Commit Graph

20 Commits

Author SHA1 Message Date
Sam 7993845bfa add current_user_provider so people can override current_user behavior cleanly, see
http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 15:11:54 +11:00
Sam c4a0152dc6 recover from bad CSRF tokens without requiring a hard refresh of the browser 2013-08-27 15:56:12 +10:00
Neil Lalonde c74da0d262 Admins who haven't been approved can log in when must_approve_users is enabled 2013-08-06 16:51:29 -04:00
Sam aa6c92922d SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 15:13:13 +10:00
Michael Campagnaro 25f8692a79 Strip leading/trailing spaces from login 2013-07-23 23:03:38 -04:00
Neil Lalonde c1a39b5a30 Show date with year in message to banned users who try to log in 2013-06-30 12:49:34 -04:00
Neil Lalonde 5d6ad8f39c Show a useful message when a banned user tries to log in 2013-06-27 15:14:42 -04:00
Ian Christian Myers 0d01c33482 Enabled strong_parameters across all models/controllers.
All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.

The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.

It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 00:30:59 -07:00
Sam 2dfba8d6de we need to be able to do username checks for registration to work 2013-06-05 12:50:42 +10:00
Chris Hunt 92a4828f72 Redirect all controllers to login if required
We want to skip the filter for sessions controller so that we can log in
and we want to skip the filter for static pages because those should be
visible to visitors.
2013-06-04 16:10:10 -07:00
Sam 42494b5bb1 we can't trust CSRF for anon the way it is designed.
The page they have loaded may be cached; we need a different way of delivering the CSRF potentially
2013-05-03 16:43:11 +10:00
Neil Lalonde cbe0168922 Fix a problem where you might see missing {{sentTo}} value after a failed login 2013-04-18 16:44:56 -04:00
Régis Hanol b24c1a1ad9 better consistency around email case sensitivity 2013-04-15 02:20:33 +02:00
Sarah Vessels 54c7b1ab63 Use consistent new-style hashes in render calls *twitch* 2013-03-22 14:08:11 -04:00
Neil Lalonde 213d3e5c10 Remove unused code and routes that don't exist in session_controller 2013-03-13 15:21:45 -04:00
Régis Hanol 239cbd2d58 enforce coding convention
replaced every `and` by `&&` and every `or` by `||`
2013-03-05 01:42:44 +01:00
Neil Lalonde ff3e012034 Add a link that allows you to send activation email again 2013-02-22 11:49:58 -05:00
Neil Lalonde c18b85873f Prevent login until email is confirmed 2013-02-11 11:18:37 -05:00
Jakub Arnold 61654ab8f0 Fix all the trailing whitespace 2013-02-07 16:45:24 +01:00
Robin Ward 21b5628528 Initial release of Discourse 2013-02-05 14:16:51 -05:00