summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAzul <azul@leap.se>2012-11-23 12:11:11 +0100
committerAzul <azul@leap.se>2012-11-23 15:09:53 +0100
commitee3c9146e4bbe93ec1f00ee45386a82ec4363c4d (patch)
treeec673f97f22c13c19c1f9034dfe88646525bdeae
parent716dc248e940be8bd323a9d92f98785737fc99a0 (diff)
identify user by id so rerendering the form does not use new invalid login
-rw-r--r--users/app/controllers/users_controller.rb15
-rw-r--r--users/app/models/user.rb8
-rw-r--r--users/lib/warden/strategies/secure_remote_password.rb2
-rw-r--r--users/test/functional/users_controller_test.rb4
-rw-r--r--users/test/unit/user_test.rb8
5 files changed, 21 insertions, 16 deletions
diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index ecab53b..3913d0d 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -1,6 +1,8 @@
class UsersController < ApplicationController
- skip_before_filter :verify_authenticity_token
+ skip_before_filter :verify_authenticity_token, :only => [:create]
+
+ before_filter :fetch_user, :only => [:edit, :update]
respond_to :json, :html
@@ -17,12 +19,17 @@ class UsersController < ApplicationController
end
def edit
- @user = current_user
end
def update
- @user = current_user
- @user.update(params[:user])
+ @user.update_attributes(params[:user])
respond_with(@user, :location => edit_user_path(@user))
end
+
+ protected
+
+ def fetch_user
+ @user = User.find_by_param(params[:id])
+ access_denied unless @user == current_user
+ end
end
diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index 507eda5..624754b 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -29,9 +29,7 @@ class User < CouchRest::Model::Base
end
class << self
- def find_by_param(login)
- return find_by_login(login) || raise(RECORD_NOT_FOUND)
- end
+ alias_method :find_by_param, :find
# valid set of attributes for testing
def valid_attributes_hash
@@ -42,9 +40,7 @@ class User < CouchRest::Model::Base
end
- def to_param
- self.login
- end
+ alias_method :to_param, :id
def to_json(options={})
{
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 95570e0..953e2e9 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
@@ -30,7 +30,7 @@ module Warden
end
def initialize!
- user = User.find_by_param(id)
+ user = User.find_by_login(id)
session[:handshake] = user.initialize_auth(params['A'].hex)
custom! json_response(session[:handshake])
rescue RECORD_NOT_FOUND
diff --git a/users/test/functional/users_controller_test.rb b/users/test/functional/users_controller_test.rb
index 4318928..e39869f 100644
--- a/users/test/functional/users_controller_test.rb
+++ b/users/test/functional/users_controller_test.rb
@@ -32,6 +32,7 @@ class UsersControllerTest < ActionController::TestCase
test "should get edit view" do
user = stub_record User
+ User.expects(:find_by_param).with(user.id.to_s).returns(user)
login user
get :edit, :id => user.id
assert_equal user, assigns[:user]
@@ -39,7 +40,8 @@ class UsersControllerTest < ActionController::TestCase
test "should process updated params" do
user = stub_record User
- user.expects(:update).with(user.params).returns(user)
+ user.expects(:update_attributes).with(user.params).returns(true)
+ User.expects(:find_by_param).with(user.id.to_s).returns(user)
login user
post :update, :user => user.params, :id => user.id
assert_equal user, assigns[:user]
diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb
index f057ca7..92c1463 100644
--- a/users/test/unit/user_test.rb
+++ b/users/test/unit/user_test.rb
@@ -23,14 +23,14 @@ class UserTest < ActiveSupport::TestCase
assert !@user.valid?
end
- test "find_by_param gets User by login" do
+ test "find_by_param gets User by id" do
@user.save
- assert_equal @user, User.find_by_param(@user.login)
+ assert_equal @user, User.find_by_param(@user.id)
@user.destroy
end
- test "to_param gives user login" do
- assert_equal @user.login, @user.to_param
+ test "to_param gives user id" do
+ assert_equal @user.id, @user.to_param
end
test "verifier returns number for the hex in password_verifier" do