0
我有設計的Rails 4應用程序。Humanizer人工驗證不工作設計用戶單獨的行動,Rails 4
最近,我發現對於某些操作Humanizer功能不起作用。
問題:基本上它不檢查我關於安全問題的輸入,並允許前進並採取行動(但不應該)。不顯示錯誤消息。
注意:Humanizer完全在用戶註冊過程中,但不會像編輯,密碼恢復等
我的代碼的行爲在所有的工作:
User.rb:
class User < ActiveRecord::Base
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable, :lockable, :confirmable
include Humanizer
attr_accessor :bypass_humanizer
require_human_on :create, :unless => :bypass_humanizer
...
end
的routes.rb
devise_for :users, :controllers => {:registrations=> "registrations", :confirmations=> "confirmations", :passwords => "passwords", :sessions => "sessions"}
Registrations_controller.rb
class RegistrationsController < Devise::RegistrationsController
clear_respond_to
respond_to :json
def sign_up_params
params.require(:user).permit(:email, :password, :country_id, :password_confirmation,:name, :not_a_robot,:current_password,:bypass_humanizer,:role, :humanizer_question_id, :humanizer_answer)
end
def account_update_params
params.require(:user).permit(:name, :email, :password, :country_id,:humanizer_answer, :password_confirmation, :current_password, :not_a_robot, :bypass_humanizer,:confirmation_token, :humanizer_question_id)
end
def destroy
#@p = current_user.id
@user = User.find(current_user.id)
@user.destroy
if @user.destroy
redirect_to root_path, notice: "User deleted."
end
end
private :sign_up_params
private :account_update_params
protected
def update_resource(resource, params)
resource.update_without_password(params)
end
end
Passwords_controller.rb
class PasswordsController < Devise::PasswordsController
respond_to :json, only: [:create]
skip_before_filter :age_check
def create
user = resource_class.send_reset_password_instructions(resource_params)
if successfully_sent?(user)
render json: { data: "something" }, status: 200
else
render json: { data: "something bad" }, status: 400
end
end
def update
self.resource = resource_class.reset_password_by_token(resource_params)
yield resource if block_given?
if resource.errors.empty?
resource.unlock_access! if unlockable?(resource)
if Devise.sign_in_after_reset_password
flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
# set_flash_message!(:notice, flash_message)
sign_in(resource_name, resource)
else
# set_flash_message!(:notice, :updated_not_active)
end
# respond_with resource, location: after_resetting_password_path_for(resource)
redirect_to root_path
else
set_minimum_password_length
respond_with resource
end
end
end
密碼恢復表單(Humanizer不工作):
<%= form_for(@user,:html => {"data-parsley-validate" => true,:id=>"password-recover-modal",:class=>"password-recover-modal"},:remote=> true,format: :json,as: @user, url: password_path(@user)) do |f| %>
<div class="form-group">
<%= f.email_field :email, autofocus: true ,:class=> "user-input form-control", :id=>"email",:placeholder=>t('email'),required: true%>
</div>
<div class="question-content" style="position:relative;top:1px;">
<span class="question"><%= t('question') %>:</span>
<%= f.hidden_field :humanizer_question_id %>
<span class="answer" >
<%= f.label :humanizer_answer, @user.humanizer_question %>
</span>
<div class="form-group" style="margin-bottom:21px;">
<span class="question" style="margin-top:8px;"><%= t('answer') %>: *</span>
<%= f.text_field :humanizer_answer ,:class=> "form-control",:required => true, :id=>"answer"%>
</div>
</div>
<%= f.submit t('recover_pass'),:class=> "blue-button btn btn-default"%>
<%end%>
用戶登記表(Humanizer完美的作品):
<%= form_for(@user, :html => {:id=>"sign_up_user" ,:class=>"registration-form-modalc","data-parsley-validate" => true},remote: true, format: :json,as: @user, url: registration_path(@user)) do |f| %>
<div class="form-group">
<%= f.text_field :name,:class=> "user-input form-control", :id=>"user-name",autofocus: true ,:placeholder=> t('username_2'),:required => true,:'data-parsley-minlength'=>"3"%>
</div>
<div class="form-group">
<%= f.password_field :password,:id=>"passwordis",:class=> "user-input form-control", autocomplete: "off" ,:placeholder=> t('new_password'),:required => true,:'data-parsley-minlength'=>"8" %>
</div>
<div class="form-group">
<%= f.password_field :password_confirmation, :id=>"password-again",:class=> "user-input form-control", autocomplete: "off" ,:'data-parsley-equalto'=>"input#passwordis",:placeholder=> t('new_password_2'),:required => true,:'data-parsley-minlength'=>"8"%>
<%= f.hidden_field :role, :value => "user"%>
<%= f.hidden_field :country_id, :value => @location.id%>
</div>
<div class="form-group">
<%= f.email_field :email ,:class=>"user-input form-control" ,:'data-validatess' => '/blocked/checkemail',:id=>"emailito",:placeholder=> t('email'),:required => true%>
<h3 id="email-taken-message" style="display:none;margin-left:140px;color:red;padding-top:7px;"> <%= t('email_not_available') %> </h3>
</div>
<%= f.hidden_field :humanizer_question_id %>
<div class="question-content" style="position:relative;top:1px;">
<span class="question"><%= t('question') %>:</span>
<span class="answer" >
<%= f.label :humanizer_answer, @user.humanizer_question %>
</span>
<div class="form-group" style="margin-bottom:21px;">
<span class="question" style="margin-top:8px;"><%= t('answer') %>: *</span>
<%= f.text_field :humanizer_answer ,:class=> "form-control",:required => true, :id=>"answer"%>
</div>
</div>
<%= f.submit t('confirm'),:class=> "blue-button btn btn-default"%>
<%end%>
從我的日誌提取,當我嘗試使用密碼恢復:
Started POST "/lv/users/password" for 85.254.76.76 at 2016-09-25 14:14:59 +0300
Processing by PasswordsController#create as JS
Parameters: {"utf8"=>"✓", "user"=>{"email"=>"[email protected]", "humanizer_question_id"=>"1", "humanizer_answer"=>"155"}, "commit"=>"ATGŪT PAROLI", "locale"=>"lv"}
[1m[36mCountry Load (0.4ms)[0m [1mSELECT `countries`.* FROM `countries` WHERE `countries`.`id` = 1 LIMIT 1[0m
[1m[35mRegion Load (0.5ms)[0m SELECT `regions`.* FROM `regions` WHERE `regions`.`country_id` = 1
[1m[36mPartner Load (0.4ms)[0m [1mSELECT `partners`.* FROM `partners` WHERE `partners`.`id` = 1 LIMIT 1[0m
[1m[35mUser Load (0.5ms)[0m SELECT `users`.* FROM `users` WHERE `users`.`email` = '[email protected]' ORDER BY `users`.`id` ASC LIMIT 1
[1m[36mUser Load (247.6ms)[0m [1mSELECT `users`.* FROM `users` WHERE `users`.`reset_password_token` = '8ffe8d2b729cd77dd8f3b3df061e19076b87784edb5d4c10ee1466ee978257f7' ORDER BY `users`.`id` ASC LIMIT 1[0m
[1m[35m (0.3ms)[0m BEGIN
[1m[36mSQL (0.5ms)[0m [1mUPDATE `users` SET `reset_password_sent_at` = '2016-09-25 14:15:00', `reset_password_token` = '8ffe8d2b729cd77dd8f3b3df061e19076b87784edb5d4c10ee1466ee978257f7', `updated_at` = '2016-09-25 14:15:00' WHERE `users`.`id` = 169[0m
[1m[35m (0.3ms)[0m COMMIT
Rendered devise/mailer/reset_password_instructions.html.erb (4.5ms)
Devise::Mailer#reset_password_instructions: processed outbound mail in 268.7ms
Sent mail to [email protected] (129.2ms)
Date: Sun, 25 Sep 2016 14:15:00 +0300
From: [email protected]
Reply-To: [email protected]
To: @gmail.com
Message-ID: <[email protected]>
Subject: Reset password instructions
Mime-Version: 1.0
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta content=3D'text/html; charset=3DUTF-8' http-equiv=3D'Content-Ty=
pe' />
</head>
<body>
<h3> Sveicin=C4=81ti, admins !</h3>
=
<p> K=C4=81ds ir piepras=C4=ABjis saiti, lai main=C4=ABtu paroli. To=
var izdar=C4=ABt, izmantojot zem=C4=81k nor=C4=81d=C4=ABto saiti.</p>
=
<p><a href=3D"http://www.individualki.eu/users/password/edit?reset_p=
assword_token=3Dpq9s-yq74P1mwRFui13L">Main=C4=ABt savu paroli</a></p>
<p></p>
<p>Ja J=C5=ABs neesat piepras=C4=ABjis =C5=A1o, l=C5=ABdzu, ne=C5=86=
emiet v=C4=93r=C4=81 =C5=A1o e-pasta zi=C5=86ojumu.</p>
=
<p></p>
<p>Parole nemain=C4=ABsies, ja J=C5=ABs nespied=C4=ABsiet uz saites a=
ug=C5=A1=C4=81 un nemain=C4=ABsiet to.</p>
</body>
</html>
Completed 200 OK in 1616ms (Views: 0.7ms | ActiveRecord: 260.9ms)