team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

change to the user model based on a merge with master. Master is the correct code

Browse Source
This commit is contained in:
cktricky
2013-10-11 12:04:19 -04:00
parent ef8a9c1a46 2ff4dc1aee
commit e2c4fb4bd8
26 changed files with 348 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/controllers/users_controller.rb
+27 -18
View File
@@ -1,12 +1,12 @@
class UsersController < ApplicationController
skip_before_filter :has_info
skip_before_filter :authenticated, :only => [:new, :create]
def new
@user = User.new
end
def create
user = User.new(params[:user])
user.build_benefits_data
@@ -15,32 +15,41 @@ class UsersController < ApplicationController
redirect_to home_dashboard_index_path
else
@user = user
render :new
flash[:error] = user.errors.full_messages.to_sentence
redirect_to :sign_up
end
end
def account_settings
@user = current_user
end
def update
message = false
#Safest
# user = current_user
# Still an Insecure DoR vulnerability
#user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])
user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
user.skip_user_id_assign = true
user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
pass = params[:user][:password]
user.password = pass if !(pass.blank?)
message = true if user.save!
respond_to do |format|
format.html { redirect_to user_account_settings_path(:user_id => current_user.user_id) }
format.json { render :json => {:msg => message ? "success" : "false "} }
if user
user.skip_user_id_assign = true
user.skip_hash_password = true
user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
user.skip_hash_password = false
user.password = params[:user][:password]
end
message = true if user.save!
respond_to do |format|
format.html { redirect_to user_account_settings_path(:user_id => current_user.user_id) }
format.json { render :json => {:msg => message ? "success" : "false "} }
end
else
flash[:error] = "Could not update user!"
redirect_to user_account_settings_path(:user_id => current_user.user_id)
end
end
end
end
app/models/user.rb
+10 -6
View File
@@ -1,15 +1,16 @@
class User < ActiveRecord::Base
attr_accessible :email, :password, :admin, :password_confirmation, :first_name, :last_name
validates_confirmation_of :password, :password_confirmation, :on => :create
attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
validates :password, :presence => true,
:confirmation => true,
:length => {:within => 6..40},
:on => :create#,
:on => :create,
:if => :password#,
#:format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
validates_presence_of :email
validates_uniqueness_of :email
validates_format_of :email, :with => /.+@.+\..+/i
attr_accessor :skip_user_id_assign
attr_accessor :skip_hash_password
before_save :assign_user_id, :on => :create
before_save :hash_password
has_one :retirement, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
@@ -18,6 +19,7 @@ class User < ActiveRecord::Base
has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
def build_benefits_data
build_retirement(POPULATE_RETIREMENTS.shuffle.first)
build_paid_time_off(POPULATE_PAID_TIME_OFF.shuffle.first).schedule.build(POPULATE_SCHEDULE.shuffle.first)
@@ -41,7 +43,7 @@ class User < ActiveRecord::Base
raise "Incorrect Password!"
end
return auth
end
end
=begin
# More secure version, still lacking a decent hashing routine, this is for timing attack prevention
@@ -66,8 +68,10 @@ class User < ActiveRecord::Base
end
def hash_password
if self.password.present?
self.password = Digest::MD5.hexdigest(password)
unless @skip_hash_password == true
if password.present?
self.password = Digest::MD5.hexdigest(password)
end
end
end