clearance 0.16.2 → 0.16.3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of clearance might be problematic. Click here for more details.
- data/Gemfile.lock +1 -1
- data/NEWS.md +5 -0
- data/app/controllers/clearance/passwords_controller.rb +4 -4
- data/db/schema.rb +3 -2
- data/gemfiles/3.0.12.gemfile.lock +1 -1
- data/gemfiles/3.1.4.gemfile.lock +1 -1
- data/gemfiles/3.2.3.gemfile.lock +1 -1
- data/lib/clearance/version.rb +1 -1
- data/spec/controllers/passwords_controller_spec.rb +16 -0
- metadata +35 -35
data/Gemfile.lock
CHANGED
data/NEWS.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
New for 0.17.0:
|
|
2
|
+
|
|
3
|
+
* Handle the security issue found in Rails by Ben Murphy. Some details
|
|
4
|
+
can be found on the Rails commit: https://github.com/rails/rails/commit/5f91ea3dc1ed3fa1c6be2cff7de1d1663990b0c3
|
|
5
|
+
|
|
1
6
|
New for 0.16.2:
|
|
2
7
|
|
|
3
8
|
* Change default email sender to deploy@example.com .
|
|
@@ -23,13 +23,13 @@ class Clearance::PasswordsController < ApplicationController
|
|
|
23
23
|
|
|
24
24
|
def edit
|
|
25
25
|
@user = Clearance.configuration.user_model.find_by_id_and_confirmation_token(
|
|
26
|
-
params[:user_id], params[:token])
|
|
26
|
+
params[:user_id], params[:token].to_s)
|
|
27
27
|
render :template => 'passwords/edit'
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
def update
|
|
31
31
|
@user = Clearance.configuration.user_model.find_by_id_and_confirmation_token(
|
|
32
|
-
params[:user_id], params[:token])
|
|
32
|
+
params[:user_id], params[:token].to_s)
|
|
33
33
|
|
|
34
34
|
if @user.update_password(params[:user][:password])
|
|
35
35
|
sign_in(@user)
|
|
@@ -43,7 +43,7 @@ class Clearance::PasswordsController < ApplicationController
|
|
|
43
43
|
private
|
|
44
44
|
|
|
45
45
|
def forbid_missing_token
|
|
46
|
-
if params[:token].blank?
|
|
46
|
+
if params[:token].to_s.blank?
|
|
47
47
|
flash_failure_when_forbidden
|
|
48
48
|
render :template => 'passwords/new'
|
|
49
49
|
end
|
|
@@ -51,7 +51,7 @@ class Clearance::PasswordsController < ApplicationController
|
|
|
51
51
|
|
|
52
52
|
def forbid_non_existent_user
|
|
53
53
|
unless Clearance.configuration.user_model.find_by_id_and_confirmation_token(
|
|
54
|
-
params[:user_id], params[:token])
|
|
54
|
+
params[:user_id], params[:token].to_s)
|
|
55
55
|
flash_failure_when_forbidden
|
|
56
56
|
render :template => 'passwords/new'
|
|
57
57
|
end
|
data/db/schema.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
1
2
|
# This file is auto-generated from the current state of the database. Instead
|
|
2
3
|
# of editing this file, please use the migrations feature of Active Record to
|
|
3
4
|
# incrementally modify your database, and then regenerate this schema definition.
|
|
@@ -18,8 +19,8 @@ ActiveRecord::Schema.define(:version => 20110111224543) do
|
|
|
18
19
|
t.string "salt", :limit => 128
|
|
19
20
|
t.string "confirmation_token", :limit => 128
|
|
20
21
|
t.string "remember_token", :limit => 128
|
|
21
|
-
t.datetime "created_at"
|
|
22
|
-
t.datetime "updated_at"
|
|
22
|
+
t.datetime "created_at", :null => false
|
|
23
|
+
t.datetime "updated_at", :null => false
|
|
23
24
|
end
|
|
24
25
|
|
|
25
26
|
add_index "users", ["email"], :name => "index_users_on_email"
|
data/gemfiles/3.1.4.gemfile.lock
CHANGED
data/gemfiles/3.2.3.gemfile.lock
CHANGED
data/lib/clearance/version.rb
CHANGED
|
@@ -153,6 +153,22 @@ describe Clearance::PasswordsController do
|
|
|
153
153
|
it { should respond_with(:success) }
|
|
154
154
|
it { should render_template(:edit) }
|
|
155
155
|
end
|
|
156
|
+
|
|
157
|
+
describe "on PUT to #update with an empty token after the user sets a password" do
|
|
158
|
+
before do
|
|
159
|
+
put :update,
|
|
160
|
+
:user_id => @user.to_param,
|
|
161
|
+
:token => @user.confirmation_token,
|
|
162
|
+
:user => { :password => 'good password' }
|
|
163
|
+
put :update,
|
|
164
|
+
:user_id => @user.to_param,
|
|
165
|
+
:token => [nil],
|
|
166
|
+
:user => { :password => 'new password' }
|
|
167
|
+
end
|
|
168
|
+
|
|
169
|
+
it { should set_the_flash.to(/double check the URL/i).now }
|
|
170
|
+
it { should render_template(:new) }
|
|
171
|
+
end
|
|
156
172
|
end
|
|
157
173
|
|
|
158
174
|
describe "given two users and user one signs in" do
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: clearance
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.16.
|
|
4
|
+
version: 0.16.3
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -18,11 +18,11 @@ authors:
|
|
|
18
18
|
autorequire:
|
|
19
19
|
bindir: bin
|
|
20
20
|
cert_chain: []
|
|
21
|
-
date: 2012-
|
|
21
|
+
date: 2012-06-01 00:00:00.000000000Z
|
|
22
22
|
dependencies:
|
|
23
23
|
- !ruby/object:Gem::Dependency
|
|
24
24
|
name: rails
|
|
25
|
-
requirement: &
|
|
25
|
+
requirement: &26263740 !ruby/object:Gem::Requirement
|
|
26
26
|
none: false
|
|
27
27
|
requirements:
|
|
28
28
|
- - ! '>='
|
|
@@ -30,10 +30,10 @@ dependencies:
|
|
|
30
30
|
version: '3.0'
|
|
31
31
|
type: :runtime
|
|
32
32
|
prerelease: false
|
|
33
|
-
version_requirements: *
|
|
33
|
+
version_requirements: *26263740
|
|
34
34
|
- !ruby/object:Gem::Dependency
|
|
35
35
|
name: diesel
|
|
36
|
-
requirement: &
|
|
36
|
+
requirement: &26263200 !ruby/object:Gem::Requirement
|
|
37
37
|
none: false
|
|
38
38
|
requirements:
|
|
39
39
|
- - ~>
|
|
@@ -41,10 +41,10 @@ dependencies:
|
|
|
41
41
|
version: 0.1.5
|
|
42
42
|
type: :runtime
|
|
43
43
|
prerelease: false
|
|
44
|
-
version_requirements: *
|
|
44
|
+
version_requirements: *26263200
|
|
45
45
|
- !ruby/object:Gem::Dependency
|
|
46
46
|
name: bundler
|
|
47
|
-
requirement: &
|
|
47
|
+
requirement: &26262720 !ruby/object:Gem::Requirement
|
|
48
48
|
none: false
|
|
49
49
|
requirements:
|
|
50
50
|
- - ~>
|
|
@@ -52,10 +52,10 @@ dependencies:
|
|
|
52
52
|
version: 1.1.0
|
|
53
53
|
type: :development
|
|
54
54
|
prerelease: false
|
|
55
|
-
version_requirements: *
|
|
55
|
+
version_requirements: *26262720
|
|
56
56
|
- !ruby/object:Gem::Dependency
|
|
57
57
|
name: appraisal
|
|
58
|
-
requirement: &
|
|
58
|
+
requirement: &26262240 !ruby/object:Gem::Requirement
|
|
59
59
|
none: false
|
|
60
60
|
requirements:
|
|
61
61
|
- - ~>
|
|
@@ -63,10 +63,10 @@ dependencies:
|
|
|
63
63
|
version: 0.4.1
|
|
64
64
|
type: :development
|
|
65
65
|
prerelease: false
|
|
66
|
-
version_requirements: *
|
|
66
|
+
version_requirements: *26262240
|
|
67
67
|
- !ruby/object:Gem::Dependency
|
|
68
68
|
name: cucumber-rails
|
|
69
|
-
requirement: &
|
|
69
|
+
requirement: &26254940 !ruby/object:Gem::Requirement
|
|
70
70
|
none: false
|
|
71
71
|
requirements:
|
|
72
72
|
- - ~>
|
|
@@ -74,10 +74,10 @@ dependencies:
|
|
|
74
74
|
version: 1.1.1
|
|
75
75
|
type: :development
|
|
76
76
|
prerelease: false
|
|
77
|
-
version_requirements: *
|
|
77
|
+
version_requirements: *26254940
|
|
78
78
|
- !ruby/object:Gem::Dependency
|
|
79
79
|
name: rspec-rails
|
|
80
|
-
requirement: &
|
|
80
|
+
requirement: &26254480 !ruby/object:Gem::Requirement
|
|
81
81
|
none: false
|
|
82
82
|
requirements:
|
|
83
83
|
- - ~>
|
|
@@ -85,10 +85,10 @@ dependencies:
|
|
|
85
85
|
version: 2.9.0
|
|
86
86
|
type: :development
|
|
87
87
|
prerelease: false
|
|
88
|
-
version_requirements: *
|
|
88
|
+
version_requirements: *26254480
|
|
89
89
|
- !ruby/object:Gem::Dependency
|
|
90
90
|
name: sqlite3
|
|
91
|
-
requirement: &
|
|
91
|
+
requirement: &26254100 !ruby/object:Gem::Requirement
|
|
92
92
|
none: false
|
|
93
93
|
requirements:
|
|
94
94
|
- - ! '>='
|
|
@@ -96,10 +96,10 @@ dependencies:
|
|
|
96
96
|
version: '0'
|
|
97
97
|
type: :development
|
|
98
98
|
prerelease: false
|
|
99
|
-
version_requirements: *
|
|
99
|
+
version_requirements: *26254100
|
|
100
100
|
- !ruby/object:Gem::Dependency
|
|
101
101
|
name: bourne
|
|
102
|
-
requirement: &
|
|
102
|
+
requirement: &26253520 !ruby/object:Gem::Requirement
|
|
103
103
|
none: false
|
|
104
104
|
requirements:
|
|
105
105
|
- - ~>
|
|
@@ -107,10 +107,10 @@ dependencies:
|
|
|
107
107
|
version: 1.1.2
|
|
108
108
|
type: :development
|
|
109
109
|
prerelease: false
|
|
110
|
-
version_requirements: *
|
|
110
|
+
version_requirements: *26253520
|
|
111
111
|
- !ruby/object:Gem::Dependency
|
|
112
112
|
name: timecop
|
|
113
|
-
requirement: &
|
|
113
|
+
requirement: &26253100 !ruby/object:Gem::Requirement
|
|
114
114
|
none: false
|
|
115
115
|
requirements:
|
|
116
116
|
- - ! '>='
|
|
@@ -118,10 +118,10 @@ dependencies:
|
|
|
118
118
|
version: '0'
|
|
119
119
|
type: :development
|
|
120
120
|
prerelease: false
|
|
121
|
-
version_requirements: *
|
|
121
|
+
version_requirements: *26253100
|
|
122
122
|
- !ruby/object:Gem::Dependency
|
|
123
123
|
name: capybara
|
|
124
|
-
requirement: &
|
|
124
|
+
requirement: &26252540 !ruby/object:Gem::Requirement
|
|
125
125
|
none: false
|
|
126
126
|
requirements:
|
|
127
127
|
- - ~>
|
|
@@ -129,10 +129,10 @@ dependencies:
|
|
|
129
129
|
version: 1.1.2
|
|
130
130
|
type: :development
|
|
131
131
|
prerelease: false
|
|
132
|
-
version_requirements: *
|
|
132
|
+
version_requirements: *26252540
|
|
133
133
|
- !ruby/object:Gem::Dependency
|
|
134
134
|
name: factory_girl_rails
|
|
135
|
-
requirement: &
|
|
135
|
+
requirement: &26252040 !ruby/object:Gem::Requirement
|
|
136
136
|
none: false
|
|
137
137
|
requirements:
|
|
138
138
|
- - ~>
|
|
@@ -140,10 +140,10 @@ dependencies:
|
|
|
140
140
|
version: 3.1.0
|
|
141
141
|
type: :development
|
|
142
142
|
prerelease: false
|
|
143
|
-
version_requirements: *
|
|
143
|
+
version_requirements: *26252040
|
|
144
144
|
- !ruby/object:Gem::Dependency
|
|
145
145
|
name: shoulda-matchers
|
|
146
|
-
requirement: &
|
|
146
|
+
requirement: &26251580 !ruby/object:Gem::Requirement
|
|
147
147
|
none: false
|
|
148
148
|
requirements:
|
|
149
149
|
- - ~>
|
|
@@ -151,10 +151,10 @@ dependencies:
|
|
|
151
151
|
version: 1.1.0
|
|
152
152
|
type: :development
|
|
153
153
|
prerelease: false
|
|
154
|
-
version_requirements: *
|
|
154
|
+
version_requirements: *26251580
|
|
155
155
|
- !ruby/object:Gem::Dependency
|
|
156
156
|
name: database_cleaner
|
|
157
|
-
requirement: &
|
|
157
|
+
requirement: &26251200 !ruby/object:Gem::Requirement
|
|
158
158
|
none: false
|
|
159
159
|
requirements:
|
|
160
160
|
- - ! '>='
|
|
@@ -162,10 +162,10 @@ dependencies:
|
|
|
162
162
|
version: '0'
|
|
163
163
|
type: :development
|
|
164
164
|
prerelease: false
|
|
165
|
-
version_requirements: *
|
|
165
|
+
version_requirements: *26251200
|
|
166
166
|
- !ruby/object:Gem::Dependency
|
|
167
167
|
name: launchy
|
|
168
|
-
requirement: &
|
|
168
|
+
requirement: &26250740 !ruby/object:Gem::Requirement
|
|
169
169
|
none: false
|
|
170
170
|
requirements:
|
|
171
171
|
- - ! '>='
|
|
@@ -173,10 +173,10 @@ dependencies:
|
|
|
173
173
|
version: '0'
|
|
174
174
|
type: :development
|
|
175
175
|
prerelease: false
|
|
176
|
-
version_requirements: *
|
|
176
|
+
version_requirements: *26250740
|
|
177
177
|
- !ruby/object:Gem::Dependency
|
|
178
178
|
name: aruba
|
|
179
|
-
requirement: &
|
|
179
|
+
requirement: &26250240 !ruby/object:Gem::Requirement
|
|
180
180
|
none: false
|
|
181
181
|
requirements:
|
|
182
182
|
- - ~>
|
|
@@ -184,7 +184,7 @@ dependencies:
|
|
|
184
184
|
version: 0.4.11
|
|
185
185
|
type: :development
|
|
186
186
|
prerelease: false
|
|
187
|
-
version_requirements: *
|
|
187
|
+
version_requirements: *26250240
|
|
188
188
|
description: Rails authentication & authorization with email & password.
|
|
189
189
|
email: support@thoughtbot.com
|
|
190
190
|
executables: []
|
|
@@ -294,7 +294,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
294
294
|
version: '0'
|
|
295
295
|
segments:
|
|
296
296
|
- 0
|
|
297
|
-
hash:
|
|
297
|
+
hash: 1832581337987577676
|
|
298
298
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
299
299
|
none: false
|
|
300
300
|
requirements:
|
|
@@ -303,10 +303,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
303
303
|
version: '0'
|
|
304
304
|
segments:
|
|
305
305
|
- 0
|
|
306
|
-
hash:
|
|
306
|
+
hash: 1832581337987577676
|
|
307
307
|
requirements: []
|
|
308
308
|
rubyforge_project:
|
|
309
|
-
rubygems_version: 1.8.
|
|
309
|
+
rubygems_version: 1.8.10
|
|
310
310
|
signing_key:
|
|
311
311
|
specification_version: 3
|
|
312
312
|
summary: Rails authentication & authorization with email & password.
|