couchrest_session_store 0.0.9 → 0.1.0

Files changed (2) hide show
  1. data/lib/couchrest_session_store.rb +10 -4
  2. metadata +2 -2
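--- a/data/lib/couchrest_session_store.rb
+++ b/data/lib/couchrest_session_store.rb
@@ -51,7 +51,7 @@ class CouchRestSessionStore < ActionDispatch::Session::AbstractStore
 
  def get_session(env, sid)
  if sid
- doc = database.get(sid)
+ doc = secure_get(sid)
  session = self.class.unmarshal(doc["data"])
  [sid, session]
  else
@@ -69,21 +69,27 @@ class CouchRestSessionStore < ActionDispatch::Session::AbstractStore
  end
 
  def destroy_session(env, sid, options)
- doc = database.get(sid)
+ doc = secure_get(sid)
  database.delete_doc(doc)
  options[:drop] ? nil : generate_sid
  rescue RestClient::ResourceNotFound
  # already destroyed - we're done.
  end
 
-
  def build_or_update_doc(sid, data)
- doc = database.get(sid)
+ doc = secure_get(sid)
  doc["data"] = data
  return doc
  rescue RestClient::ResourceNotFound
  return CouchRest::Document.new "_id" => sid, "data" => data
  end
 
+ # prevent access to design docs
+ # this should be prevented on a couch permission level as well.
+ # but better be save than sorry.
+ def secure_get(sid)
+ raise RestClient::ResourceNotFound if /^_design\/(.*)/ =~ sid
+ database.get(sid)
+ end
  end
 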
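Review bot: `secure_get` rejects only ids that begin with `_design/`, so a `sid` (presumably client-supplied through the session cookie) that names any other underscore-prefixed id CouchDB reserves still reaches `database.get`. An allow-list is sturdier than this deny-list: if session ids are always the hex strings `generate_sid` normally returns (its definition is not in this diff, so confirm), use `raise RestClient::ResourceNotFound unless /\A[0-9a-f]+\z/ =~ sid`. If the deny-list stays, anchor it with `\A` rather than `^`, which in Ruby matches at every line start, and drop the unused `(.*)` capture. `get_session` continues past the end of the first hunk, so check that the `ResourceNotFound` raised here is rescued there as it is in `destroy_session` and `build_or_update_doc`.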
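--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: couchrest_session_store
  version: !ruby/object:Gem::Version
- version: 0.0.9
+ version: 0.1.0
  prerelease:
  platform: ruby
  authors:
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2013-02-09 00:00:00.000000000 Z
+ date: 2013-02-25 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: couchrest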