authorfrancis <francis>2008-03-21 14:45:38 +0000
committerfrancis <francis>2008-03-21 14:45:38 +0000
commit53b0da179b7bd8fc5c47a00c1b44673a436b35d9 (patch)
treef02d44b8515d35f9dc35fca81b55155e7d76c68e
parent426be7f2c0eb5cf09bb35bb9d40c67b7af59d7ec (diff)
More secure password changing - you have to have specifically clicked the link in
the change password email, rather than any link.
-rw-r--r--app/controllers/application.rb4
-rw-r--r--app/controllers/user_controller.rb18
-rw-r--r--app/models/contact_validator.rb4
-rw-r--r--app/models/incoming_message.rb4
-rw-r--r--app/models/info_request.rb4
-rw-r--r--app/models/info_request_event.rb4
-rw-r--r--app/models/outgoing_message.rb4
-rw-r--r--app/models/post_redirect.rb5
-rw-r--r--app/models/public_body.rb4
-rw-r--r--app/models/public_body_tag.rb4
-rw-r--r--app/models/user.rb4
-rw-r--r--app/models/user_info_request_sent_alert.rb4
-rw-r--r--db/migrate/045_add_circumstance_to_post_redirect.rb11
-rw-r--r--db/schema.rb13
-rw-r--r--todo.txt3
15 files changed, 53 insertions, 37 deletions
diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index 891a505d9..daa8a955b 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -6,7 +6,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: application.rb,v 1.31 2008-03-20 11:58:21 francis Exp $
+# $Id: application.rb,v 1.32 2008-03-21 14:45:38 francis Exp $
class ApplicationController < ActionController::Base
@@ -37,7 +37,7 @@ class ApplicationController < ActionController::Base
raise "bad token in test code email"
end
session[:user_id] = post_redirect.user.id
- session[:user_authtype] = :email
+ session[:user_circumstance] = post_redirect.circumstance
params = controller_example_group.params_from(:get, post_redirect.local_part_uri)
params.merge(post_redirect.post_params)
controller_example_group.get params[:action], params
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 40547aafe..c95029c99 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -4,7 +4,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: user_controller.rb,v 1.40 2008-03-20 11:58:21 francis Exp $
+# $Id: user_controller.rb,v 1.41 2008-03-21 14:45:38 francis Exp $
class UserController < ApplicationController
# Show page about a set of users with same url name
@@ -39,7 +39,7 @@ class UserController < ApplicationController
# Successful login
if @user_signin.email_confirmed
session[:user_id] = @user_signin.id
- session[:user_authtype] = :password
+ session[:user_circumstance] = nil
do_post_redirect @post_redirect.uri, @post_redirect.post_params
else
send_confirmation_mail @user_signin
@@ -89,7 +89,7 @@ class UserController < ApplicationController
@user.save!
session[:user_id] = @user.id
- session[:user_authtype] = :email
+ session[:user_circumstance] = post_redirect.circumstance
do_post_redirect post_redirect.uri, post_redirect.post_params
end
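Review bot: After this change the session stores `post_redirect.circumstance` for email-link logins, which for ordinary redirects is the string "normal" (the new column default), while the password login path in the hunk above stores nil for the same meaning. Two different values for "no special circumstance" are harmless for a `!= "change_password"` comparison but make the session state harder to reason about and to audit. Consider normalising at this line, e.g. `session[:user_circumstance] = post_redirect.circumstance == "normal" ? nil : post_redirect.circumstance`, or storing "normal" on the password path as well. The enclosing method starts before this hunk.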
@@ -97,7 +97,7 @@ class UserController < ApplicationController
# Logout form
def signout
session[:user_id] = nil
- session[:user_authtype] = nil
+ session[:user_circumstance] = nil
if params[:r]
redirect_to params[:r]
else
@@ -107,7 +107,7 @@ class UserController < ApplicationController
# Change password (XXX and perhaps later email) - requires email authentication
def signchange
- if @user and ((not session[:user_authtype]) or (session[:user_authtype] != :email))
+ if @user and ((not session[:user_circumstance]) or (session[:user_circumstance] != "change_password"))
# Not logged in via email, so send confirmation
params[:submitted_signchange_email] = true
params[:signchange] = { :email => @user.email }
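Review bot: The new condition on the `if` line is redundant: `(not session[:user_circumstance]) or (session[:user_circumstance] != "change_password")` collapses to `session[:user_circumstance] != "change_password"`, because nil is already unequal to the string. `if @user and session[:user_circumstance] != "change_password"` states the intent (not authenticated through the change-password link) without the double negative. The signchange method continues beyond this hunk.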
@@ -132,7 +132,9 @@ class UserController < ApplicationController
:web => "",
:email => "Then you can change your password on WhatDoTheyKnow.com",
:email_subject => "Change your password on WhatDoTheyKnow.com"
- })
+ },
+ :circumstance => "change_password" # special login that lets you change your password
+ )
post_redirect.user = user_signchange
post_redirect.save!
url = confirm_url(:email_token => post_redirect.email_token)
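Review bot: The literal "change_password" that marks the privileged circumstance is now spelled out here and in two other places in this file (the `signchange` guard and the later `raise "internal error"` check); a single constant such as `CHANGE_PASSWORD_CIRCUMSTANCE = "change_password"` on the controller keeps the three comparisons from drifting, which matters because a typo in any one of them silently changes what this emailed token is allowed to do. The trailing comment on the `:circumstance` line also sits inside a multi-line argument list; a comment line above the `PostRedirect.new` call keeps the arguments scannable. The enclosing method begins before this hunk.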
@@ -146,8 +148,8 @@ class UserController < ApplicationController
# Not logged in, prompt for email
render :action => 'signchange_email'
else
- # Logged in via email link, so can offer form to change email/password
- raise "internal error" unless (session[:user_authtype] == :email)
+ # Logged in via special email change password link, so can offer form to change password
+ raise "internal error" unless (session[:user_circumstance] == "change_password")
if params[:submitted_signchange_password]
@user.password = params[:user][:password]
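Review bot: Once this branch saves the new password, `session[:user_circumstance]` appears to remain "change_password" for the rest of the session, so the elevated state granted by a single emailed link outlives the one action it was issued for. Unless the code after the hunk already does so, add `session[:user_circumstance] = nil` after the successful save so that a further password change requires a fresh link. The `raise "internal error"` guard is a reasonable consistency check, but its message could name the condition, e.g. `raise "internal error: signchange form reached without change_password circumstance"`. The method body continues past the end of this hunk.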
diff --git a/app/models/contact_validator.rb b/app/models/contact_validator.rb
index d4f1d0a7b..6f97c29c0 100644
--- a/app/models/contact_validator.rb
+++ b/app/models/contact_validator.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: contact_validators
#
@@ -15,7 +15,7 @@
# Copyright (c) 2008 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: contact_validator.rb,v 1.7 2008-03-21 14:04:29 francis Exp $
+# $Id: contact_validator.rb,v 1.8 2008-03-21 14:45:38 francis Exp $
class ContactValidator < ActiveRecord::BaseWithoutTable
column :name, :string
diff --git a/app/models/incoming_message.rb b/app/models/incoming_message.rb
index 4b56f0cc4..8e6783495 100644
--- a/app/models/incoming_message.rb
+++ b/app/models/incoming_message.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: incoming_messages
#
@@ -17,7 +17,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: incoming_message.rb,v 1.68 2008-03-21 14:04:29 francis Exp $
+# $Id: incoming_message.rb,v 1.69 2008-03-21 14:45:38 francis Exp $
# TODO
diff --git a/app/models/info_request.rb b/app/models/info_request.rb
index 647d884f8..3c0e97107 100644
--- a/app/models/info_request.rb
+++ b/app/models/info_request.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: info_requests
#
@@ -22,7 +22,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: info_request.rb,v 1.70 2008-03-21 14:04:29 francis Exp $
+# $Id: info_request.rb,v 1.71 2008-03-21 14:45:38 francis Exp $
require 'digest/sha1'
diff --git a/app/models/info_request_event.rb b/app/models/info_request_event.rb
index 41408787e..fc4588596 100644
--- a/app/models/info_request_event.rb
+++ b/app/models/info_request_event.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: info_request_events
#
@@ -16,7 +16,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: info_request_event.rb,v 1.23 2008-03-21 14:04:29 francis Exp $
+# $Id: info_request_event.rb,v 1.24 2008-03-21 14:45:38 francis Exp $
class InfoRequestEvent < ActiveRecord::Base
belongs_to :info_request
diff --git a/app/models/outgoing_message.rb b/app/models/outgoing_message.rb
index 6ba085fe0..20e2d33ec 100644
--- a/app/models/outgoing_message.rb
+++ b/app/models/outgoing_message.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: outgoing_messages
#
@@ -21,7 +21,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: outgoing_message.rb,v 1.37 2008-03-21 14:04:29 francis Exp $
+# $Id: outgoing_message.rb,v 1.38 2008-03-21 14:45:38 francis Exp $
class OutgoingMessage < ActiveRecord::Base
belongs_to :info_request
diff --git a/app/models/post_redirect.rb b/app/models/post_redirect.rb
index e62d4b2a0..bd3de5b32 100644
--- a/app/models/post_redirect.rb
+++ b/app/models/post_redirect.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: post_redirects
#
@@ -12,6 +12,7 @@
# email_token :text not null
# reason_params_yaml :text
# user_id :integer
+# circumstance :text default("normal"), not null
#
# models/post_redirect.rb:
@@ -25,7 +26,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: post_redirect.rb,v 1.25 2008-03-21 14:04:29 francis Exp $
+# $Id: post_redirect.rb,v 1.26 2008-03-21 14:45:38 francis Exp $
require 'openssl' # for random bytes function
diff --git a/app/models/public_body.rb b/app/models/public_body.rb
index 3772e39c6..b4b1e1487 100644
--- a/app/models/public_body.rb
+++ b/app/models/public_body.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: public_bodies
#
@@ -21,7 +21,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: public_body.rb,v 1.41 2008-03-21 14:04:29 francis Exp $
+# $Id: public_body.rb,v 1.42 2008-03-21 14:45:38 francis Exp $
require 'csv'
require 'set'
diff --git a/app/models/public_body_tag.rb b/app/models/public_body_tag.rb
index a1d0cc9d0..7ec781146 100644
--- a/app/models/public_body_tag.rb
+++ b/app/models/public_body_tag.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: public_body_tags
#
@@ -15,7 +15,7 @@
# Copyright (c) 2008 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: public_body_tag.rb,v 1.5 2008-03-21 14:04:29 francis Exp $
+# $Id: public_body_tag.rb,v 1.6 2008-03-21 14:45:38 francis Exp $
class PublicBodyTag < ActiveRecord::Base
validates_presence_of :public_body
diff --git a/app/models/user.rb b/app/models/user.rb
index 4c5e13f06..bd2df8267 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: users
#
@@ -20,7 +20,7 @@
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: user.rb,v 1.39 2008-03-21 14:04:29 francis Exp $
+# $Id: user.rb,v 1.40 2008-03-21 14:45:38 francis Exp $
require 'digest/sha1'
diff --git a/app/models/user_info_request_sent_alert.rb b/app/models/user_info_request_sent_alert.rb
index 99dea8f42..f58f6a58c 100644
--- a/app/models/user_info_request_sent_alert.rb
+++ b/app/models/user_info_request_sent_alert.rb
@@ -1,5 +1,5 @@
# == Schema Information
-# Schema version: 44
+# Schema version: 45
#
# Table name: user_info_request_sent_alerts
#
@@ -16,7 +16,7 @@
# Copyright (c) 2008 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
-# $Id: user_info_request_sent_alert.rb,v 1.6 2008-03-21 14:04:29 francis Exp $
+# $Id: user_info_request_sent_alert.rb,v 1.7 2008-03-21 14:45:38 francis Exp $
class UserInfoRequestSentAlert < ActiveRecord::Base
belongs_to :user
diff --git a/db/migrate/045_add_circumstance_to_post_redirect.rb b/db/migrate/045_add_circumstance_to_post_redirect.rb
new file mode 100644
index 000000000..e6e7ca513
--- /dev/null
+++ b/db/migrate/045_add_circumstance_to_post_redirect.rb
@@ -0,0 +1,11 @@
+class AddCircumstanceToPostRedirect < ActiveRecord::Migration
+ def self.up
+ add_column :post_redirects, :circumstance, :text, :default => "normal"
+ PostRedirect.update_all "circumstance = 'normal'"
+ change_column :post_redirects, :circumstance, :text, :default => "normal", :null => false
+ end
+
+ def self.down
+ remove_column :post_redirects, :circumstance
+ end
+end
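Review bot: The `PostRedirect.update_all` call in `self.up` ties the migration to the current model class, which tends to break when the model is later renamed or gains validations and callbacks the migration did not anticipate; migrations usually stay self-contained with `execute "UPDATE post_redirects SET circumstance = 'normal'"`. If the adapter backfills defaults on `add_column`, as PostgreSQL and MySQL do, the update is redundant anyway and the `change_column` to `:null => false` would succeed without it. The `self.down` is fine as written.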
diff --git a/db/schema.rb b/db/schema.rb
index 2f304ddc7..d057a9a10 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -9,7 +9,7 @@
#
# It's strongly recommended to check this file into your version control system.
-ActiveRecord::Schema.define(:version => 44) do
+ActiveRecord::Schema.define(:version => 45) do
create_table "incoming_messages", :force => true do |t|
t.integer "info_request_id", :null => false
@@ -56,14 +56,15 @@ ActiveRecord::Schema.define(:version => 44) do
end
create_table "post_redirects", :force => true do |t|
- t.text "token", :null => false
- t.text "uri", :null => false
+ t.text "token", :null => false
+ t.text "uri", :null => false
t.text "post_params_yaml"
- t.datetime "created_at", :null => false
- t.datetime "updated_at", :null => false
- t.text "email_token", :null => false
+ t.datetime "created_at", :null => false
+ t.datetime "updated_at", :null => false
+ t.text "email_token", :null => false
t.text "reason_params_yaml"
t.integer "user_id"
+ t.text "circumstance", :default => "normal", :null => false
end
add_index "post_redirects", ["email_token"], :name => "index_post_redirects_on_email_token"
diff --git a/todo.txt b/todo.txt
index ab0060465..983238df1 100644
--- a/todo.txt
+++ b/todo.txt
@@ -1,4 +1,5 @@
-remove is_bounce
+:user_authtype is crappy
+:submitted_signchange_email is wrong
Search: