Upgraded to Rails 3.1. as_json serialization changed to where only su…

…bresources use to_xml/serializable_hash so there's a slight security problem where as_json objects return protected attributres. Majorly refactored to some more Rails 3 type conventions and got rid of custom mass assignment authorizer and now using ActiveModel::MassAssignmentSecurity.
austinonrails · Sep 11, 2011 · 62798c8 · 62798c8
1 parent 677e401
commit 62798c8
Show file tree

Hide file tree

Showing 40 changed files with 319 additions and 211 deletions.
diff --git a/.rvmrc b/.rvmrc
@@ -0,0 +1,3 @@
+rvm_gemset_create_on_use_flag=1
+rvm ruby-1.9.2@raor
+echo "Switching to" `rvm current`
diff --git a/Gemfile b/Gemfile
@@ -1,19 +1,19 @@
 source 'http://rubygems.org'
 source "http://gems.github.com"
 
-gem 'rails', '3.0.9'
+gem 'rails', '3.1.0'
 
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
 
 #gem 'sqlite3'
-gem 'pg'
-gem 'devise', '1.4.2'
-gem 'omniauth', '0.2.6'
-gem "oa-oauth", '0.2.6', :require => "omniauth/oauth"
-gem 'devise-twitter', '0.1.1'
-gem 'cancan', '1.6.5'
-gem 'will_paginate', '3.0.0'
+gem 'pg', '~>0.11.0'
+gem 'devise', '~>1.4.5'
+gem 'omniauth', '~>0.2.6'
+gem "oa-oauth", '~>0.2.6', :require => "omniauth/oauth"
+gem 'devise-twitter', '~>0.1.1'
+gem 'cancan', '~>1.6.5'
+gem 'will_paginate', '~>3.0.0'
 
 # Use unicorn as the web server
 gem 'unicorn'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -2,38 +2,40 @@ GEM
   remote: http://rubygems.org/
   remote: http://gems.github.com/
   specs:
-    abstract (1.0.0)
-    actionmailer (3.0.9)
-      actionpack (= 3.0.9)
-      mail (~> 2.2.19)
-    actionpack (3.0.9)
-      activemodel (= 3.0.9)
-      activesupport (= 3.0.9)
-      builder (~> 2.1.2)
-      erubis (~> 2.6.6)
-      i18n (~> 0.5.0)
-      rack (~> 1.2.1)
-      rack-mount (~> 0.6.14)
-      rack-test (~> 0.5.7)
-      tzinfo (~> 0.3.23)
-    activemodel (3.0.9)
-      activesupport (= 3.0.9)
-      builder (~> 2.1.2)
-      i18n (~> 0.5.0)
-    activerecord (3.0.9)
-      activemodel (= 3.0.9)
-      activesupport (= 3.0.9)
-      arel (~> 2.0.10)
-      tzinfo (~> 0.3.23)
-    activeresource (3.0.9)
-      activemodel (= 3.0.9)
-      activesupport (= 3.0.9)
-    activesupport (3.0.9)
+    actionmailer (3.1.0)
+      actionpack (= 3.1.0)
+      mail (~> 2.3.0)
+    actionpack (3.1.0)
+      activemodel (= 3.1.0)
+      activesupport (= 3.1.0)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      i18n (~> 0.6)
+      rack (~> 1.3.2)
+      rack-cache (~> 1.0.3)
+      rack-mount (~> 0.8.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.0.0)
+    activemodel (3.1.0)
+      activesupport (= 3.1.0)
+      bcrypt-ruby (~> 3.0.0)
+      builder (~> 3.0.0)
+      i18n (~> 0.6)
+    activerecord (3.1.0)
+      activemodel (= 3.1.0)
+      activesupport (= 3.1.0)
+      arel (~> 2.2.1)
+      tzinfo (~> 0.3.29)
+    activeresource (3.1.0)
+      activemodel (= 3.1.0)
+      activesupport (= 3.1.0)
+    activesupport (3.1.0)
+      multi_json (~> 1.0)
     addressable (2.2.4)
     archive-tar-minitar (0.5.2)
-    arel (2.0.10)
-    bcrypt-ruby (2.1.4)
-    builder (2.1.2)
+    arel (2.2.1)
+    bcrypt-ruby (3.0.0)
+    builder (3.0.0)
     cancan (1.6.5)
     capistrano (2.8.0)
       highline
@@ -42,26 +44,25 @@ GEM
       net-ssh (>= 2.0.14)
       net-ssh-gateway (>= 1.1.0)
     columnize (0.3.4)
-    devise (1.4.2)
-      bcrypt-ruby (~> 2.1.2)
+    devise (1.4.5)
+      bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.0.3)
       warden (~> 1.0.3)
     devise-twitter (0.1.1)
       devise (>= 1.1.0)
       warden_oauth (~> 0.1.1)
-    erubis (2.6.6)
-      abstract (>= 1.0.0)
+    erubis (2.7.0)
     faraday (0.6.1)
       addressable (~> 2.2.4)
       multipart-post (~> 1.1.0)
       rack (>= 1.1.0, < 2)
     highline (1.6.2)
-    i18n (0.5.0)
+    hike (1.2.1)
+    i18n (0.6.0)
     kgio (2.6.0)
     linecache19 (0.5.12)
       ruby_core_source (>= 0.1.4)
-    mail (2.2.19)
-      activesupport (>= 2.3.6)
+    mail (2.3.0)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
@@ -74,7 +75,7 @@ GEM
       net-ssh (>= 1.99.1)
     net-sftp (2.0.5)
       net-ssh (>= 2.0.9)
-    net-ssh (2.2.0)
+    net-ssh (2.2.1)
     net-ssh-gateway (1.1.0)
       net-ssh (>= 1.99.1)
     nokogiri (1.4.7)
@@ -119,32 +120,37 @@ GEM
     pg (0.11.0)
     polyglot (0.3.2)
     pyu-ruby-sasl (0.0.3.3)
-    rack (1.2.3)
-    rack-mount (0.6.14)
+    rack (1.3.2)
+    rack-cache (1.0.3)
+      rack (>= 0.4)
+    rack-mount (0.8.3)
       rack (>= 1.0.0)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-test (0.5.7)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
       rack (>= 1.0)
-    rails (3.0.9)
-      actionmailer (= 3.0.9)
-      actionpack (= 3.0.9)
-      activerecord (= 3.0.9)
-      activeresource (= 3.0.9)
-      activesupport (= 3.0.9)
+    rails (3.1.0)
+      actionmailer (= 3.1.0)
+      actionpack (= 3.1.0)
+      activerecord (= 3.1.0)
+      activeresource (= 3.1.0)
+      activesupport (= 3.1.0)
       bundler (~> 1.0)
-      railties (= 3.0.9)
-    railties (3.0.9)
-      actionpack (= 3.0.9)
-      activesupport (= 3.0.9)
+      railties (= 3.1.0)
+    railties (3.1.0)
+      actionpack (= 3.1.0)
+      activesupport (= 3.1.0)
+      rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
-      thor (~> 0.14.4)
+      thor (~> 0.14.6)
     raindrops (0.7.0)
     rake (0.9.2)
-    rdoc (3.9.1)
-    rest-client (1.6.3)
+    rdoc (3.9.4)
+    rest-client (1.6.7)
       mime-types (>= 1.16)
     ruby-debug-base19 (0.11.25)
       columnize (>= 0.3.1)
@@ -160,12 +166,17 @@ GEM
     ruby_core_source (0.1.5)
       archive-tar-minitar (>= 0.5.2)
     rubyntlm (0.1.1)
+    sprockets (2.0.0)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (!= 1.3.0, ~> 1.1)
     thor (0.14.6)
+    tilt (1.3.3)
     treetop (1.4.10)
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.29)
-    unicorn (4.1.0)
+    unicorn (4.1.1)
       kgio (~> 2.4)
       rack
       raindrops (~> 0.6)
@@ -180,14 +191,14 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  cancan (= 1.6.5)
+  cancan (~> 1.6.5)
   capistrano
-  devise (= 1.4.2)
-  devise-twitter (= 0.1.1)
-  oa-oauth (= 0.2.6)
-  omniauth (= 0.2.6)
-  pg
-  rails (= 3.0.9)
+  devise (~> 1.4.5)
+  devise-twitter (~> 0.1.1)
+  oa-oauth (~> 0.2.6)
+  omniauth (~> 0.2.6)
+  pg (~> 0.11.0)
+  rails (= 3.1.0)
   ruby-debug19
   unicorn
-  will_paginate (= 3.0.0)
+  will_paginate (~> 3.0.0)
diff --git a/public/javascripts/DateTimePicker.js → app/assets/javascripts/DateTimePicker.js b/public/javascripts/DateTimePicker.js → app/assets/javascripts/DateTimePicker.js
diff --git a/public/javascripts/admin.js → app/assets/javascripts/admin.js b/public/javascripts/admin.js → app/assets/javascripts/admin.js
diff --git a/public/javascripts/events.js → app/assets/javascripts/events.js b/public/javascripts/events.js → app/assets/javascripts/events.js
diff --git a/public/javascripts/ext_overrides.js → app/assets/javascripts/ext_overrides.js b/public/javascripts/ext_overrides.js → app/assets/javascripts/ext_overrides.js
diff --git a/public/javascripts/raor.js → app/assets/javascripts/raor.js b/public/javascripts/raor.js → app/assets/javascripts/raor.js
diff --git a/public/javascripts/sencha-touch-debug.js → app/assets/javascripts/sencha-touch-debug.js b/public/javascripts/sencha-touch-debug.js → app/assets/javascripts/sencha-touch-debug.js
diff --git a/public/javascripts/sencha-touch.js → app/assets/javascripts/sencha-touch.js b/public/javascripts/sencha-touch.js → app/assets/javascripts/sencha-touch.js
diff --git a/public/stylesheets/images/fade_down.png → app/assets/stylesheets/images/fade_down.png b/public/stylesheets/images/fade_down.png → app/assets/stylesheets/images/fade_down.png
diff --git a/public/stylesheets/images/lf1m.png → app/assets/stylesheets/images/lf1m.png b/public/stylesheets/images/lf1m.png → app/assets/stylesheets/images/lf1m.png
diff --git a/public/stylesheets/images/lfw.png → app/assets/stylesheets/images/lfw.png b/public/stylesheets/images/lfw.png → app/assets/stylesheets/images/lfw.png
diff --git a/public/stylesheets/images/status_unknown.png → ...ets/stylesheets/images/status_unknown.png b/public/stylesheets/images/status_unknown.png → ...ets/stylesheets/images/status_unknown.png
diff --git a/public/stylesheets/master.css → app/assets/stylesheets/master.css b/public/stylesheets/master.css → app/assets/stylesheets/master.css
diff --git a/public/stylesheets/sencha-touch.css → app/assets/stylesheets/sencha-touch.css b/public/stylesheets/sencha-touch.css → app/assets/stylesheets/sencha-touch.css
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,7 +1,14 @@
 class ApplicationController < ActionController::Base
   include BrowserDetect
+  before_filter :authenticate_user!
   protect_from_forgery
   rescue_from CanCan::AccessDenied do |exception|
     redirect_to root_url, :alert => exception.message
   end
+
+  protected
+  def as_what?
+    klass = self.class.name.sub("Controller", "").underscore.split('/').last.singularize.camelize.constantize
+    self.can?(:manage, klass) ? :admin : :default
+  end
 end
diff --git a/app/controllers/checkins_controller.rb b/app/controllers/checkins_controller.rb
@@ -1,41 +1,33 @@
 class CheckinsController < ApplicationController
-  load_and_authorize_resource
-  before_filter :authenticate_user!
+  load_and_authorize_resource :event
+  load_and_authorize_resource :checkin, :through => :event
 
-  def index
-    @event = Event.find(params[:event_id])
-    @checkins = @event.checkins.page(params[:page])
+  respond_to :html, :json
 
-    respond_to do |format|
-      format.html
+  def index
+    respond_with(@checkins) do |format|
       format.json do
-        render :json => {:success => true, :total => @checkins.total_entries, :checkins => @checkins.as_json(:include => {:user => {:only => :name}})}
+        render :json => {:success => true, :total => @checkins.page(params[:page]).total_entries, :checkins => @checkins.page(params[:page]).as_json(:include => {:user => {:only => :name}}, :as => as_what?)}
       end
     end
   end
 
   def show
-    @event = Event.find(params[:event_id])
-    @checkin = @event.checkins.find_by_id(params[:id]) unless @event.blank?
-
-    respond_to do |format|
-      format.html
+    respond_with(@checkin) do |format|
       format.json do
-        render :json => {:success => true, :checkin => @checkin.as_json(:include => {:user => {:only => :name}})}
+        render :json => {:success => true, :checkin => @checkin.as_json(:include => {:user => {:only => :name}}, :as => as_what?)}
       end
     end
   end
 
   def new
-    @event = Event.find(params[:event_id])
-    @checkin = Checkin.new
+    respond_with(@checkin)
   end
 
   def create
-    event = Event.find(params[:event_id])
-    respond_to do |format|
+    respond_with(@checkin) do |format|
       format.html do
-        if event && (checkin = event.checkin(current_user))
+        if @event && (checkin = @event.checkin(current_user))
           flash[:notice] = "Successfully checked in to event #{event.name}"
           redirect_to edit_checkin_path(checkin)
         else
@@ -47,8 +39,8 @@ def create
       format.json do
         options = params[:checkin] || {}
         options["user_id"] = current_user.id
-        
-        if event && event.checkins.create(options.symbolize_keys)
+
+        if @event.checkins.create(options.symbolize_keys, :as => as_what?)
           render :json => {:success => true}
         else
           render :json => {:success => false}
@@ -58,33 +50,36 @@ def create
   end
 
   def edit
-    @checkin = Checkin.find(params[:id])
+    respond_with(@checkin)
   end
 
   def update
-    if params[:checkin]
-      @checkin = Checkin.find(params[:id])
-      if @checkin.update_attributes(params[:checkin])
-        flash[:notice] = "Successfully updated checkin status for #{@checkin.event.name}"
-        redirect_to event_path(@checkin.event)
-      else
-        flash[:error] = "Failed to update checkin status"
-        redirect_to new_event_path
-      end
-    else
-      @event = Event.find(params[:event_id])
-      if @event && @event.checkin(current_user)
-        flash[:notice] = "Successfully checked in to event #{@event.name}"
-        redirect_to event_path(@event)
-      else
-        flash[:error] = "Failed to check in to event #{@event.name}"
-        redirect_to new_event_path
+    respond_with(@checkin) do |format|
+      format.html do
+        if params[:checkin]
+          if @checkin.update_attributes(params[:checkin])
+            flash[:notice] = "Successfully updated checkin status for #{@checkin.event.name}"
+            redirect_to event_path(@checkin.event)
+          else
+            flash[:error] = "Failed to update checkin status"
+            redirect_to new_event_path
+          end
+        else
+          @event = Event.find(params[:event_id])
+          if @event && @event.checkin(current_user)
+            flash[:notice] = "Successfully checked in to event #{@event.name}"
+            redirect_to event_path(@event)
+          else
+            flash[:error] = "Failed to check in to event #{@event.name}"
+            redirect_to new_event_path
+          end
+        end
       end
     end
   end
 
   def destroy
-    @event = Event.find(params[:id])
     @event.checkout(current_user) unless @event.blank?
+    respond_with(@checkin)
   end
 end