use something more secure than UUID for our unique tokens; fixes #4264

Change-Id: I407b50b98e44eab4e341b596ebefe9f35af3dc37
Reviewed-on: https://gerrit.instructure.com/3097
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: JT Olds <jt@instructure.com>
Zach Wily 2011-04-14 16:09:37 -06:00
parent 2d7e77a23c
commit df3d4c6351
16 changed files with 22 additions and 22 deletions

@ -155,7 +155,7 @@ class Account < ActiveRecord::Base
end
def ensure_defaults
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
def set_update_account_associations_if_changed

@ -33,7 +33,7 @@ class AssessmentRequest < ActiveRecord::Base
has_a_broadcast_policy
def infer_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
protected :infer_uuid

@ -317,7 +317,7 @@ class Attachment < ActiveRecord::Base
before_save :assign_uuid
def assign_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
protected :assign_uuid

@ -111,7 +111,7 @@ class Collaboration < ActiveRecord::Base
end
def assign_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
protected :assign_uuid

@ -595,7 +595,7 @@ class Course < ActiveRecord::Base
end
def self.create_unique(uuid=nil, account_id=nil, root_account_id=nil)
uuid ||= UUIDSingleton.instance.generate
uuid ||= AutoHandle.generate_securish_uuid
course = find_or_initialize_by_uuid(uuid)
course = Course.new if course.deleted?
course.name = "My Course" if course.new_record?
@ -627,7 +627,7 @@ class Course < ActiveRecord::Base
end
def assign_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
protected :assign_uuid

@ -469,13 +469,13 @@ class Enrollment < ActiveRecord::Base
}
def assign_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
protected :assign_uuid
def uuid
if !read_attribute(:uuid)
self.update_attribute(:uuid, UUIDSingleton.instance.generate)
self.update_attribute(:uuid, AutoHandle.generate_securish_uuid)
end
read_attribute(:uuid)
end
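Review bot: The `uuid` reader writes the token on first read with `update_attribute`, so two requests that both find the column empty can each store a different value, and whichever value was handed out first no longer matches the row. Now that this field is meant to be an unguessable token, that race is worth documenting on the method, e.g. `# Backfills a token for rows saved without one; concurrent first reads can race, last write wins.` Backfilling existing rows in a migration would let the reader stop writing altogether. The same pattern appears in the `User#uuid` hunk at -1054.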

@ -44,7 +44,7 @@ class Eportfolio < ActiveRecord::Base
before_create :assign_uuid
def assign_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
protected :assign_uuid

@ -240,8 +240,8 @@ class Group < ActiveRecord::Base
end
def ensure_defaults
self.name ||= UUIDSingleton.instance.generate
self.uuid ||= UUIDSingleton.instance.generate
self.name ||= AutoHandle.generate_securish_uuid
self.uuid ||= AutoHandle.generate_securish_uuid
self.category ||= Group.student_organized_category
self.join_level ||= 'invitation_only'
if self.context && self.context.is_a?(Course)
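Review bot: `self.name ||= AutoHandle.generate_securish_uuid` feeds token-generator output into what appears to be a display field, so a group created without a name would presumably show a digest string where it used to show a UUID. `name` does not need to be unguessable, and drawing it from the same generator as `uuid` blurs which of the two fields is the credential. A comment such as `# placeholder name only; not a secret`, or a plain default string, would make the intent clear. `ensure_defaults` continues past the end of the hunk.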

@ -66,7 +66,7 @@ class GroupMembership < ActiveRecord::Base
end
def assign_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
self.workflow_state = 'accepted' if self.requested? && self.group && self.group.auto_accept?(self.user)
end
protected :assign_uuid

@ -90,7 +90,7 @@ class ReportSnapshot < ActiveRecord::Base
installation_uuid = Setting.get("installation_uuid", "")
if installation_uuid == ""
installation_uuid = UUIDSingleton.instance.generate
installation_uuid = AutoHandle.generate_securish_uuid
Setting.set("installation_uuid", installation_uuid)
end

@ -23,7 +23,7 @@ class ScribdAccount < ActiveRecord::Base
before_create :assure_uuid
def assure_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
private :assure_uuid

@ -285,7 +285,7 @@ class User < ActiveRecord::Base
end
def assign_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
protected :assign_uuid
@ -1054,7 +1054,7 @@ class User < ActiveRecord::Base
def uuid
if !read_attribute(:uuid)
self.update_attribute(:uuid, UUIDSingleton.instance.generate)
self.update_attribute(:uuid, AutoHandle.generate_securish_uuid)
end
read_attribute(:uuid)
end

@ -47,7 +47,7 @@ class WebConference < ActiveRecord::Base
end
def assign_uuid
self.uuid ||= UUIDSingleton.instance.generate
self.uuid ||= AutoHandle.generate_securish_uuid
end
protected :assign_uuid

@ -38,5 +38,9 @@ class AutoHandle
n.times { slug << rand_char }
slug
end
def generate_securish_uuid
Canvas::Security.hmac_sha1("#{UUIDSingleton.instance.generate}#{AutoHandle.generate(nil, 20)}")
end
end
end
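Review bot: `generate_securish_uuid` gets its unpredictability from the HMAC key rather than from its input: the message is a UUID plus 20 characters from `AutoHandle.generate`, whose `rand_char` is defined outside this hunk and, if it draws from `Kernel#rand`, is not a cryptographic source. Should the key behind `Canvas::Security.hmac_sha1` ever be disclosed or shared between installations, each token would be only as strong as those two inputs. Mixing in CSPRNG output, e.g. `Canvas::Security.hmac_sha1("#{UUIDSingleton.instance.generate}#{SecureRandom.hex(20)}")`, removes that dependency. A one-line comment stating the intended guarantee would also explain the "securish" name. The enclosing class body starts outside the hunk.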

@ -114,7 +114,7 @@ describe Attachment do
it "should set the uuid" do
attachment_model
@attachment.uuid.should match(uuid_regex)
@attachment.uuid.should_not be_nil
end
context "workflow" do
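Review bot: `@attachment.uuid.should_not be_nil` no longer checks anything about the token's shape, so a regression to an empty string or a truncated value would still pass. If `Canvas::Security.hmac_sha1` returns a hex digest (its definition is not on this page), the assertion could pin the new format with `@attachment.uuid.should match(/\A[0-9a-f]{40}\z/)`. The `describe` block continues outside the hunk.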

@ -189,10 +189,6 @@ Spec::Runner.configure do |config|
File.read(File.expand_path(File.join(File.dirname(__FILE__), %w(fixtures default_gradebook.csv))))
end
def uuid_regex
/[\d|\w]{8}-[\d|\w]{4}-[\d|\w]{4}-[\d|\w]{4}-[\d|\w]{12}/
end
def factory_with_protected_attributes(ar_klass, attrs, do_save = true)
return ar_klass.create!(attrs) if ar_klass.accessible_attributes.nil?
obj = ar_klass.new(attrs.reject { |k,v| !ar_klass.accessible_attributes.include?(k) })