User summary method is now more secure. Email change method prtects account SQL injec...

[selectricity] / app / controllers / account_controller.rb

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 6595b9b1144fb017a108233d683dadbd13fb0139..4b7fea9fc17451bdb11fde5be136ee7b022ccd1c 100644 (file)
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -1,3 +1,10 @@
+# Selectricity: Voting Machinery for the Masses
+# Copyright (C) 2007, 2008 Benjamin Mako Hill <mako@atdot.cc>
+# Copyright (C) 2007 Massachusetts Institute of Technology
+#
+# This program is free software. Please see the COPYING file for
+# details.
+
 class AccountController < ApplicationController
   layout 'main'
   
@@ -51,9 +58,28 @@ class AccountController < ApplicationController
   end
   #======================================================================
   
-  #The following methods are for slectricity specific uses
+  #The following methods are for selectricity specific uses
   def summary
+    #@user = User.find(params[:id])
+    
+    #constrain the find command such that it only returns the user if it's the currently
+    #logged in user, otherwise, redirect to the front page
+    id = params[:id]
+    user_id = session[:user][:id]
+    @user = User.find(id, :conditions => ["id = ?", user_id])
+    
+    rescue
+      redirect_to :controller =>'front'
+    
+  end
+  
+  def change_contact
     @user = User.find(params[:id])
+    return unless request.post?
+    @user.email=params[:email]
+    @user.save!
+    flash[:notice] = "Email successfully updated"
+    render :action => 'summary'
   end