selectricity-live / commitdiff (parent: b6c33d4)
User summary method is now more secure. Email change method protects account SQL injec...
author: justin <tr0phy13@gmail.com>, Thu, 14 Apr 2011 07:44:08 +0000 (00:44 -0700)
committer: justin <tr0phy13@gmail.com>, Thu, 14 Apr 2011 07:44:08 +0000 (00:44 -0700)
app/controllers/account_controller.rb
diff --git
a/app/controllers/account_controller.rb
b/app/controllers/account_controller.rb
index ce4303dde9694e64a1c00d9293ba291e5abcf85e..4b7fea9fc17451bdb11fde5be136ee7b022ccd1c 100644
(file)
--- a/
app/controllers/account_controller.rb
+++ b/
app/controllers/account_controller.rb
@@
-60,7
+60,17
@@
class AccountController < ApplicationController
#The following methods are for selectricity specific uses
def summary
#The following methods are for selectricity specific uses
def summary
- @user = User.find(params[:id])
+ #@user = User.find(params[:id])
+
+ #constrain the find command such that it only returns the user if it's the currently
+ #logged in user, otherwise, redirect to the front page
+ id = params[:id]
+ user_id = session[:user][:id]
+ @user = User.find(id, :conditions => ["id = ?", user_id])
+
+ rescue
+ redirect_to :controller =>'front'
+
end
def change_contact
end
def change_contact
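Review bot: the bare `rescue` at the end of `summary` catches every StandardError, not only the `ActiveRecord::RecordNotFound` that the `:conditions` lookup raises when `params[:id]` is not the logged-in user's id, so a missing session (`session[:user]` being nil raises NoMethodError on `session[:user][:id]`) or a database error produces the same silent redirect to `front` and hides real failures; narrow it to `rescue ActiveRecord::RecordNotFound` and check for a logged-in session before the lookup. Since the action now only ever shows the caller's own record, `params[:id]` adds nothing except a second way to fail; `@user = User.find(session[:user][:id])` states the intent directly. The commented-out `#@user = User.find(params[:id])` should be deleted rather than left as dead code, and `:controller =>'front'` wants a space after `=>`.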
Benjamin Mako Hill