User summary method is now more secure. Email change method protects account SQL injec...
author justin <tr0phy13@gmail.com>
Thu, 14 Apr 2011 07:44:08 +0000 (00:44 -0700)
committer justin <tr0phy13@gmail.com>
Thu, 14 Apr 2011 07:44:08 +0000 (00:44 -0700)
app/controllers/account_controller.rb

index ce4303dde9694e64a1c00d9293ba291e5abcf85e..4b7fea9fc17451bdb11fde5be136ee7b022ccd1c 100644 (file)
@@ -60,7 +60,17 @@ class AccountController < ApplicationController
   
   #The following methods are for selectricity specific uses
   def summary
-    @user = User.find(params[:id])
+    #@user = User.find(params[:id])
+    
+    #constrain the find command such that it only returns the user if it's the currently
+    #logged in user, otherwise, redirect to the front page
+    id = params[:id]
+    user_id = session[:user][:id]
+    @user = User.find(id, :conditions => ["id = ?", user_id])
+    
+    rescue
+      redirect_to :controller =>'front'
+    
   end
   
   def change_contact
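Review bot: the bare `rescue` at the end of `summary` catches every StandardError, not just the `ActiveRecord::RecordNotFound` that `User.find` raises when `params[:id]` does not match the session user, so a nil `session[:user]` (NoMethodError on `nil[:id]`), a database error or any other bug in the method silently becomes a redirect to the front page and is never logged. Narrow it to `rescue ActiveRecord::RecordNotFound` and make the logged-in check explicit before the query, e.g. `return redirect_to(:controller => 'front') unless session[:user]`, or put the login requirement in a `before_filter` shared with `change_contact`. Since the only record this action may return is the session user's own, `params[:id]` adds nothing but a second value to compare; loading `User.find(session[:user][:id])` and ignoring the parameter (or redirecting when `params[:id].to_i != session[:user][:id]`) is simpler and leaves no path where a mismatched id reaches the query. The commented-out `#@user = User.find(params[:id])` line should be deleted rather than left in place, since the unconstrained lookup is exactly what this change removes.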

Benjamin Mako Hill || Want to submit a patch?