From b82ac70a3367072882aa259dae0b6a1b6e3288fa Mon Sep 17 00:00:00 2001
From: justin <tr0phy13@gmail.com>
Date: Thu, 14 Apr 2011 00:44:08 -0700
Subject: [PATCH] User summary method is now more secure. Email change method
 prtects account SQL injection and meta characters, but doesn't do address
 validation.

---
 app/controllers/account_controller.rb | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index ce4303d..4b7fea9 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -60,7 +60,17 @@ class AccountController < ApplicationController
   
   #The following methods are for selectricity specific uses
   def summary
-    @user = User.find(params[:id])
+    #@user = User.find(params[:id])
+    
+    #constrain the find command such that it only returns the user if it's the currently
+    #logged in user, otherwise, redirect to the front page
+    id = params[:id]
+    user_id = session[:user][:id]
+    @user = User.find(id, :conditions => ["id = ?", user_id])
+    
+    rescue
+      redirect_to :controller =>'front'
+    
   end
   
   def change_contact
-- 
2.30.2