diff options
author | Azul <azul@leap.se> | 2012-11-23 12:11:11 +0100 |
---|---|---|
committer | Azul <azul@leap.se> | 2012-11-23 15:09:53 +0100 |
commit | ee3c9146e4bbe93ec1f00ee45386a82ec4363c4d (patch) | |
tree | ec673f97f22c13c19c1f9034dfe88646525bdeae /users | |
parent | 716dc248e940be8bd323a9d92f98785737fc99a0 (diff) |
identify user by id so rerendering the form does not use new invalid login
Diffstat (limited to 'users')
-rw-r--r-- | users/app/controllers/users_controller.rb | 15 | ||||
-rw-r--r-- | users/app/models/user.rb | 8 | ||||
-rw-r--r-- | users/lib/warden/strategies/secure_remote_password.rb | 2 | ||||
-rw-r--r-- | users/test/functional/users_controller_test.rb | 4 | ||||
-rw-r--r-- | users/test/unit/user_test.rb | 8 |
5 files changed, 21 insertions, 16 deletions
diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb index ecab53b..3913d0d 100644 --- a/users/app/controllers/users_controller.rb +++ b/users/app/controllers/users_controller.rb @@ -1,6 +1,8 @@ class UsersController < ApplicationController - skip_before_filter :verify_authenticity_token + skip_before_filter :verify_authenticity_token, :only => [:create] + + before_filter :fetch_user, :only => [:edit, :update] respond_to :json, :html @@ -17,12 +19,17 @@ class UsersController < ApplicationController end def edit - @user = current_user end def update - @user = current_user - @user.update(params[:user]) + @user.update_attributes(params[:user]) respond_with(@user, :location => edit_user_path(@user)) end + + protected + + def fetch_user + @user = User.find_by_param(params[:id]) + access_denied unless @user == current_user + end end diff --git a/users/app/models/user.rb b/users/app/models/user.rb index 507eda5..624754b 100644 --- a/users/app/models/user.rb +++ b/users/app/models/user.rb @@ -29,9 +29,7 @@ class User < CouchRest::Model::Base end class << self - def find_by_param(login) - return find_by_login(login) || raise(RECORD_NOT_FOUND) - end + alias_method :find_by_param, :find # valid set of attributes for testing def valid_attributes_hash @@ -42,9 +40,7 @@ class User < CouchRest::Model::Base end - def to_param - self.login - end + alias_method :to_param, :id def to_json(options={}) { diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb index 95570e0..953e2e9 100644 --- a/users/lib/warden/strategies/secure_remote_password.rb +++ b/users/lib/warden/strategies/secure_remote_password.rb @@ -30,7 +30,7 @@ module Warden end def initialize! - user = User.find_by_param(id) + user = User.find_by_login(id) session[:handshake] = user.initialize_auth(params['A'].hex) custom! json_response(session[:handshake]) rescue RECORD_NOT_FOUND diff --git a/users/test/functional/users_controller_test.rb b/users/test/functional/users_controller_test.rb index 4318928..e39869f 100644 --- a/users/test/functional/users_controller_test.rb +++ b/users/test/functional/users_controller_test.rb @@ -32,6 +32,7 @@ class UsersControllerTest < ActionController::TestCase test "should get edit view" do user = stub_record User + User.expects(:find_by_param).with(user.id.to_s).returns(user) login user get :edit, :id => user.id assert_equal user, assigns[:user] @@ -39,7 +40,8 @@ class UsersControllerTest < ActionController::TestCase test "should process updated params" do user = stub_record User - user.expects(:update).with(user.params).returns(user) + user.expects(:update_attributes).with(user.params).returns(true) + User.expects(:find_by_param).with(user.id.to_s).returns(user) login user post :update, :user => user.params, :id => user.id assert_equal user, assigns[:user] diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb index f057ca7..92c1463 100644 --- a/users/test/unit/user_test.rb +++ b/users/test/unit/user_test.rb @@ -23,14 +23,14 @@ class UserTest < ActiveSupport::TestCase assert !@user.valid? end - test "find_by_param gets User by login" do + test "find_by_param gets User by id" do @user.save - assert_equal @user, User.find_by_param(@user.login) + assert_equal @user, User.find_by_param(@user.id) @user.destroy end - test "to_param gives user login" do - assert_equal @user.login, @user.to_param + test "to_param gives user id" do + assert_equal @user.id, @user.to_param end test "verifier returns number for the hex in password_verifier" do |