From d76c2e82328ed2a00add7bdfb528ed4393e640b7 Mon Sep 17 00:00:00 2001
From: Louise Crow
Date: Fri, 21 Nov 2014 14:54:26 +0000
Subject: Enforce a lifetime on session cookies
Problem described in http://seclists.org/fulldisclosure/2013/Sep/145
Pattern taken from https://www.coffeepowered.net/2013/09/26/rails-session-cookies/
---
app/controllers/user_controller.rb | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
(limited to 'app/controllers/user_controller.rb')
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index baeaab18a..9798ff8e2 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -260,16 +260,8 @@ class UserController < ApplicationController do_post_redirect post_redirect end - # Logout form - def _do_signout - session[:user_id] = nil - session[:user_circumstance] = nil - session[:remember_me] = false - session[:using_admin] = nil - session[:admin_name] = nil - end def signout - self._do_signout + clear_session_credentials if params[:r] redirect_to params[:r] else
--
cgit v1.2.3
From 9ddfdfff9366793516bc09289a1da6156dfd12ca Mon Sep 17 00:00:00 2001
From: Gareth Rees
Date: Thu, 2 Oct 2014 10:17:07 +0100
Subject: Add global protect_from_forgery
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Grepping the git logs didn’t bring up a good reason for this to be excluded. Seems like it came along after the app was initially created so it never got fully added for fear of regressions. The specs pass for this commit.
---
app/controllers/user_controller.rb | 7 -------
1 file changed, 7 deletions(-)
(limited to 'app/controllers/user_controller.rb')
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index baeaab18a..108a6e9e5 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
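Review bot: `signout` now delegates to `clear_session_credentials`, whose body is outside this patch (cgit limited the diff to user_controller.rb), so the hunk alone cannot show that it still does everything the removed `_do_signout` did, in particular resetting `session[:remember_me]` to false and clearing `session[:using_admin]` and `session[:admin_name]`; a spec asserting those keys are absent after signout would pin that. Clearing individual keys also leaves the session identifier in place, and with the cookie store a copy of the pre-logout cookie remains a validly signed session until the lifetime check the commit subject refers to (presumably added in ApplicationController, not visible here) rejects it, so calling `reset_session` after `clear_session_credentials` is worth considering alongside that check. The `redirect_to params[:r]` in the context lines is pre-existing, but since signout is being touched this is a good moment to validate that target as a same-site path before redirecting. The rest of `signout` continues past the hunk.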
@@ -7,15 +7,8 @@ require 'set' class UserController < ApplicationController - layout :select_layout - protect_from_forgery :only => [ :contact, - :set_profile_photo, - :signchangeemail, - :clear_profile_photo, - :set_profile_about_me ] # See ActionController::RequestForgeryProtection for details - # Show page about a user def show long_cache
--
cgit v1.2.3
From 362a7b967819ca0a58dd251ab77842ab18aa7f64 Mon Sep 17 00:00:00 2001
From: Gareth Rees
Date: Wed, 18 Feb 2015 14:43:58 +0000
Subject: Add specs to AboutMeValidator
---
app/controllers/user_controller.rb | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'app/controllers/user_controller.rb')
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 56f42891d..32b6978ea 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -569,6 +569,12 @@ class UserController < ApplicationController return end + if @user.banned? + flash[:error] = _('Banned users cannot edit their profile') + redirect_to set_profile_about_me_path + return + end + @about_me = AboutMeValidator.new(params[:about_me]) if !@about_me.valid? render :action => 'set_profile_about_me'
--
cgit v1.2.3
From d8b9ea8bfe9fdf534504044774f0dcdb4bba20f2 Mon Sep 17 00:00:00 2001
From: Gareth Rees
Date: Wed, 18 Feb 2015 15:37:11 +0000
Subject: Fully prevent banned users editing their photo
---
app/controllers/user_controller.rb | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'app/controllers/user_controller.rb')
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 32b6978ea..d66b4aa8e 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
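Review bot: The per-action `protect_from_forgery :only => [...]` list is removed on the assumption that `ApplicationController` now declares a global one, but that declaration is not in this patch, so a reader of this controller alone can no longer see that `contact`, `set_profile_photo`, `signchangeemail`, `clear_profile_photo` and `set_profile_about_me` are CSRF-checked; a one-line comment in its place, `# CSRF protection for every action is declared in ApplicationController (protect_from_forgery)`, keeps that visible at the point the old list lived. Worth confirming the global declaration's failure mode as well: if it runs with the null-session handler, a request with a bad token is processed with an empty session rather than rejected, whereas `:with => :exception` makes the failure loud, and the actions that used to be listed here are the ones that would feel the difference. The UserController class body continues outside the hunk.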
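Review bot: The banned-user guard added before `@about_me = AboutMeValidator.new(...)` is a block that the next commit on this page (the `set_profile_photo` hunk) copies almost verbatim with a different redirect path, so the flash text and the redirect-and-return shape now live in two places and will drift. A small private helper that takes the path to send the user back to keeps one copy of the message and lets each action stay a single line, assuming `@user` is set at that point the way the added check already relies on. The enclosing `set_profile_about_me` action starts and ends outside the hunk.
```ruby
      # … unchanged: earlier guards in set_profile_about_me …
      return if redirect_banned_user(set_profile_about_me_path)

      @about_me = AboutMeValidator.new(params[:about_me])
      # … unchanged: rest of the action …

    # … elsewhere in UserController, in the private section …

    # Shared guard for the profile-editing actions: when the current user is
    # banned, flash an error, send them to `path` and return true so the
    # caller can stop; returns false otherwise.
    def redirect_banned_user(path)
      return false unless @user.banned?
      flash[:error] = _('Banned users cannot edit their profile')
      redirect_to path
      true
    end
```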
@@ -460,6 +460,12 @@ class UserController < ApplicationController return end if !params[:submitted_draft_profile_photo].nil? + if @user.banned? + flash[:error]= _('Banned users cannot edit their profile') + redirect_to set_profile_photo_path + return + end + # check for uploaded image file_name = nil file_content = nil
--
cgit v1.2.3
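Review bot: The new guard sits inside the `if !params[:submitted_draft_profile_photo].nil?` branch, so it only covers the draft upload; if `set_profile_photo` has a separate crop or confirm branch further down (outside this hunk) that actually stores the photo, that branch needs the same check or the action still leaves a banned user a way to finish the edit. Placing the check once at the top of the action, before any `params` branching, would cover every path and avoid re-adding the block per branch. Style: `flash[:error]= _(...)` is missing the space before `=`; write `flash[:error] = _('Banned users cannot edit their profile')` to match the identical line in the previous commit. `set_profile_photo` starts and ends outside the hunk.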