fixes #8801
Includes a test reproducing 500 on lynx
We now make use of ActionController::Parameters require and permit
methods.

On a failed login the warden failure app gets called.
Some of the params are changed accordingly but controller
and action remain.
set_locale would detect there was no locale in the path
and thus attempt to redirect. However, the params still
belong to the previous request, which was a POST to
Api::SessionsController.
This route does not respond to GET requests and so it
would trigger a 404 in production and a 500 in development.
This commit prevents set_locale from acting upon warden failure
app controller calls by adding /new to the list of
`NON_LOCALE_PATHS`. (The path is updated by warden to the
name of the action called in the failure app.)
A test is included in this commit that tries to log in
with an invalid username and password combination and a German
locale set.
fixes #8805

We now use the hash of the token for comparison and as the id.
In order to use it you need the original token though. So forms and
thus the session should have token.to_s rather than token.id.

* reran the simple form initializer.
* wrapped submit buttons are now broken and need a fix.
* disabled confirmation validation in client side validations as the
error message is always attached to the wrong field.

Our special error handler for JSON requests would turn all exceptions
into 500s, so we removed it. Now the rescue_responses can do their thing
again.

Enable testing error responses on the full rack stack.

That's the only thing the controller handles meaningfully.
Before, the route would also catch anything that started with a `.`, interpreting
it as a format string. This led to lots of false positives in our security
scanner.

Related to https://github.com/pixelated/pixelated-user-agent/issues/924
With @aarni

If you inherit respond_to and call it again in your controller,
it will not overwrite the previous one but add to it.
Since we always have some exceptions from the rules, it's probably
easiest to be explicit in the controllers that require it themselves.

for him/herself
So that we do not expose the is_admin property to anyone else,
including other admins.

feature/expose_admin_in_api

So that whoever consumes the API can use this attribute to
determine if admin functionalities should be made available to
the current user.

There was a lot of special case handling going on in the users_controller
for this. A lot simpler this way.

Otherwise this will mess up other tests.

Rails 4.2 runs all tests mixed together. So unit tests and integration tests
may not have conflicting names.

AccountLivecycleTest -> CRUD accounts
SecurityTest -> security specific tests
AdminTest -> admin specific tests

create/delete test & tmp users.

token, "tmp" users are users that exist only in the tmp db, "test" users are either tmp users or users named "test_user_x"

are configured in the static config, to be used for infrastructure monitoring.

get re-enabled.

Through the config param 'invite_required', providers can decide whether users need to provide an invite code upon signup.
The default setting is false.

Handing freshly generated invite codes to Factory Girl to make the tests pass

Remove the change password test because the change password functionality is currently unused; however, it breaks with the new invite code field in the signup form.

valid user for the tests again

tmp db for test users.

client_cert_lifespan config option.

We're not testing the redirects anymore. But the error messages should be pretty clear already. We can start testing redirects again once we redirect to different places for different actions.

There's an identities tab now for admins that will allow unblocking blocked handles. It should be easy to expand for aliases and forwards and other types of actions such as editing.

Feature/i18n for ticket system

Identity.new.valid? should not crash. So validate presence where needed and
skip the other validations if the value is absent.

We create an identity alongside each user. Make sure the identity
is valid when creating the user. This also ensures that the login
picked is available, because otherwise the identity's address would
not be available anymore.

hash token with sha512 against timing attacks #3398

We create them. Let's reflect that in the verb.

Only storing the date, as that should suffice for normal expiry and is less useful for identifying users by timestamps
