Added a redirect handler for users who try to access /upload via GET
request instead of using the form POST. This prevents errors and guides
users to the proper upload form.
Changes:
- Added GET route for /upload that redirects to benefit forms page
- Added redirect_to_benefit_forms action in controller
- Shows info flash message directing users to the upload form
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed flash message handling to ensure success and error messages
are visible to users after file upload attempts.
Changes:
- Use flash.now for validation errors (no file, wrong type, too large)
so messages display immediately without redirect
- Re-render index page on validation errors instead of redirecting
- Keep regular flash for success messages to persist through redirect
- Refactored file listing into load_uploaded_files helper method
Before: Flash messages were set but not displaying after redirect
After: Users see clear feedback for all upload outcomes
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Enhanced the benefit forms file upload functionality to provide better
user feedback and visibility of uploaded files.
Changes:
1. Added file type validation in controller:
- Only accepts PDF, DOC, DOCX, JPG, PNG formats
- Shows clear error message with the rejected file extension
2. Added file size validation:
- Maximum 10MB file size limit
- Shows file size in error message if exceeded
3. Improved success/error messages:
- Shows specific filename on successful upload
- Shows detailed error messages for validation failures
4. Added uploaded files display section:
- Lists all uploaded files with icons based on file type
- Shows file size and upload timestamp
- Provides download button for each file
- Only displays when files exist
Before: Users received generic "Something went wrong" message with no
indication of why uploads failed. No way to see uploaded files.
After: Clear validation feedback tells users exactly what went wrong
(wrong format, too large, etc.) and uploaded files are visible with
download links.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit improves the admin user management interface while preserving
the intentional mass assignment vulnerability for educational purposes.
Changes:
1. Removed layout false from admin controller to enable full styling
2. Modernized admin users table view with Bootstrap components:
- Added page header with icon and description
- Wrapped table in card component for better visual hierarchy
- Updated admin indicator to use Bootstrap icons
- Modernized Edit button styling
3. Fixed admin update_user action form submission error:
- Previous code caused ForbiddenAttributesError in Rails
- Used to_unsafe_h to explicitly bypass strong parameters
- VULNERABILITY PRESERVED: This intentionally allows mass assignment
- See wiki: Extras:-Mass-Assignment-Admin-Role.md
- Fixed password field filtering to handle blank passwords correctly
The mass assignment vulnerability is maintained as a teaching example per
the OWASP RailsGoat mission. Students can learn about privilege escalation
attacks through the admin parameter.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove complex modal implementation and replace with simple page navigation:
- Convert get_user view from modal partial to full edit page
- Add proper form with Bootstrap 5 styling
- Link directly from users list to edit page
- Update controller actions to redirect instead of returning JSON
- Add flash messages for success/error feedback
- Remove all modal JavaScript and markup
- Remove modal CSS and backdrop handling
Benefits:
- Much simpler and more maintainable
- No JavaScript errors or complexity
- Standard Rails CRUD pattern
- Better user experience with proper navigation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Removed complex modal implementation and replaced with simple
link to dedicated credentials page to eliminate all modal issues.
Changes:
- Add credentials action to TutorialsController
- Remove layout false restriction for credentials
- Replace button with simple link_to for Demo Credentials
- Remove entire modal HTML structure
- Remove all JavaScript for modal initialization
- Remove fetch/AJAX complexity
The credentials view already existed but was modal-only. Now it's
a proper page that users can navigate to directly. Much simpler!
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Awesome @jmmastey. I think we went with a match route, later changed it as match was *sorta-ish* deprecated in Rails 4+. Anyways, believe those changes might have caused some issues.
Either way, verified everything worked locally and performed PR. Thanks again!
no functional change here, but familiar Rails users will see view files in the
locations they expect. this also slightly simplifies controller code
there is one attendant change in the wiki at `rails_3/A1-SQL-Injection-Interpolation.md`
that I'm happy to make after the PR is merged.
currently this is flagged manually in one place, but there's no reason not to
let the user model handle it. this way, you can update your user model from a
console or some other area without accidentally changing your password.
Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.
I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin
Ken Johnson