2016-09-25 52 views
0

我有設計的Rails 4應用程序。Humanizer人工驗證不工作設計用戶單獨的行動,Rails 4

最近,我發現對於某些操作Humanizer功能不起作用。

問題:基本上它不檢查我關於安全問題的輸入,並允許前進並採取行動(但不應該)。不顯示錯誤消息。

注意:Humanizer完全在用戶註冊過程中,但不會像編輯,密碼恢復等

我的代碼的行爲在所有的工作:

User.rb:

class User < ActiveRecord::Base 

    devise :database_authenticatable, :registerable, 
     :recoverable, :rememberable, :trackable, :validatable, :lockable, :confirmable 
    include Humanizer 

    attr_accessor :bypass_humanizer 
    require_human_on :create, :unless => :bypass_humanizer 


... 

end 

的routes.rb

devise_for :users, :controllers => {:registrations=> "registrations", :confirmations=> "confirmations", :passwords => "passwords", :sessions => "sessions"} 

Registrations_controller.rb

class RegistrationsController < Devise::RegistrationsController 

    clear_respond_to 
    respond_to :json 

    def sign_up_params 
    params.require(:user).permit(:email, :password, :country_id, :password_confirmation,:name, :not_a_robot,:current_password,:bypass_humanizer,:role, :humanizer_question_id, :humanizer_answer) 
    end 

    def account_update_params 
    params.require(:user).permit(:name, :email, :password, :country_id,:humanizer_answer, :password_confirmation, :current_password, :not_a_robot, :bypass_humanizer,:confirmation_token, :humanizer_question_id) 
    end 


    def destroy 
    #@p = current_user.id 

    @user = User.find(current_user.id) 
    @user.destroy 

    if @user.destroy 
     redirect_to root_path, notice: "User deleted." 
    end 

    end 

    private :sign_up_params 
    private :account_update_params 


    protected 

    def update_resource(resource, params) 
    resource.update_without_password(params) 
    end 

end 

Passwords_controller.rb

class PasswordsController < Devise::PasswordsController 

    respond_to :json, only: [:create] 
    skip_before_filter :age_check 


    def create 
       user = resource_class.send_reset_password_instructions(resource_params) 

       if successfully_sent?(user) 
        render json: { data: "something" }, status: 200 
       else 
        render json: { data: "something bad" }, status: 400 
       end 
    end 

    def update 
    self.resource = resource_class.reset_password_by_token(resource_params) 
    yield resource if block_given? 

    if resource.errors.empty? 
     resource.unlock_access! if unlockable?(resource) 
     if Devise.sign_in_after_reset_password 
     flash_message = resource.active_for_authentication? ? :updated : :updated_not_active 
     # set_flash_message!(:notice, flash_message) 
     sign_in(resource_name, resource) 
     else 
    # set_flash_message!(:notice, :updated_not_active) 
     end 
    # respond_with resource, location: after_resetting_password_path_for(resource) 
    redirect_to root_path 
    else 
     set_minimum_password_length 
     respond_with resource 
    end 
    end 

end 

密碼恢復表單(Humanizer不工作):

 <%= form_for(@user,:html => {"data-parsley-validate" => true,:id=>"password-recover-modal",:class=>"password-recover-modal"},:remote=> true,format: :json,as: @user, url: password_path(@user)) do |f| %> 

     <div class="form-group"> 

      <%= f.email_field :email, autofocus: true ,:class=> "user-input form-control", :id=>"email",:placeholder=>t('email'),required: true%> 

     </div> 



       <div class="question-content" style="position:relative;top:1px;"> 

         <span class="question"><%= t('question') %>:</span> 

          <%= f.hidden_field :humanizer_question_id %> 

         <span class="answer" > 
           <%= f.label :humanizer_answer, @user.humanizer_question %> 
         </span> 


           <div class="form-group" style="margin-bottom:21px;"> 

           <span class="question" style="margin-top:8px;"><%= t('answer') %>: *</span> 
             <%= f.text_field :humanizer_answer ,:class=> "form-control",:required => true, :id=>"answer"%> 
           </div>       

      </div> 


     <%= f.submit t('recover_pass'),:class=> "blue-button btn btn-default"%> 


<%end%> 

用戶登記表(Humanizer完美的作品):

<%= form_for(@user, :html => {:id=>"sign_up_user" ,:class=>"registration-form-modalc","data-parsley-validate" => true},remote: true, format: :json,as: @user, url: registration_path(@user)) do |f| %> 

      <div class="form-group">          
       <%= f.text_field :name,:class=> "user-input form-control", :id=>"user-name",autofocus: true ,:placeholder=> t('username_2'),:required => true,:'data-parsley-minlength'=>"3"%>         
      </div> 

      <div class="form-group">       
       <%= f.password_field :password,:id=>"passwordis",:class=> "user-input form-control", autocomplete: "off" ,:placeholder=> t('new_password'),:required => true,:'data-parsley-minlength'=>"8" %>         
      </div> 

      <div class="form-group"> 
       <%= f.password_field :password_confirmation, :id=>"password-again",:class=> "user-input form-control", autocomplete: "off" ,:'data-parsley-equalto'=>"input#passwordis",:placeholder=> t('new_password_2'),:required => true,:'data-parsley-minlength'=>"8"%> 
       <%= f.hidden_field :role, :value => "user"%> 
       <%= f.hidden_field :country_id, :value => @location.id%> 

      </div> 

      <div class="form-group"> 
       <%= f.email_field :email ,:class=>"user-input form-control" ,:'data-validatess' => '/blocked/checkemail',:id=>"emailito",:placeholder=> t('email'),:required => true%> 
      <h3 id="email-taken-message" style="display:none;margin-left:140px;color:red;padding-top:7px;"> <%= t('email_not_available') %> </h3>                             
      </div> 

       <%= f.hidden_field :humanizer_question_id %> 



     <div class="question-content" style="position:relative;top:1px;"> 

      <span class="question"><%= t('question') %>:</span> 

      <span class="answer" > 
        <%= f.label :humanizer_answer, @user.humanizer_question %> 
      </span> 

      <div class="form-group" style="margin-bottom:21px;"> 
        <span class="question" style="margin-top:8px;"><%= t('answer') %>: *</span>        
         <%= f.text_field :humanizer_answer ,:class=> "form-control",:required => true, :id=>"answer"%> 
      </div>           
     </div> 

    <%= f.submit t('confirm'),:class=> "blue-button btn btn-default"%> 




    <%end%> 

從我的日誌提取,當我嘗試使用密碼恢復:

Started POST "/lv/users/password" for 85.254.76.76 at 2016-09-25 14:14:59 +0300 
Processing by PasswordsController#create as JS 
    Parameters: {"utf8"=>"✓", "user"=>{"email"=>"[email protected]", "humanizer_question_id"=>"1", "humanizer_answer"=>"155"}, "commit"=>"ATGŪT PAROLI", "locale"=>"lv"} 
    [1m[36mCountry Load (0.4ms)[0m [1mSELECT `countries`.* FROM `countries` WHERE `countries`.`id` = 1 LIMIT 1[0m 
    [1m[35mRegion Load (0.5ms)[0m SELECT `regions`.* FROM `regions` WHERE `regions`.`country_id` = 1 
    [1m[36mPartner Load (0.4ms)[0m [1mSELECT `partners`.* FROM `partners` WHERE `partners`.`id` = 1 LIMIT 1[0m 
    [1m[35mUser Load (0.5ms)[0m SELECT `users`.* FROM `users` WHERE `users`.`email` = '[email protected]' ORDER BY `users`.`id` ASC LIMIT 1 
    [1m[36mUser Load (247.6ms)[0m [1mSELECT `users`.* FROM `users` WHERE `users`.`reset_password_token` = '8ffe8d2b729cd77dd8f3b3df061e19076b87784edb5d4c10ee1466ee978257f7' ORDER BY `users`.`id` ASC LIMIT 1[0m 
    [1m[35m (0.3ms)[0m BEGIN 
    [1m[36mSQL (0.5ms)[0m [1mUPDATE `users` SET `reset_password_sent_at` = '2016-09-25 14:15:00', `reset_password_token` = '8ffe8d2b729cd77dd8f3b3df061e19076b87784edb5d4c10ee1466ee978257f7', `updated_at` = '2016-09-25 14:15:00' WHERE `users`.`id` = 169[0m 
    [1m[35m (0.3ms)[0m COMMIT 
    Rendered devise/mailer/reset_password_instructions.html.erb (4.5ms) 

Devise::Mailer#reset_password_instructions: processed outbound mail in 268.7ms 

Sent mail to [email protected] (129.2ms) 
Date: Sun, 25 Sep 2016 14:15:00 +0300 
From: [email protected] 
Reply-To: [email protected] 
To: @gmail.com 
Message-ID: <[email protected]> 
Subject: Reset password instructions 
Mime-Version: 1.0 
Content-Type: text/html; 
charset=UTF-8 
Content-Transfer-Encoding: quoted-printable 

<html> 
    <head> 
    <meta content=3D'text/html; charset=3DUTF-8' http-equiv=3D'Content-Ty= 
pe' /> 
    </head> 
    <body> 
     <h3> Sveicin=C4=81ti, admins !</h3> 
    = 

     <p> K=C4=81ds ir piepras=C4=ABjis saiti, lai main=C4=ABtu paroli. To= 
var izdar=C4=ABt, izmantojot zem=C4=81k nor=C4=81d=C4=ABto saiti.</p> 
    = 

     <p><a href=3D"http://www.individualki.eu/users/password/edit?reset_p= 
assword_token=3Dpq9s-yq74P1mwRFui13L">Main=C4=ABt savu paroli</a></p> 
     <p></p> 
     <p>Ja J=C5=ABs neesat piepras=C4=ABjis =C5=A1o, l=C5=ABdzu, ne=C5=86= 
emiet v=C4=93r=C4=81 =C5=A1o e-pasta zi=C5=86ojumu.</p> 
    = 

     <p></p> 
     <p>Parole nemain=C4=ABsies, ja J=C5=ABs nespied=C4=ABsiet uz saites a= 
ug=C5=A1=C4=81 un nemain=C4=ABsiet to.</p> 
    </body> 
</html> 

Completed 200 OK in 1616ms (Views: 0.7ms | ActiveRecord: 260.9ms) 

回答

0

,因爲我無法找出原因爲什麼人性化者默認行爲不起作用,所以我強迫像這樣的人性化驗證example

def create 

    ad = User.new 
    ad.humanizer_question_id = params[:user][:humanizer_question_id] 
    ad.humanizer_answer = params[:user][:humanizer_answer] 

    if ad.humanizer_answer.present? && ad.humanizer_question_id.present? 

     if ad.humanizer_correct_answer? 

      usero = resource_class.send_reset_password_instructions(resource_params)  
       if successfully_sent?(usero) 
        render json: { data: "something good" }, status: 200 
       else 
        render json: { data: "something bad successfully_sent?(usero)" }, status: 400 
       end  

     else 
      render json: { data: "Humanizer wrong ad.humanizer_correct_answer?" }, status: 400 
     end 

    else 
     render json: { data: "ad.humanizer_answer.present? || ad.humanizer_question_id.present?" }, status: 400 
    end 


end