Commit graph

262 commits

Author SHA1 Message Date
5601511ad5 xss vulnerability in outfits#show
This one was actually pretty darn clever - nobody's abused it, but
I was reading a blog post where someone described this type of
issue, I realized it was a brilliant attack, and then realized
DTI was vulnerable. Oops. Thanks for the solution, Jamie!

http://jamie-wong.com/2012/08/22/what-i-did-at-khan-academy/#XSS+Fix
2012-10-20 17:56:38 -05:00
270f8caa3d remove sharing beta message - finally 2012-08-23 20:56:00 -05:00
412c401c5f better cache items#show 2012-08-10 00:02:11 -04:00
99669b8e4e cache homepage latest contribution 2012-08-09 22:59:35 -04:00
f6d34841ec cache newest items on homepage and items#index 2012-08-09 22:35:30 -04:00
1e3938eea9 improve closet performance by caching item link 2012-08-09 19:34:56 -04:00
5e89287537 durr, don't cache new items on the homepage 2012-08-08 23:05:32 -04:00
5cec28e29b fix logout bug: stop caching authenticity_token fields
Many forms on the site contain a hidden authenticity_token field,
unique to each visitor. If a user submits a request with an
invalid authenticity_token, Rails assumes that it's a CSRF attempt
and logs out the user. So, if we happen to cache those forms with
authenticity_token fields, all users who use that form will have
the same authenticity_token (valid for only the first user who
saw the form, invalid for everyone else), and all requests made
through that form will log out the user. Bad news.

So, we stopped caching those forms. Yay!
2012-08-07 17:32:51 -04:00
72237f225c modeling hub 2012-08-06 21:15:31 -04:00
a6e4398e54 take homepage latest contribution and new items out of cache block - should probably cache them later, but, for now, meh 2012-08-01 15:11:08 -04:00
c2a0c5de74 new frontpage layout, yay 2012-08-01 13:34:54 -04:00
c630cde66c outfit thumbnails beta message 2012-07-31 10:21:20 -04:00
54ca5881fe add thumbnails to outfits#show via open graph 2012-07-29 16:45:12 -04:00
f8aacfba98 put a cog behind outfits whose thumbnails are enqueued 2012-07-29 16:07:18 -04:00
f5cf9aa13b redesign outfits#index with thumbnails 2012-07-29 15:43:28 -04:00
249c493d25 beautiful outfits tab using thumbnails 2012-07-27 03:21:22 -04:00
b02c95c2d9 pretty tab navigation for wardrobe sidebar 2012-07-25 19:02:23 -04:00
b2eac2d1fd sharing url formats 2012-07-17 16:14:05 -04:00
f5ab71dce5 sharing thumbnail 2012-07-17 14:42:31 -04:00
7b5856ebf9 basic sharing
Sharing pane works, everything is great for guests. Logged in
users are on the way, since right now Share Outfit re-saves
anonymously rather than showing sharing data for the existing
outfit.
2012-07-17 12:15:04 -04:00
7c015e2d88 carrierwave for asset swfs 2012-07-16 16:45:26 -04:00
c7c8f3a78e oops. accidentally used trading post url for auctions. fixed 2012-05-23 20:12:17 -04:00
4451800e42 added shop wiz, etc., links to NP item show page 2012-05-23 20:09:35 -04:00
63f503e7a4 keep copyright year up to date 2012-05-15 13:52:15 -05:00
f3d64840d6 filter lists on petpage export 2012-04-08 15:59:51 -05:00
c46d7ae2c0 fix petpage export styles
thumbnails were right-aligned when they really shouldn't have been
2012-04-08 14:50:50 -05:00
b04c5db98a add ajax auth for closet_hangers#index 2012-03-23 16:59:23 -05:00
99a7558dd9 update items#show style 2012-03-23 16:48:00 -05:00
7d0edbf23c closet_hangers#destroy now tied to hanger ID, not item 2012-03-23 16:25:10 -05:00
44156c5b21 can now have the same item in more than one list 2012-03-23 16:25:10 -05:00
19e854b6f8 oops, remove maintenance message 2012-01-26 13:30:12 -06:00
686d6560c4 specify size on image download 2012-01-13 19:37:56 -06:00
696b2aedaf give SWFs real, unique ID numbers
Lots of scary bugs were being caused by the fact that the possibly-duplicate Neopets ID
was being treated as an SWF's real primary key, meaning that a save meant for object swf
number 123 could be saved to biology swf number 123. Which is awful.

This update gives SWFs their own unique internal ID numbers. All external lookups still use
the remote ID and the type, meaning that the client side remains totally unchanged (phew).
However, all database relationships with SWFs use the new ID numbers, making everything
cleaner. Yay.

There are probably a few places where it would be appropriate to optimize certain lookups
that still depend on remote ID and type. Whatever. Today's goal was to remove crazy
glitches that have been floating around like mad. And I think that goal has been met.
2012-01-12 17:17:59 -06:00
70cf262387 remove campaign banner from most pages 2011-10-10 22:06:46 -05:00
df62e3540f copyright 2011 2011-10-10 21:56:12 -05:00
09fcc7fa4b remove timer donation request on outfits#edit 2011-08-07 19:57:11 -04:00
c930397123 edit campaign copy now that image mode is public 2011-08-07 19:52:35 -04:00
04ec18b196 update image mode faq for public release 2011-08-07 19:27:01 -04:00
7358aae680 report broken images 2011-08-07 18:23:44 -04:00
564ba9bdd9 js part of reporting broken images 2011-08-07 17:24:54 -04:00
4c510f91db search by username 2011-08-05 11:28:11 -04:00
f9de777c79 update campaign: upgrade complete 2011-08-05 00:12:17 -04:00
0906e49a72 update campaign progress to say we have exceeded our goal 2011-08-04 15:34:28 -04:00
163d74fe07 donate update, campaign complete 2011-08-04 10:25:57 -04:00
d99a1ad792 newest items 2011-08-04 10:01:44 -04:00
2398f34071 import items from pets 2011-08-03 11:35:06 -04:00
bad1eb13a5 compare Your Items to someone else's list 2011-08-03 10:33:13 -04:00
513711bf60 import sdb as well as closet 2011-08-02 22:42:56 -04:00
374e85f9d0 drop in redirect image url for urls blocked on petpages 2011-08-02 20:01:48 -04:00
8bf9872fbe stop caching items#show for now due to Your Items module 2011-08-02 00:12:44 -04:00
ea7171b322 fix ambiguous item_link partial throwing errors in outfits#show 2011-07-31 23:45:57 -04:00
9422d5d8fe remove redundancy on no hangers in a group 2011-07-31 23:35:57 -04:00
5f4cd9ddbf new! tags to point to Your Items 2011-07-31 22:55:29 -04:00
ceeb59973d move image mode faq to outfits#edit instead of userbar 2011-07-31 22:13:23 -04:00
071ba56ae9 public url on Your Items 2011-07-31 19:24:06 -04:00
90c9c8fe17 hide help for people who have used Your Items before 2011-07-31 19:04:21 -04:00
037cb1e95a your items link on home 2011-07-31 18:45:53 -04:00
359356bcf3 better handle edge cases in petpages 2011-07-31 03:03:26 -04:00
1ac399cc7a link to petpage exporter from Your Items 2011-07-31 02:58:45 -04:00
30096f6b0a items petpage export 2011-07-31 02:52:19 -04:00
4f0e7899b7 Your Items intro text polishing 2011-07-31 00:59:29 -04:00
137aeac8d4 show traders on items#show 2011-07-31 00:19:28 -04:00
28c9d1b3d8 hide list description on drag-n-drop 2011-07-30 23:07:58 -04:00
b9700e3d7c show owns/wanted items on someone else's items list 2011-07-30 23:03:43 -04:00
11b7ae74db list visibility forms on Your Items 2011-07-30 22:47:06 -04:00
0c92bf5987 set list visibility in closet_lists#edit 2011-07-30 22:34:27 -04:00
34a4ef201a privacy dropdowns moved to be more out of the way 2011-07-30 22:08:38 -04:00
0e522fa371 better handle list emptiness for drag-n-drop 2011-07-30 19:47:04 -04:00
75961abc17 privacy for unlisted hangers 2011-07-30 19:45:28 -04:00
9a7b13dc5d drag and drop on Your Items <3 2011-07-30 13:40:41 -04:00
48ee765505 Your Items autocompleter is totally chill with moving items around to different lists 2011-07-29 23:26:48 -04:00
811d6df697 only show Add New List if user has permission 2011-07-29 13:29:32 -04:00
d893b0ab41 Your Items autocomplete supports lists 2011-07-29 11:25:17 -04:00
358840076c closet lists, round one 2011-07-29 10:52:04 -04:00
b86ce67c02 first pass at closet lists, including form 2011-07-26 20:27:23 -04:00
605fb88046 move userbar contributions link to points, since user now has more public profiles 2011-07-26 18:57:44 -04:00
e6c419c7e0 give user paths a canonical tag 2011-07-26 18:56:14 -04:00
c592459d02 improve Your Items copy given the different groups 2011-07-26 18:41:15 -04:00
c3279f0512 keep track of the closet page we are importing, even if it errored out 2011-07-25 14:22:26 -04:00
2983849b1f closet page importer also warns to log in in another window 2011-07-25 14:15:23 -04:00
6203caf186 Your Items autocompleter can add to both owned and wanted 2011-07-25 14:06:07 -04:00
7476314953 show/hide hints on Your Items headers 2011-07-22 18:06:46 -04:00
d9f94ae3fa Your Items page aware of wanting items 2011-07-22 17:55:05 -04:00
12f5b28c94 wardrobe now works with owned/wanted 2011-07-22 17:06:21 -04:00
6d155ecaf1 show owned/wanted icons and search filters 2011-07-22 16:52:40 -04:00
85af53417b distinguish between owning and wanting an item 2011-07-22 15:35:38 -04:00
01ba06b1b4 closet neopets username 2011-07-22 14:02:04 -04:00
8f646b4a10 closet importer gets back to your items link 2011-07-20 15:22:00 -04:00
c5103b6557 neomail link on closets 2011-07-20 15:16:22 -04:00
02ef70f749 simplify closet hangers view, replace user_is?(@user) with !public_perspective? 2011-07-20 12:39:18 -04:00
e0c00cc8ed Your Items link on wardrobe 2011-07-17 17:52:40 -04:00
f2d6a454c5 explain user:owns on item search 2011-07-17 17:28:45 -04:00
884ad2d5b8 user:owns in item search 2011-07-17 17:24:29 -04:00
eac0d327f9 add items to closet via magic autocomplete 2011-07-16 01:09:04 -04:00
77818471c5 closet hangers page has nice remove button 2011-07-15 23:14:26 -04:00
eeb3fc3af9 closet hangers page gets serious ajax action 2011-07-15 22:52:53 -04:00
99e59a2f9b oops. quantity form only shows on current user closet 2011-07-15 19:29:43 -04:00
437b1c052d quantity form on your items page 2011-07-15 17:21:18 -04:00
d782108e00 items link in userbar 2011-07-15 16:59:22 -04:00
1fa9a48ad2 pretty quantities on hangers index 2011-07-15 16:59:15 -04:00