CHANGELOG (forked from technoweenie/restful-authentication)
# Internal Changes to code
As always, this is just a copy-and-pasted version of the CHANGELOG file in the source code tree.
## Changes for the May, 2008 version of restful-authentication
### Changes to user model
* recently_activated? is only defined when the model is stateful
* Gave migration a 40-char limit on remember_token & an index on users by login
* **Much** stricter login and email validation
* put length constraints in migration too
* password length constrained to 6..40 characters
* salt and remember_token are now much less predictable
### Changes to session_controller
* use uniform logout function
* use uniform remember_cookie functions
* avoid calling logged_in?, which will auto-log-you-in (safe in the face of a logout! call, but idiot-proof)
* Moved reset_session into only the "now logged in" branch
** wherever it goes, it has to be in front of the current_user= call
** See more in README-Tradeoffs.txt
* made a place to take action on failed login attempt
* recycle login and remember_me setting on failed login
* nil'ed out the password field in 'new' view
### Changes to users_controller
* use uniform logout function
* use uniform remember_cookie functions
* Moved reset_session into only the "now logged in" branch
** wherever it goes, it has to be in front of the current_user= call
** See more in README-Tradeoffs.txt
* made the implicit login only happen for sites that don't require activation
* On a failed signup, kick you back to the signin screen (but strip out the password & confirmation)
* more descriptive error messages in activate()
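The ordering rule repeated in the session_controller and users_controller sections above (reset_session only in the "now logged in" branch, and always before current_user=) is easiest to see in a small simulation. The code below is an added example, not restful-authentication's own code: it uses a hypothetical in-memory SessionStore and LoginRequest in place of the Rails session and shows why the reversed order silently loses the login while the correct order leaves the pre-login session id unauthenticated.

```ruby
require 'securerandom'

# Hypothetical in-memory stand-in for the Rails session store (constructed for
# this example): maps a session id to that session's data hash.
class SessionStore
  def initialize; @sessions = {}; end

  # Issue a fresh, unpredictable session id with empty data.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def [](id); @sessions[id]; end
  def delete(id); @sessions.delete(id); end
end

# One login request, bound to the session id the browser presented.
class LoginRequest
  attr_reader :session_id

  def initialize(store, session_id)
    @store, @session_id = store, session_id
  end

  def session; @store[@session_id]; end

  # Stand-in for Rails reset_session: discard the presented session and
  # continue under a newly issued id, so an id known before login is never
  # the one that ends up authenticated.
  def reset_session
    @store.delete(@session_id)
    @session_id = @store.create
  end

  # Stand-in for current_user=: record the authenticated user in the session.
  def current_user=(user_id); session[:user_id] = user_id; end
end

# The order the changelog requires: reset_session, then current_user=.
# Returns the session id the browser should hold after login.
def login_correct(store, presented_id, user_id)
  req = LoginRequest.new(store, presented_id)
  req.reset_session
  req.current_user = user_id
  req.session_id
end

# Reversed order: the login lands in the old session, which reset then drops.
def login_wrong_order(store, presented_id, user_id)
  req = LoginRequest.new(store, presented_id)
  req.current_user = user_id
  req.reset_session
  req.session_id
end
```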
### users_helper
* link_to_user, link_to_current_user, link_to_signin_with_IP
* if_authorized(action, resource, &block) view function (with appropriate warning)
### authenticated_system
* Made authorized? take optional arguments action=nil, resource=nil, *args. This makes its signature better match traditional approaches to access control (e.g. the Reference Monitor in "Security Patterns":http://www.securitypatterns.org/patterns.html)
* authorized? should be a helper too
* added uniform logout! methods
* format.any (as found in access_denied) doesn't work until http://dev.rubyonrails.org/changeset/8987 lands.
* cookies are now refreshed each time we cross the logged out/in barrier, as "best":http://palisade.plynt.com/issues/2004Jul/safe-auth-practices/ "practice":http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_Tokens
### Other
* Used escapes <%= %> in email templates (among other reasons, so courtenay's "'dumbass' test":http://tinyurl.com/684g9t doesn't complain)
* Added site key to generator, users.yml.
* Made site key generation idempotent in the most crude and hackish way
* 100% coverage apart from the stateful code. (needed some access_control checks, and the http_auth stuff)
* Stories!