Erick Guan
9937af7ac4
disable sending email or show presence when forgot system user password
2014-12-10 14:17:56 +08:00
Sam
800ae5265f
Add admin and moderator state to sso provider
2014-11-27 12:24:37 +11:00
Sam
c10e3df012
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it
...
FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 17:26:27 +11:00
Sam
9e1e3df6c9
FEATURE: Localize SSO error messages
2014-11-24 12:16:23 +11:00
Sam
d3b24b625b
Add more SSO logging for failure conditions
2014-11-24 10:02:22 +11:00
Robin Ward
1252e7324f
Added easy impersonate route while in development mode
2014-10-07 12:25:50 -04:00
Sam
d53e01619f
SECURITY: rate limit user/password login
2014-09-25 10:06:44 +10:00
riking
2c6d03f87f
SECURITY: Limit passwords to 200 characters
...
Prevents layer 8 attack.
2014-09-12 12:07:11 -04:00
Sam
45e8337a29
FEATURE: renames forgot_password_verbose, forgot_password_strict
2014-09-11 15:53:29 +10:00
Sam
61bcde6284
FEATURE: inform users if forgot password works or not
...
FIX: flash dialog in forgot password often had wrong color
(this can be disabled by setting forgot_password_verbose to false)
2014-09-11 12:04:44 +10:00
Neil Lalonde
ca5f361d0a
FEATURE: restrict admin access based on IP address
2014-09-05 12:06:01 -04:00
Sam
e0a82d3088
FIX: rate limit password reset email
2014-08-18 10:55:30 +10:00
Neil Lalonde
1da59e7e2e
FIX: deactivated users shouldn't be able to log in
2014-04-28 13:46:28 -04:00
Sam
be06156629
SECURITY: when enabled_local_logins is false users could log in via API
...
thanks @Nicholas Blanco
2014-03-26 15:39:44 +11:00
Sam
74a1145a0b
BUGFIX: sso to respect must_approve_users
2014-02-26 10:27:39 +11:00
Sam
440435f023
FEATURE: SSO to handle return_path automatically
2014-02-26 09:58:30 +11:00
Sam
6f31d3f0e5
FEATURE: single sign on support
...
Added support for outsourcing auth to a different website, documentation on meta
2014-02-25 14:31:03 +11:00
Robin Ward
1dac3cfd64
API endpoint for retrieving the current user
2014-02-05 13:46:24 -05:00
Neil Lalonde
da825451d0
Invite link can't be used to log in after you set a password or sign in with 3rd party
2014-01-21 16:56:41 -05:00
Sam
79087f4e6f
fix exception in logs
2013-11-28 12:39:59 +11:00
railsaholic
34bba737ff
Refactor SessionController#create, reduce complexity.
...
Don't compromise readablity
2013-11-15 22:09:03 +05:30
Neil Lalonde
0c6f794eb0
Used the term suspended instead of banned.
2013-11-07 13:53:49 -05:00
Neil Lalonde
92a0729937
When banning a user, a reason can be provided. The user will see this reason when trying to log in. Also log bans and unbans in the staff action logs.
2013-11-01 10:47:26 -04:00
Manoj
96ae3cdacc
Utilize already existing method 'find_by_username_or_email'
...
check presence of email using include, dont use =~
2013-10-24 19:26:06 +05:30
Sam
7993845bfa
add current_user_provider so people can override current_user bevior cleanly, see
...
http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 15:11:54 +11:00
Sam
c4a0152dc6
recover from bad CSRF tokens without requiring a hard refresh of the browser
2013-08-27 15:56:12 +10:00
Neil Lalonde
c74da0d262
Admins who haven't been approved can log in when must_approve_users is enabled
2013-08-06 16:51:29 -04:00
Sam
aa6c92922d
SECURITY: correct our CSRF implementation to be much more aggressive
2013-07-29 15:13:13 +10:00
Michael Campagnaro
25f8692a79
Strip leading/trailing spaces from login
2013-07-23 23:03:38 -04:00
Neil Lalonde
c1a39b5a30
Show date with year in message to banned users who try to log in
2013-06-30 12:49:34 -04:00
Neil Lalonde
5d6ad8f39c
Show a useful message when a banned user tries to log in
2013-06-27 15:14:42 -04:00
Ian Christian Myers
0d01c33482
Enabled strong_parameters across all models/controllers.
...
All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.
The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.
It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 00:30:59 -07:00
Sam
2dfba8d6de
we need to be able to do username checks for registration to work
2013-06-05 12:50:42 +10:00
Chris Hunt
92a4828f72
Redirect all controllers to login if required
...
We want to skip the filter for sessions controller so that we can login
and we want to skip the filter for static pages because those should be
visible to visitors.
2013-06-04 16:10:10 -07:00
Sam
42494b5bb1
we can't trust CSRF for anon the way it is designed.
...
The page they have loaded may be cached we need a different way of delivering the CSRF potentially
2013-05-03 16:43:11 +10:00
Neil Lalonde
cbe0168922
Fix a problem where you might see missing {{sentTo}} value after a failed login
2013-04-18 16:44:56 -04:00
Régis Hanol
b24c1a1ad9
better consistency around email case sensitivity
2013-04-15 02:20:33 +02:00
Sarah Vessels
54c7b1ab63
Use consistent new-style hashes in render calls *twitch*
2013-03-22 14:08:11 -04:00
Neil Lalonde
213d3e5c10
Remove unused code and routes that don't exist in session_controller
2013-03-13 15:21:45 -04:00
Régis Hanol
239cbd2d58
enforce coding convention
...
replaced every `and` by `&&` and every `or` by `||`
2013-03-05 01:42:44 +01:00
Neil Lalonde
ff3e012034
Add a link that allows you to send activation email again
2013-02-22 11:49:58 -05:00
Neil Lalonde
c18b85873f
Prevent login until email is confirmed
2013-02-11 11:18:37 -05:00
Jakub Arnold
61654ab8f0
Fix all the trailing whitespace
2013-02-07 16:45:24 +01:00
Robin Ward
21b5628528
Initial release of Discourse
2013-02-05 14:16:51 -05:00