author | francis <francis> | 2007-11-02 10:28:20 +0000 |
---|---|---|
committer | francis <francis> | 2007-11-02 10:28:20 +0000 |
commit | 935fb0717b5bf1b4b5e5ac47fd5ca057a610c9b1 (patch) | |
tree | cd5b91debf3cd9cd9f7aabc7212d53bdba2ba379 | |
parent | 39f4a8cbfa732dad0cc705761bec526de2a4df72 (diff) |
Token for email confirmations.
-rw-r--r-- | app/models/post_redirect.rb | 26 | ||||
-rw-r--r-- | db/migrate/015_add_email_token_to_post_redirects.rb | 9 | ||||
-rw-r--r-- | db/schema.rb | 3 | ||||
-rw-r--r-- | spec/controllers/request_controller_spec.rb | 2 | ||||
-rw-r--r-- | todo.txt | 22 |
5 files changed, 34 insertions, 28 deletions
diff --git a/app/models/post_redirect.rb b/app/models/post_redirect.rb
index ab1a365f9..b7cf39092 100644
--- a/app/models/post_redirect.rb
+++ b/app/models/post_redirect.rb
@@ -5,7 +5,7 @@
 # Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
 # Email: francis@mysociety.org; WWW: http://www.mysociety.org/
 #
-# $Id: post_redirect.rb,v 1.1 2007-11-01 14:45:56 francis Exp $
+# $Id: post_redirect.rb,v 1.2 2007-11-02 10:28:20 francis Exp $
 require 'openssl' # for random bytes function
@@ -18,19 +18,29 @@ class PostRedirect < ActiveRecord::Base
 YAML.load(self.post_params_yaml)
 end
+ # Makes a random token, suitable for using in URLs e.g confirmation messages.
+ def self.generate_random_token
+ bits = 12 * 8
+ # Make range from value to double value, so number of digits in base 36
+ # encoding is quite long always.
+ rand_num = rand(max = 2**(bits+1)) + 2**bits
+ rand_num.to_s(base=36)
+ end
+
 # Make the token
 def after_initialize
+ # The token is used to return you to what you are doing after the login form.
 if not self.token
- bytes = OpenSSL::Random.random_bytes(12)
- # XXX Ruby has some base function that can do base 62 or 32 more easily?
- base64 = [bytes].pack("m9999").strip
- base64.gsub("+", "a")
- base64.gsub("/", "b")
- base64.gsub("=", "c")
- self.token = base64
+ self.token = PostRedirect.generate_random_token
+ end
+ # There is a separate token to use in the URL if we send a confirmation email.
+ # This is because
+ if not self.email_token
+ self.email_token = PostRedirect.generate_random_token
 end
 end
 end
+
diff --git a/db/migrate/015_add_email_token_to_post_redirects.rb b/db/migrate/015_add_email_token_to_post_redirects.rb
new file mode 100644
index 000000000..47d070533
--- /dev/null
+++ b/db/migrate/015_add_email_token_to_post_redirects.rb
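Review bot: `generate_random_token` draws its value from `rand`, Ruby's non-cryptographic Mersenne Twister, whereas the bytes it replaces came from `OpenSSL::Random.random_bytes`; because the result becomes both the login-return `token` and the `email_token` placed in confirmation links, a predictable generator weakens exactly the secret those links rely on, and under a forking app server child processes may even inherit identical generator state (worth confirming for this deployment). Since `require 'openssl'` is still at the top of the file, the two lines could read `rand_num = OpenSSL::Random.random_bytes(bits / 8).unpack("H*")[0].to_i(16) + 2**bits` and `rand_num.to_s(36)`, which also matches the "value to double value" comment, whereas `rand(2**(bits+1)) + 2**bits` spans from 2**bits up to 3 * 2**bits. The `max =` and `base =` inside the call parentheses are ordinary local assignments, not keyword arguments, so they only create unused locals. The `# This is because` comment above the `email_token` branch is left unfinished and should either state the reason or be dropped.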
@@ -0,0 +1,9 @@
+class AddEmailTokenToPostRedirects < ActiveRecord::Migration
+ def self.up
+ add_column :post_redirects, :email_token, :text
+ end
+
+ def self.down
+ remove_column :post_redirects, :email_token
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 1f0181d25..dce64b418 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -2,7 +2,7 @@
 # migrations feature of ActiveRecord to incrementally modify your database, and
 # then regenerate this schema definition.
-ActiveRecord::Schema.define(:version => 14) do
+ActiveRecord::Schema.define(:version => 15) do
 create_table "incoming_messages", :force => true do |t|
 t.column "info_request_id", :integer
@@ -35,6 +35,7 @@ ActiveRecord::Schema.define(:version => 14) do
 t.column "post_params_yaml", :text
 t.column "created_at", :datetime
 t.column "updated_at", :datetime
+ t.column "email_token", :text
 end
 create_table "public_bodies", :force => true do |t|
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index 7ba066ad2..3a4bc0a36 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -83,7 +83,7 @@ describe RequestController, "when creating a new request" do
 response.should redirect_to(:controller => 'user', :action => 'signin', :token => post_redirect.token)
 end
- it "should create the request and outgoing message and redirec to request page when input is good and somebody is logged in" do
+ it "should create the request and outgoing message and redirect to request page when input is good and somebody is logged in" do
 session[:user] = users(:bob_smith_user)
 post :create, :info_request => { :public_body_id => public_bodies(:geraldine_public_body).id, :title => "Why is your quango called Geraldine?"},
@@ -1,8 +1,3 @@
-Online
-======
-
-Work out how to do controller/view integrated specs and add some
-
 Next
 ====
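Review bot: The new `email_token` column is added with no index, although a token sent out in confirmation links is presumably resolved by finding the `post_redirects` row that holds it, which would scan the table on every click; the same lookup pattern makes uniqueness of the value something the schema currently leaves to chance. Adding `add_index :post_redirects, :email_token` in `self.up` with the matching `remove_index :post_redirects, :email_token` in `self.down` keeps the migration reversible and covers the lookup. The schema.rb, spec typo and todo.txt hunks on this line need nothing.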
@@ -11,22 +6,11 @@ Send email to requestor telling them new information has come in Make it say "dear" as default letter -Shitty using sessions for redirect back - you lose if you click login - link elsewhere in same browser, and then do sign in on original. - It trashes your whole request. - -Use something other than session for post redirect store, so can go via email -If you recently made a request, then a login will try to make it again because - all the stuff for the post redirect is in the session. Consider again - -Write some tests (using rspec) +Work out how to do controller/view integrated specs and add some Tidying ======= -Links to user pages with <sup> etc. in don't work -Check that when on such a page <title> etc. is right - Prevent double posting of same request If summary is blank, says "title must be filled in" grrrr @@ -40,10 +24,12 @@ Add SQL foreign keys to database schema http://www.redhillconsulting.com.au/rails_plugins.html#foreign_key_migrations http://rubyforge.org/projects/mig-constraints/ Call "delete from sessions where now() - updated_at > 3600" (one hour) or whatever - - take care about this if you're still keeping POST requests in sessions during login Do pretty error messages, e.g. on invalid public body name page etc. +404s on all invalid URL parameters +Hook global error message also + Legal/privacy ============= |