
+  }
+]

-    messages = [
-    {
-      receiver_id: 2,
-      creator_id: 5,
-      message: "Your benefits have been updated.",
-      read: false
-    },
-    {
-      receiver_id: 3,
-      creator_id: 4,
-      message: "Please update your profile.",
-      read: false
-    },
-    {
-      receiver_id: 4,
-      creator_id: 3,
-      message: "Welcome to Railsgoat.",
-      read: false
-    },
-    {
-      receiver_id: 5,
-      creator_id: 2,
-      message: "Hello friend.",
-      read: false
-    }
-  ]
+messages = [
+  {
+    creator: "ken@metacorp.com",
+    receiver: "jack@metacorp.com",
+    message: "Your benefits have been updated.",
+    read: false
+  },
+  {
+    creator: "mike@metacorp.com",
+    receiver: "jim@metacorp.com",
+    message: "Please update your profile.",
+    read: false
+  },
+  {
+    creator: "jim@metacorp.com",
+    receiver: "mike@metacorp.com",
+    message: "Welcome to Railsgoat.",
+    read: false
+  },
+  {
+    creator: "jack@metacorp.com",
+    receiver: "ken@metacorp.com",
+    message: "Hello friend.",
+    read: false
+  }
+]

-
-users.each do |user_info|
-  user = User.new(user_info.reject { |k| k == :user_id })
-  user.user_id = user_info[:user_id]
-  user.save!
+user_map = users.each_with_object({}) do |user_info, h|
+  h[user_info[:email]] = User.create!(user_info).id
 end

 retirements.each do |r|
- ret = Retirement.new(r.reject { |k| k == :user_id})
- ret.user_id = r[:user_id]
- ret.save!
+  r[:user_id] = user_map.fetch(r.delete(:user))
+  Retirement.create!(r)
 end

 paid_time_off.each do |pto|
-  ptoff = PaidTimeOff.new(pto.reject { |k| k == :user_id})
-  ptoff.user_id = pto[:user_id]
-  ptoff.save!
+  pto[:user_id] = user_map.fetch(pto.delete(:user))
+  PaidTimeOff.create!(pto)
 end

 schedule.each do |event|
-  sched = Schedule.new(event.reject { |k| k == :user_id})
-  sched.user_id = event[:user_id]
-  sched.save!
+  event[:user_id] = user_map.fetch(event.delete(:user))
+  Schedule.create!(event)
 end

 performance.each do |perf|
-  p = Performance.new(perf.reject { |k| k == :user_id})
-  p.user_id = perf[:user_id]
-  p.save!
+  perf[:user_id] = user_map.fetch(perf.delete(:user))
+  Performance.create!(perf)
 end

 messages.each do |message|
-  m = Message.new(message.reject { |k| k == :creator_id})
-  m.creator_id = message[:creator_id]
-  m.save!
+  message[:creator_id] = user_map.fetch(message.delete(:creator))
+  message[:receiver_id] = user_map.fetch(message.delete(:receiver))
+  Message.create!(message)
 end

 work_info.each do |wi|
-  info = WorkInfo.new(wi.reject { |k| k == :user_id })
-  info.user_id = wi[:user_id]
-  info.save!
+  wi[:user_id] = user_map.fetch(wi.delete(:user))
+  WorkInfo.create!(wi)
 end
@@ -7,12 +7,15 @@ class UserFixture

  def self.normal_user
    password = "thi$ 1s cOmplExEr"
-    user = User.new(first_name: "Joe", last_name: "Schmoe",
-                    email: "joe@schmoe.com", password: password, password_confirmation: password)
-    def user.clear_password
-      "thi$ 1s cOmplExEr"
+    User.create!(first_name: "Joe", last_name: "Schmoe", email: "joe@schmoe.com",
+                 password: password, password_confirmation: password).tap do |user|
+      def user.clear_password
+        "thi$ 1s cOmplExEr"
+      end
    end
-    user.save!
-    user
+  end
+
+  def self.admin_user
+    User.where(admin: true).first
  end
 end
@@ -14,7 +14,7 @@ feature "command injection" do
    legit_file = File.join(Rails.root, "public", "data", "legit.txt")
    File.open(legit_file, "w") { |f| f.puts "totes legit" }

-    visit "/users/#{@normal_user.user_id}/benefit_forms"
+    visit "/users/#{@normal_user.id}/benefit_forms"
    Dir.mktmpdir do |dir|
      hackety_file = File.join(dir, "test; cd public && cd data && rm -f * ;")
      File.open(hackety_file, "w") { |f| f.print "mwahaha" }
@@ -10,7 +10,7 @@ feature "insecure direct object reference" do
  scenario "attack one" do
    login(@normal_user)

-    visit "/users/#{@normal_user.user_id}/benefit_forms"
+    visit "/users/#{@normal_user.id}/benefit_forms"
    download_url = first(".widget-body a")[:href]
    visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")

@@ -23,11 +23,12 @@ feature "insecure direct object reference" do

  scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
    login(@normal_user)
+    expect(@normal_user.id).not_to eq(2)
+    another_user = User.find(2)

-    expect(@normal_user.user_id).not_to eq(2)
-    visit "/users/2/work_info"
+    visit "/users/#{another_user.id}/work_info"

    pending if verifying_fixed?
-    expect(first("td").text).to eq("Joseph Mastey")
+    expect(first("td").text).to eq(another_user.full_name)
  end
 end
@@ -12,11 +12,11 @@ feature "mass assignment" do

    login(@normal_user)

-    params = {user: {admin: "t",
-                        user_id: @normal_user.user_id,
+    params = { user:  { admin: "t",
+                        id: @normal_user.id,
                        password: @normal_user.clear_password,
                        password_confirmation: @normal_user.clear_password}}
-    page.driver.put "/users/#{@normal_user.user_id}.json", params
+    page.driver.put "/users/#{@normal_user.id}.json", params

    pending if verifying_fixed?
    expect(@normal_user.reload.admin).to be_truthy
@@ -13,7 +13,7 @@ feature "sensitive data exposure" do
  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Cleartext-Storage-SSNs" do
    login @normal_user

-    visit "/users/#{@normal_user.user_id}/work_info"
+    visit "/users/#{@normal_user.id}/work_info"
    pending if verifying_fixed?
    expect(page.source).to include "999-99-9999"
  end
@@ -4,8 +4,9 @@ require "spec_helper"
 feature "sql injection" do
  before(:each) do
    UserFixture.reset_all_users
+
    @normal_user = UserFixture.normal_user
-    @admin_user = User.where("admin='t'").first
+    @admin_user = UserFixture.admin_user
  end

  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
@@ -13,14 +14,15 @@ feature "sql injection" do

    login(@normal_user)

-    visit "/users/#{@normal_user.user_id}/account_settings"
+    visit "/users/#{@normal_user.id}/account_settings"
+
    within("#account_edit") do
      fill_in "Email", with: "joe.admin@schmoe.com"
      fill_in "user_password", with: "H4cketyhack"
      fill_in "user_password_confirmation", with: "H4cketyhack"

      # this is a hidden field, so cannot use fill_in to access it.
-      find(:xpath, "//input[@id='user_user_id']", visible: false).set "8' OR admin='t') --"
+      find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR admin='t') --"
    end
    click_on "Submit"

@@ -9,6 +9,7 @@ feature "unvalidated redirect" do

  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", js: true do
    visit "/?url=http://example.com/do/evil/things"
+
    within(".signup") do
      fill_in "email", with: @normal_user.email
      fill_in "password", with: @normal_user.clear_password
@@ -16,6 +17,7 @@ feature "unvalidated redirect" do
    within(".actions") do
      click_on "Login"
    end
+
    pending if verifying_fixed?
    expect(current_url).to eq("http://example.com/do/evil/things")
  end
@@ -10,7 +10,7 @@ feature "xss" do
  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", js: true do
    login @normal_user

-    visit "/users/#{@normal_user.user_id}/account_settings"
+    visit "/users/#{@normal_user.id}/account_settings"
    within("#account_edit") do
      fill_in "First name", with: "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"

@@ -22,7 +22,7 @@ feature "xss" do

    sleep(1)

-    visit "/users/#{@normal_user.user_id}/account_settings"
+    visit "/users/#{@normal_user.id}/account_settings"

    pending if verifying_fixed?
    expect(find("#submit_button").value).to eq("RailsGoat h4x0r3d")