CHANGELOG
Internal Changes to code
As always, this is just a copy-and-pasted version of the CHANGELOG file in the source code tree.
Changes for the May, 2008 version of restful-authentication
Changes to user model
- recently_activated? is defined only in the stateful variant
- Gave migration a 40-char limit on remember_token & an index on users by login
- Much stricter login and email validation
- put length constraints in migration too
- password length must be in 6..40
- salt and remember_token are now much less predictable
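The user-model items above (stricter login/email validation, password length 6..40, a 40-char remember_token, and less predictable salt and token values) as one added example. This is plain Ruby written for this page, not restful-authentication's own model; the regexes, the 3..40 login length and the stand-in salted-SHA-1 hashing are assumptions.

```ruby
require 'securerandom'
require 'digest/sha1'

# Added example, not restful-authentication's own model: a plain-Ruby User that
# enforces the rules the changelog lists. The regexes, the 3..40 login length
# and the stand-in hashing are assumptions.
class User
  LOGIN_RE        = /\A[a-z0-9][a-z0-9_.-]{2,39}\z/i   # assumed: 3..40 chars, no spaces or @
  EMAIL_RE        = /\A[^@\s]+@[^@\s]+\.[a-z]{2,}\z/i   # assumed: intentionally simple
  PASSWORD_LENGTH = (6..40)                              # "password length must be in 6..40"
  TOKEN_LENGTH    = 40                                   # the migration's 40-char column

  attr_reader :login, :email, :salt, :crypted_password,
              :remember_token, :remember_token_expires_at, :errors

  def initialize(login:, email:, password:, password_confirmation:)
    @login, @email = login, email
    @password, @password_confirmation = password, password_confirmation
    @errors = []
  end

  def valid?
    @errors = []
    @errors << 'login is invalid'               unless LOGIN_RE.match?(@login.to_s)
    @errors << 'email is invalid'               unless EMAIL_RE.match?(@email.to_s)
    @errors << 'password length not in 6..40'   unless PASSWORD_LENGTH.cover?(@password.to_s.length)
    @errors << 'password confirmation mismatch' unless @password == @password_confirmation
    @errors.empty?
  end

  # The salt comes from the OS CSPRNG. Deriving it from Time.now and the login
  # (as older code commonly did) lets anyone who knows the signup time guess it.
  def save
    return false unless valid?
    @salt = SecureRandom.hex(TOKEN_LENGTH / 2)           # 40 hex chars
    @crypted_password = self.class.encrypt(@password, @salt)
    @password = @password_confirmation = nil             # drop the cleartext
    true
  end

  # Salted SHA-1 mirrors what plugins of this era did; a new design should use
  # bcrypt or argon2 instead.
  def self.encrypt(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  def authenticated?(password)
    secure_compare(@crypted_password, self.class.encrypt(password, @salt))
  end

  # remember_token is random, exactly 40 chars (fits the column) and time-limited.
  def remember_me(ttl_seconds = 14 * 24 * 3600)
    @remember_token_expires_at = Time.now + ttl_seconds
    @remember_token = SecureRandom.hex(TOKEN_LENGTH / 2)
  end

  def forget_me
    @remember_token = @remember_token_expires_at = nil
  end

  def remember_token?
    !@remember_token.nil? && Time.now < @remember_token_expires_at
  end

  private

  # Constant-time comparison so the check does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a && b && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Two users created in the same second now get different salts, and a remember_token is never longer than the column that stores it, so the database cannot silently truncate it into something guessable.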
Changes to session_controller
- use uniform logout function
- use uniform remember_cookie functions
- avoid calling logged_in?, which will auto-log-you-in (safe in the face of the logout! call, but idiot-proof)
- Moved reset_session into only the “now logged in” branch
- wherever it goes, it has to be in front of the current_user= call
- See more in README-Tradeoffs.txt
- made a place to take action on failed login attempt
- recycle login and remember_me setting on failed login
- nil’ed out the password field in the ‘new’ view
Changes to users_controller
- use uniform logout function
- use uniform remember_cookie functions
- Moved reset_session into only the “now logged in” branch
- wherever it goes, it has to be in front of the current_user= call
- See more in README-Tradeoffs.txt
- made the implicit login after signup happen only on sites that don’t use activation
- On a failed signup, kick you back to the signin screen (but strip out the password & confirmation)
- more descriptive error messages in activate()
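The session_controller and users_controller items above (reset_session only in the “now logged in” branch and before current_user=, a uniform logout!, uniform remember-cookie handling, a hook for failed logins, and recycling login/remember_me but not the password) as one added example. This is a plain-Ruby simulation written for this page, not the plugin's controllers: FakeSession, StubUser, the cookie hash and the method names set_remember_cookie!/kill_remember_cookie!/note_failed_signin are all stand-ins.

```ruby
require 'securerandom'

# Stand-in for the User model (assumption, not the plugin's model).
StubUser = Struct.new(:id, :login, :password, :remember_token, :remember_token_expires_at) do
  def authenticated?(candidate); candidate == password; end   # plaintext only for the demo
  def remember_me
    self.remember_token_expires_at = Time.now + 14 * 24 * 3600
    self.remember_token = SecureRandom.hex(20)
  end
  def forget_me
    self.remember_token = nil
    self.remember_token_expires_at = nil
  end
end

# Stand-in for the Rails session: reset gives a fresh id and an empty store.
class FakeSession
  attr_reader :id
  def initialize; reset; end
  def reset
    @id = SecureRandom.hex(16)
    @data = {}
  end
  def [](key); @data[key]; end
  def []=(key, value); @data[key] = value; end
end

class SessionsController
  attr_reader :session, :cookies, :flash, :current_user, :signin_form, :failed_signins

  def initialize(users)
    @users = users               # login => StubUser (assumed lookup)
    @session = FakeSession.new
    @cookies = {}
    @flash = {}
    @signin_form = {}
    @failed_signins = []
    @current_user = nil
  end

  # POST /session
  def create(params)
    user = @users[params[:login]]
    if user && user.authenticated?(params[:password])
      # "Now logged in" branch only: rotate the session id BEFORE current_user=,
      # otherwise the user id either lands in the old (possibly attacker-fixed)
      # session or is thrown away by the reset.
      @session.reset
      self.current_user = user
      params[:remember_me] == '1' ? set_remember_cookie!(user) : kill_remember_cookie!
      @flash[:notice] = 'Logged in successfully'
      true
    else
      note_failed_signin(params)
      # Re-render the form with login and remember_me kept and the password stripped.
      @signin_form = { login: params[:login], remember_me: params[:remember_me], password: nil }
      @flash[:error] = "Couldn't log you in as '#{params[:login]}'"
      false
    end
  end

  # DELETE /session
  def destroy
    logout!
    @flash[:notice] = 'You have been logged out.'
  end

  def logged_in?; !@current_user.nil?; end

  # One logout path for every controller: forget the token server-side,
  # drop the cookie, drop the identity, then start a fresh session.
  def logout!
    @current_user.forget_me if @current_user
    kill_remember_cookie!
    @current_user = nil
    @session.reset
  end

  private

  def current_user=(user)
    @current_user = user
    @session[:user_id] = user.id
  end

  # Crossing the logged-out/logged-in barrier always mints a new token instead
  # of reusing one from an earlier session.
  def set_remember_cookie!(user)
    user.remember_me
    @cookies[:auth_token] = { value: user.remember_token, expires: user.remember_token_expires_at }
  end

  def kill_remember_cookie!
    @cookies.delete(:auth_token)
  end

  # The hook the changelog mentions: the place to rate-limit, lock out or alert.
  def note_failed_signin(params)
    @failed_signins << { login: params[:login], at: Time.now }
  end
end
```

A failed login deliberately leaves the session id alone; only a successful one rotates it, which is what confines reset_session to the “now logged in” branch without losing the protection against session fixation.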
users_helper
- link_to_user, link_to_current_user, link_to_signin_with_IP
- if_authorized(action, resource, &block) view function (with appropriate warning)
authenticated_system
- Made authorized? take optional arguments action=nil, resource=nil, *args
This makes its signature better match traditional approaches to access control (e.g. the Reference Monitor in Security Patterns)
- authorized? should be a helper too
- added uniform logout! methods
- format.any (as found in access_denied) doesn’t work until http://dev.rubyonrails.org/changeset/8987 lands.
- cookies are now refreshed each time we cross the logged out/in barrier, as best practice
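The authorized?(action=nil, resource=nil, *args) signature above, together with the if_authorized(action, resource, &block) view helper from the users_helper section, as one added example in the reference-monitor style the changelog refers to. This is written for this page, not the plugin's own authenticated_system; the POLICY table, the roles, the :own rule and the FakeController/Account/Resource stand-ins are assumptions.

```ruby
# Added example, not restful-authentication's own code. Every access decision
# goes through one function (the reference-monitor idea) that answers
# "may current_user perform action on resource?".
module AuthenticatedSystem
  # Assumed policy: role => { action => [resource kinds] }, :own meaning "only
  # resources whose owner_id is the current user", :all meaning everything.
  POLICY = {
    guest:  { read: [:post] },
    member: { read: [:post, :comment], create: [:post, :comment], update: [:own], destroy: [:own] },
    admin:  :all,
  }.freeze

  # No arguments keeps the old meaning ("is anyone logged in?"); with an action
  # and resource it becomes a real access-control check.
  def authorized?(action = nil, resource = nil, *_args)
    return logged_in? if action.nil?
    role  = logged_in? ? current_user.role : :guest
    rules = POLICY.fetch(role, {})
    return true if rules == :all
    allowed = rules.fetch(action, [])
    kind = resource.is_a?(Symbol) ? resource : resource.kind
    allowed.include?(kind) || (allowed.include?(:own) && owner_of?(resource))
  end

  # View helper: yields only when authorized. The warning that belongs with it:
  # hiding a link is not access control, the controller action must check too.
  def if_authorized(action, resource, &block)
    block.call if authorized?(action, resource)
  end

  private

  def owner_of?(resource)
    logged_in? && resource.respond_to?(:owner_id) && resource.owner_id == current_user.id
  end
end

# Stand-ins (assumptions) for the user record, a model object and a controller.
Account  = Struct.new(:id, :role)
Resource = Struct.new(:kind, :owner_id)

class FakeController
  include AuthenticatedSystem
  attr_accessor :current_user
  def initialize(user = nil); @current_user = user; end
  def logged_in?; !current_user.nil?; end
end
```

Passing the resource object rather than just its type is what lets the same check express ownership (a member may edit their own post but not someone else's), which a bare logged_in? test could never do.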
Other
- Used escapes <%= %> in email templates (among other reasons, so courtenay’s ‘dumbass’ test doesn’t complain)
- Added site key to generator, users.yml.
- Made site key generation idempotent in the most crude and hackish way
- 100% coverage apart from the stateful code. (needed some access_control checks, and the http_auth stuff)
- Stories!