Though I forgot, Rails takes care of the form's validity with the authenticity token; however, it's probably still safer to have a time check in the update action.
Having a check in the edit action makes it more convenient.
However you should NOT remove the check from the update action, as attackers can now try outdated activation codes forever with forged PUT requests.
I have the same concern, since it is quite possible to brute-force many ids in password_resets/id/edit and then set the user's password AND email to your own pw & email.
If you could not assign an email via the password_resets_controller, then it would be much harder to figure out which email was assigned to the updated password.
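The two concerns above (an expiry check that must run in update as well as edit, and reset records addressed by guessable sequential ids whose form also accepts an email) can be shown together. The following is an added, stand-alone Ruby illustration, not the episode's code or any commenter's: it uses a random token instead of the record id, re-runs the expiry and lookup checks inside update because a forged PUT skips edit entirely, and accepts only a password from the form so the reset can never rebind the account to a different email. The User class, USERS hash and RESET_TTL are constructed for the example; the "digest(...)" string stands in for a real password hash.

```ruby
require 'securerandom'
require 'time'

# Minimal stand-in for the users table (constructed for this example).
class User
  attr_accessor :email, :password_digest, :reset_token, :reset_sent_at
  def initialize(email)
    @email = email
  end
end

USERS = {}                 # reset_token => User
RESET_TTL = 2 * 60 * 60    # reset links are valid for two hours

# Issues a random, unguessable token instead of exposing a sequential id.
def send_password_reset(user, now = Time.now)
  user.reset_token = SecureRandom.urlsafe_base64(32)
  user.reset_sent_at = now
  USERS[user.reset_token] = user
  user.reset_token # would be placed in the e-mailed link
end

def token_expired?(user, now = Time.now)
  user.reset_sent_at.nil? || now - user.reset_sent_at > RESET_TTL
end

def find_by_token(token)
  USERS[token]
end

# Equivalent of the edit action: look up by token, refuse if expired.
def edit(token, now = Time.now)
  user = find_by_token(token)
  return :not_found if user.nil?
  return :expired if token_expired?(user, now)
  :show_form
end

# Equivalent of the update action. The same checks run again here, because a
# request can reach update without ever having rendered the edit form.
# Only :password is read from params; any :email key is ignored.
def update(token, params, now = Time.now)
  user = find_by_token(token)
  return :not_found if user.nil?
  return :expired if token_expired?(user, now)
  password = params[:password].to_s
  return :invalid if password.length < 8
  user.password_digest = "digest(#{password})" # stand-in for a real hash such as bcrypt
  user.reset_token = nil
  USERS.delete(token)   # token is single-use
  :updated
end
```

Because the token is invalidated after a successful update and never accepted once expired, an attacker who keeps replaying old tokens against update gets nothing; and since the email is never taken from the form, a reset cannot be used to capture an account under a different address.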
For anybody having the same problem with testing when switching from session to cookies: you need to use request.cookies to assign the cookie.
And in your normal specs where you use test_sign_in
In specs where you don't use test_sign_in but rather post :create, :email => "user@example.com", :password => "somepassword"
It's really confusing me.
appears unfiltered in the log files (Rails 3.1.rc4). Is this a security issue?
Check this out:
You can easily get associated model data into JSON:
http://stackoverflow.com/questions/4764954/getting-value-from-associated-model
Then within token-field you can add a function to manipulate your entries.
Very nice solution, but is there a specific reason to not use Boolean tables within the user model for each role? (user.admin, user.moderator etc.) It seems to be easier this way to delete roles and all the corresponding data through migrations.