From: justin
Date: Thu, 14 Apr 2011 07:44:08 +0000 (-0700)
Subject: User summary method is now more secure. Email change method prtects account SQL injec...
X-Git-Url: https://projects.mako.cc/source/selectricity-live/commitdiff_plain/b82ac70a3367072882aa259dae0b6a1b6e3288fa?hp=--cc
User summary method is now more secure. Email change method prtects account SQL injection and meta characters, but doesn't do address validation.
--- b82ac70a3367072882aa259dae0b6a1b6e3288fa
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index ce4303d..4b7fea9 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -60,7 +60,17 @@ class AccountController < ApplicationController
 #The following methods are for selectricity specific uses
 def summary
- @user = User.find(params[:id])
+ #@user = User.find(params[:id])
+
+ #constrain the find command such that it only returns the user if it's the currently
+ #logged in user, otherwise, redirect to the front page
+ id = params[:id]
+ user_id = session[:user][:id]
+ @user = User.find(id, :conditions => ["id = ?", user_id])
+
+ rescue
+ redirect_to :controller =>'front'
+
 end
 def change_contact
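Review bot: The method-level bare `rescue` added to `summary` catches every StandardError, so a database failure or a nil `session[:user]` is treated exactly like a request for another user's id, and all three end in a silent redirect to `front`. Narrow it to the case the ownership check is meant to produce, `rescue ActiveRecord::RecordNotFound`, and handle a missing session explicitly before the lookup (a login filter may already do this outside the hunk). Logging the denial, for example `logger.warn "summary denied: id=#{params[:id].inspect} session_user=#{user_id.inspect}"`, would make repeated requests for other users' ids visible to whoever watches the application log. The commented-out `#@user = User.find(params[:id])` can be dropped, since version history already keeps the old line.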