From b82ac70a3367072882aa259dae0b6a1b6e3288fa Mon Sep 17 00:00:00 2001
From: justin
Date: Thu, 14 Apr 2011 00:44:08 -0700
Subject: [PATCH 1/1] User summary method is now more secure. Email change method prtects account SQL injection and meta characters, but doesn't do address validation.
---
 app/controllers/account_controller.rb | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index ce4303d..4b7fea9 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -60,7 +60,17 @@ class AccountController < ApplicationController
 #The following methods are for selectricity specific uses
 def summary
- @user = User.find(params[:id])
+ #@user = User.find(params[:id])
+
+ #constrain the find command such that it only returns the user if it's the currently
+ #logged in user, otherwise, redirect to the front page
+ id = params[:id]
+ user_id = session[:user][:id]
+ @user = User.find(id, :conditions => ["id = ?", user_id])
+
+ rescue
+ redirect_to :controller =>'front'
+
 end
 def change_contact
--
2.39.5
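Review bot: The bare `rescue` added to `summary` turns every failure into a redirect to `front`, not just the "wrong user" case: `session[:user][:id]` raises NoMethodError when nobody is logged in, and a database error from `User.find` would be swallowed the same way, so real bugs become an unexplained bounce to the front page. The `User.find(id, :conditions => ["id = ?", user_id])` construction also expresses the authorization check indirectly, relying on `RecordNotFound` being raised and caught rather than comparing the requested id with the session id. I would make the ownership check explicit, drop the blanket rescue so that `User.find` failures surface (or rescue `ActiveRecord::RecordNotFound` specifically), and delete the commented-out `#@user = User.find(params[:id])` line since git already keeps that history. The hunk ends at `def change_contact`, whose body is outside this hunk, so the email-change hardening the subject line describes is not visible here.
```ruby
  def summary
    current_id = session[:user] && session[:user][:id]
    # Only the logged-in user may view their own summary; anyone else goes to the front page.
    unless current_id && params[:id].to_s == current_id.to_s
      redirect_to :controller => 'front'
      return
    end
    @user = User.find(current_id)
  end
```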