authorjessib <jessib@riseup.net>2013-07-15 10:33:13 -0700
committerjessib <jessib@riseup.net>2013-07-15 10:33:13 -0700
commitbf5922d26e27ee9695b07eade42d36a34b63fc4e (patch)
tree1bba41b4d5b4ba59966012f9171c01817a332bc0 /config
parentcc32ad53286c2c03c88cb55713565c2930796024 (diff)
parent673c1af5e90a925e00fe6ad7847583a1ddd53ad0 (diff)
Merge pull request #58 from elijh/bugfix/security
fix misc security related bugs
Diffstat (limited to 'config')
-rw-r--r--config/application.rb5
-rw-r--r--config/defaults.yml14
-rw-r--r--config/environments/production.rb2
-rw-r--r--config/initializers/secret_token.rb4
4 files changed, 17 insertions, 8 deletions
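diff --git a/config/application.rb b/config/application.rb
index 5e52c7b..ec25da5 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -15,6 +15,11 @@ if defined?(Bundler)
 # Bundler.require(:default, :assets, Rails.env)
 end
+APP_CONFIG = ["defaults.yml", "config.yml"].inject({}) {|config, file|
+ filepath = File.expand_path(file, File.dirname(__FILE__))
+ config.merge(File.exists?(filepath) ? YAML.load_file(filepath)[Rails.env] : {})
+}.with_indifferent_access
+
 module LeapWeb
 class Application < Rails::Application
 # Settings in config/environments/* take precedence over those specified here.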
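Review bot: `YAML.load_file(filepath)[Rails.env]` returns nil when a file exists but has no mapping for the current environment, and `config.merge(nil)` then raises a TypeError at boot with no hint about which file is at fault; as far as the defaults.yml hunk in this commit shows, only development, test and production are defined, so any other RAILS_ENV hits that path. Guarding the lookup, `config.merge(File.exist?(filepath) ? (YAML.load_file(filepath)[Rails.env] || {}) : {})`, makes a missing section behave like a missing file, and `File.exist?` is the non-deprecated spelling of `File.exists?`. A short comment above the constant, e.g. `# config.yml overrides defaults.yml; both are keyed by Rails environment`, would also help, since APP_CONFIG is consumed from initializers and environment files elsewhere in this commit.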
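diff --git a/config/defaults.yml b/config/defaults.yml
index 54c5a23..343c3ac 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -13,24 +13,28 @@ cert_options: &cert_options
 limited_cert_prefix: "LIMITED"
 unlimited_cert_prefix: "UNLIMITED"
+common: &common
+ force_ssl: false
+ pagination_size: 30
+
 development:
 <<: *dev_ca
 <<: *cert_options
+ <<: *common
 admins: [blue, admin, admin2]
 domain: example.org
- secret_token: '550df064dbc5052d9e192b324c1c5a1095c85a2195f88bd6f6829c63b74d8dffa4556494a2e8cc44345a1926be8b6cb17aa4b3f3102d826f5679c3fb57bb7100'
- pagination_size: 30
+ secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
 test:
 <<: *dev_ca
 <<: *cert_options
+ <<: *common
 admins: [admin, admin2]
 domain: test.me
- secret_token: '550df064dbc5052d9e192b324c1c5a1095c85a2195f88bd6f6829c63b74d8dffa4556494a2e8cc44345a1926be8b6cb17aa4b3f3102d826f5679c3fb57bb7100'
- pagination_size: 30
+ secret_token: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
 production:
 <<: *cert_options
+ <<: *common
 admins: []
 domain: example.net
- pagination_size: 30
\ No newline at end of file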
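Review bot: `force_ssl: false` under `common` becomes the effective production value once `<<: *common` is merged into `production:`, and `config.force_ssl = APP_CONFIG[:force_ssl]` in config/environments/production.rb (same commit) then leaves SSL enforcement off for any deployment whose config.yml does not set the key; before this change the production.rb line was merely commented out, so the outcome is the same but it now looks like a deliberate setting. A secure default is cheap here: add `force_ssl: true` to the `production:` mapping after the `<<: *common` line so the merged value is overridden, and let config.yml opt out explicitly. Separately, the all-`x` `secret_token` placeholder is a publicly known string; since the production mapping omits it the secret_token initializer still raises there, which is correct, but a comment above the development and test values such as `# placeholder for development/test only - never copy into config.yml` would make that intent visible to whoever next edits this file.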
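diff --git a/config/environments/production.rb b/config/environments/production.rb
index d9d37bd..32b4558 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -28,7 +28,7 @@ LeapWeb::Application.configure do
 # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
 # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
- # config.force_ssl = true
+ config.force_ssl = APP_CONFIG[:force_ssl]
 # See everything in the log (default is :info)
 # config.log_level = :debug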
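diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index c4e1e6d..bdd9b1c 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -5,8 +5,8 @@
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-if token = APP_CONFIG['secret_token']
+if token = APP_CONFIG[:secret_token]
 LeapWeb::Application.config.secret_token = token
 else
- raise StandartError.new("No secret_token defined in config/config.yml - please provide one.")
+ raise StandardError.new("No secret_token defined in config/config.yml - please provide one.")
 end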
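Review bot: The guard `if token = APP_CONFIG[:secret_token]` only checks presence, so the 30-character minimum the comment directly above promises is never enforced, and the all-`x` placeholder this commit ships in config/defaults.yml for development and test satisfies it. Replacing the branch with `token = APP_CONFIG[:secret_token]` followed by `raise StandardError, "secret_token in config/config.yml must be set to at least 30 random characters" if token.nil? || token.to_s.length < 30` and then the existing assignment keeps the message actionable and rejects obviously short values; `raise StandardError, "..."` (class plus message) is also the idiomatic form over `StandardError.new(...)`. Whether production can ever see the placeholder depends on config.yml, which is outside this commit, so the length check is a defence in depth rather than a fix for a visible leak.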