Robin Ward 
							
						 
					 
					
						
						
							
						
						1dac3cfd64 
					 
					
						
						
							
							API endpoint for retrieving the current user  
						
						
						
						
					 
					
						2014-02-05 13:46:24 -05:00 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						da825451d0 
					 
					
						
						
							
							Invite link can't be used to log in after you set a password or sign in with 3rd party  
						
						
						
						
					 
					
						2014-01-21 16:56:41 -05:00 
						 
				 
			
				
					
						
							
							
								Sam 
							
						 
					 
					
						
						
							
						
						79087f4e6f 
					 
					
						
						
							
							fix exception in logs  
						
						
						
						
					 
					
						2013-11-28 12:39:59 +11:00 
						 
				 
			
				
					
						
							
							
								railsaholic 
							
						 
					 
					
						
						
							
						
						34bba737ff 
					 
					
						
						
							
							Refactor SessionController#create, reduce complexity.  
						
						
						
						
						Don't compromise readability 
						
						
					 
					
						2013-11-15 22:09:03 +05:30 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						0c6f794eb0 
					 
					
						
						
							
							Used the term suspended instead of banned.  
						
						
						
						
					 
					
						2013-11-07 13:53:49 -05:00 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						92a0729937 
					 
					
						
						
							
							When banning a user, a reason can be provided. The user will see this reason when trying to log in. Also log bans and unbans in the staff action logs.  
						
						
						
						
					 
					
						2013-11-01 10:47:26 -04:00 
						 
				 
			
				
					
						
							
							
								Manoj 
							
						 
					 
					
						
						
							
						
						96ae3cdacc 
					 
					
						
						
							
							Utilize already existing method 'find_by_username_or_email'  
						
						
						
						
						check presence of email using include, don't use =~ 
						
						
					 
					
						2013-10-24 19:26:06 +05:30 
						 
				 
			
				
					
						
							
							
								Sam 
							
						 
					 
					
						
						
							
						
						7993845bfa 
					 
					
						
						
							
							add current_user_provider so people can override current_user behavior cleanly, see  
						
						
						
						
						http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278  
					
						2013-10-09 15:11:54 +11:00 
						 
				 
			
				
					
						
							
							
								Sam 
							
						 
					 
					
						
						
							
						
						c4a0152dc6 
					 
					
						
						
							
							recover from bad CSRF tokens without requiring a hard refresh of the browser  
						
						
						
						
					 
					
						2013-08-27 15:56:12 +10:00 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						c74da0d262 
					 
					
						
						
							
							Admins who haven't been approved can log in when must_approve_users is enabled  
						
						
						
						
					 
					
						2013-08-06 16:51:29 -04:00 
						 
				 
			
				
					
						
							
							
								Sam 
							
						 
					 
					
						
						
							
						
						aa6c92922d 
					 
					
						
						
							
							SECURITY: correct our CSRF implementation to be much more aggressive  
						
						
						
						
					 
					
						2013-07-29 15:13:13 +10:00 
						 
				 
			
				
					
						
							
							
								Michael Campagnaro 
							
						 
					 
					
						
						
							
						
						25f8692a79 
					 
					
						
						
							
							Strip leading/trailing spaces from login  
						
						
						
						
					 
					
						2013-07-23 23:03:38 -04:00 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						c1a39b5a30 
					 
					
						
						
							
							Show date with year in message to banned users who try to log in  
						
						
						
						
					 
					
						2013-06-30 12:49:34 -04:00 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						5d6ad8f39c 
					 
					
						
						
							
							Show a useful message when a banned user tries to log in  
						
						
						
						
					 
					
						2013-06-27 15:14:42 -04:00 
						 
				 
			
				
					
						
							
							
								Ian Christian Myers 
							
						 
					 
					
						
						
							
						
						0d01c33482 
					 
					
						
						
							
							Enabled strong_parameters across all models/controllers.  
						
						
						
						
						All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.
The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.
It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments. 
						
						
					 
					
						2013-06-06 00:30:59 -07:00 
						 
				 
			
				
					
						
							
							
								Sam 
							
						 
					 
					
						
						
							
						
						2dfba8d6de 
					 
					
						
						
							
							we need to be able to do username checks for registration to work  
						
						
						
						
					 
					
						2013-06-05 12:50:42 +10:00 
						 
				 
			
				
					
						
							
							
								Chris Hunt 
							
						 
					 
					
						
						
							
						
						92a4828f72 
					 
					
						
						
							
							Redirect all controllers to login if required  
						
						
						
						
						We want to skip the filter for sessions controller so that we can login
and we want to skip the filter for static pages because those should be
visible to visitors. 
						
						
					 
					
						2013-06-04 16:10:10 -07:00 
						 
				 
			
				
					
						
							
							
								Sam 
							
						 
					 
					
						
						
							
						
						42494b5bb1 
					 
					
						
						
							
							we can't trust CSRF for anon the way it is designed.  
						
						
						
						
						The page they have loaded may be cached we need a different way of delivering the CSRF potentially 
						
						
					 
					
						2013-05-03 16:43:11 +10:00 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						cbe0168922 
					 
					
						
						
							
							Fix a problem where you might see missing {{sentTo}} value after a failed login  
						
						
						
						
					 
					
						2013-04-18 16:44:56 -04:00 
						 
				 
			
				
					
						
							
							
								Régis Hanol 
							
						 
					 
					
						
						
							
						
						b24c1a1ad9 
					 
					
						
						
							
							better consistency around email case sensitivity  
						
						
						
						
					 
					
						2013-04-15 02:20:33 +02:00 
						 
				 
			
				
					
						
							
							
								Sarah Vessels 
							
						 
					 
					
						
						
							
						
						54c7b1ab63 
					 
					
						
						
							
							Use consistent new-style hashes in render calls *twitch*  
						
						
						
						
					 
					
						2013-03-22 14:08:11 -04:00 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						213d3e5c10 
					 
					
						
						
							
							Remove unused code and routes that don't exist in session_controller  
						
						
						
						
					 
					
						2013-03-13 15:21:45 -04:00 
						 
				 
			
				
					
						
							
							
								Régis Hanol 
							
						 
					 
					
						
						
							
						
						239cbd2d58 
					 
					
						
						
							
							enforce coding convention  
						
						
						
						
						replaced every `and` by `&&` and every `or` by `||` 
						
						
					 
					
						2013-03-05 01:42:44 +01:00 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						ff3e012034 
					 
					
						
						
							
							Add a link that allows you to send activation email again  
						
						
						
						
					 
					
						2013-02-22 11:49:58 -05:00 
						 
				 
			
				
					
						
							
							
								Neil Lalonde 
							
						 
					 
					
						
						
							
						
						c18b85873f 
					 
					
						
						
							
							Prevent login until email is confirmed  
						
						
						
						
					 
					
						2013-02-11 11:18:37 -05:00 
						 
				 
			
				
					
						
							
							
								Jakub Arnold 
							
						 
					 
					
						
						
							
						
						61654ab8f0 
					 
					
						
						
							
							Fix all the trailing whitespace  
						
						
						
						
					 
					
						2013-02-07 16:45:24 +01:00 
						 
				 
			
				
					
						
							
							
								Robin Ward 
							
						 
					 
					
						
						
							
						
						21b5628528 
					 
					
						
						
							
							Initial release of Discourse  
						
						
						
						
					 
					
						2013-02-05 14:16:51 -05:00