Changes to support abtesting output. Security

- Users can now export the number of votes from specific vistors (sessions) - Users must now authenticate before accessing protected resources

Changes to support abtesting output. Security
- Users can now export the number of votes from specific vistors (sessions) - Users must now authenticate before accessing protected resources
Dhruv Kapadia
1 parent 1d31c2c6
Showing 5 changed files with 30 additions and 92 deletions Show diff stats
app/controllers/questions_controller.rb
app/controllers/visitors_controller.rb
app/models/visitor.rb
app/models/vote.rb
config/routes.rb
 require 'fastercsv'
 class QuestionsController < InheritedResources::Base
+  before_filter :authenticate
   respond_to :xml, :json
   respond_to :csv, :only => :export #leave the option for xml export here
   belongs_to :site, :optional => true
@@ -49,7 +50,6 @@ class QuestionsController &lt; InheritedResources::Base
   end
   def create
-    authenticate
     logger.info "all params are #{params.inspect}"
     logger.info "vi is #{params['question']['visitor_identifier']} and local are #{params['question']['local_identifier']}."
     if @question = current_user.create_question(params['question']['visitor_identifier'], :name => params['question']['name'], :local_identifier => params['question']['local_identifier'], :ideas => (params['question']['ideas'].lines.to_a.delete_if {|i| i.blank?}))
@@ -66,7 +66,6 @@ class QuestionsController &lt; InheritedResources::Base
   def set_autoactivate_ideas_from_abroad
-    authenticate
     expire_page :action => :index
     logger.info("INSIDE autoactivate ideas")
@@ -88,8 +87,6 @@ class QuestionsController &lt; InheritedResources::Base
   end
   def export
-    authenticate
-
     type = params[:type]
     if type == 'votes'
@@ -104,8 +101,6 @@ class QuestionsController &lt; InheritedResources::Base
   end
   def num_votes_by_visitor_id
-    authenticate
-
     @question = current_user.questions.find(params[:id])
     hash = Vote.count(:conditions => "question_id = #{@question.id}", :group => "voter_id")
     visitor_id_hash = {}
-class VisitorsController < ApplicationController
-  # GET /visitors
-  # GET /visitors.xml
-  def index
-    @visitors = Visitor.all
+class VisitorsController < InheritedResources::Base
+        respond_to :xml, :json
+	before_filter :authenticate
+	def votes_by_session_ids
+		session_ids = params[:session_ids]
+
+		visitor_ids = Visitor.find(:all, :conditions => { :identifier => session_ids})
+		votes_by_visitor_id = Vote.with_voter_ids(visitor_ids).count(:group => :voter_id) 
+
+		votes_by_session_id = {}
+		
+		visitor_ids.each do |e| 
+			if votes_by_visitor_id.has_key?(e.id)
+				votes_by_session_id[e.identifier] = votes_by_visitor_id[e.id]
+			end
+		end
+    		
+		respond_to do |format|
+    			format.xml{ render :xml => votes_by_session_id.to_xml and return}
+    		end
+	end
-    respond_to do |format|
-      format.html # index.html.erb
-      format.xml  { render :xml => @visitors }
-    end
-  end
-
-  # GET /visitors/1
-  # GET /visitors/1.xml
-  def show
-    @visitor = Visitor.find(params[:id])
-
-    respond_to do |format|
-      format.html # show.html.erb
-      format.xml  { render :xml => @visitor }
-    end
-  end
-
-  # GET /visitors/new
-  # GET /visitors/new.xml
-  def new
-    @visitor = Visitor.new
-
-    respond_to do |format|
-      format.html # new.html.erb
-      format.xml  { render :xml => @visitor }
-    end
-  end
-
-  # GET /visitors/1/edit
-  def edit
-    @visitor = Visitor.find(params[:id])
-  end
-
-  # POST /visitors
-  # POST /visitors.xml
-  def create
-    @visitor = Visitor.new(params[:visitor])
-
-    respond_to do |format|
-      if @visitor.save
-        flash[:notice] = 'Visitor was successfully created.'
-        format.html { redirect_to(@visitor) }
-        format.xml  { render :xml => @visitor, :status => :created, :location => @visitor }
-      else
-        format.html { render :action => "new" }
-        format.xml  { render :xml => @visitor.errors, :status => :unprocessable_entity }
-      end
-    end
-  end
-
-  # PUT /visitors/1
-  # PUT /visitors/1.xml
-  def update
-    @visitor = Visitor.find(params[:id])
-
-    respond_to do |format|
-      if @visitor.update_attributes(params[:visitor])
-        flash[:notice] = 'Visitor was successfully updated.'
-        format.html { redirect_to(@visitor) }
-        format.xml  { head :ok }
-      else
-        format.html { render :action => "edit" }
-        format.xml  { render :xml => @visitor.errors, :status => :unprocessable_entity }
-      end
-    end
-  end
-
-  # DELETE /visitors/1
-  # DELETE /visitors/1.xml
-  def destroy
-    @visitor = Visitor.find(params[:id])
-    @visitor.destroy
-
-    respond_to do |format|
-      format.html { redirect_to(visitors_url) }
-      format.xml  { head :ok }
-    end
-  end
 end
@@ -7,8 +7,10 @@ class Visitor &lt; ActiveRecord::Base
   has_many :clicks
   validates_presence_of :site, :on => :create, :message => "can't be blank"
-  validates_uniqueness_of :identifier, :on => :create, :message => "must be unique", :scope => :site_id
-  
+# validates_uniqueness_of :identifier, :on => :create, :message => "must be unique", :scope => :site_id
+
+ named_scope :with_tracking, lambda { |*args| {:include => :votes, :conditions => { :identifier => args.first } }}
+
   def owns?(question)
     questions.include? question
   end
@@ -8,4 +8,5 @@ class Vote &lt; ActiveRecord::Base
   named_scope :recent, lambda { |*args| {:conditions => ["created_at > ?", (args.first || Date.today.beginning_of_day)]} }
   named_scope :with_question, lambda { |*args| {:conditions => {:question_id => args.first }} }
+  named_scope :with_voter_ids, lambda { |*args| {:conditions => {:voter_id=> args.first }} }
 end
 ActionController::Routing::Routes.draw do |map|
-  map.resources :clicks
+  #map.resources :clicks
+  map.resources :visitors, :collection => {:votes_by_session_ids => :get}
   map.resources :questions, :member => { :num_votes_by_visitor_id => :get, :export => :post, :set_autoactivate_ideas_from_abroad => :put,  :activate => :put, :suspend => :put}, :collection => {:recent_votes_by_question_id => :get} do |question|
     question.resources :items
     question.resources :prompts, :member => {:vote_left => :post, :vote_right => :post, :skip => :post, :vote => :post}, 
@@ -8,6 +9,7 @@ ActionController::Routing::Routes.draw do |map|
   end
   map.resources :algorithms
   map.connect "/questions/:question_id/prompts/:id/vote/:index", :controller => 'prompts', :action => 'vote'
+
1	-class VisitorsController < ApplicationController
2	- # GET /visitors
3	- # GET /visitors.xml
4	- def index
5	- @visitors = Visitor.all	1	+class VisitorsController < InheritedResources::Base
		2	+ respond_to :xml, :json
		3	+ before_filter :authenticate
		4	+ def votes_by_session_ids
		5	+ session_ids = params[:session_ids]
		6	+
		7	+ visitor_ids = Visitor.find(:all, :conditions => { :identifier => session_ids})
		8	+ votes_by_visitor_id = Vote.with_voter_ids(visitor_ids).count(:group => :voter_id)
		9	+
		10	+ votes_by_session_id = {}
		11	+
		12	+ visitor_ids.each do \|e\|
		13	+ if votes_by_visitor_id.has_key?(e.id)
		14	+ votes_by_session_id[e.identifier] = votes_by_visitor_id[e.id]
		15	+ end
		16	+ end
		17	+
		18	+ respond_to do \|format\|
		19	+ format.xml{ render :xml => votes_by_session_id.to_xml and return}
		20	+ end
		21	+ end
6		22
7	- respond_to do \|format\|
8	- format.html # index.html.erb
9	- format.xml { render :xml => @visitors }
10	- end
11	- end
12	-
13	- # GET /visitors/1
14	- # GET /visitors/1.xml
15	- def show
16	- @visitor = Visitor.find(params[:id])
17	-
18	- respond_to do \|format\|
19	- format.html # show.html.erb
20	- format.xml { render :xml => @visitor }
21	- end
22	- end
23	-
24	- # GET /visitors/new
25	- # GET /visitors/new.xml
26	- def new
27	- @visitor = Visitor.new
28	-
29	- respond_to do \|format\|
30	- format.html # new.html.erb
31	- format.xml { render :xml => @visitor }
32	- end
33	- end
34	-
35	- # GET /visitors/1/edit
36	- def edit
37	- @visitor = Visitor.find(params[:id])
38	- end
39	-
40	- # POST /visitors
41	- # POST /visitors.xml
42	- def create
43	- @visitor = Visitor.new(params[:visitor])
44	-
45	- respond_to do \|format\|
46	- if @visitor.save
47	- flash[:notice] = 'Visitor was successfully created.'
48	- format.html { redirect_to(@visitor) }
49	- format.xml { render :xml => @visitor, :status => :created, :location => @visitor }
50	- else
51	- format.html { render :action => "new" }
52	- format.xml { render :xml => @visitor.errors, :status => :unprocessable_entity }
53	- end
54	- end
55	- end
56	-
57	- # PUT /visitors/1
58	- # PUT /visitors/1.xml
59	- def update
60	- @visitor = Visitor.find(params[:id])
61	-
62	- respond_to do \|format\|
63	- if @visitor.update_attributes(params[:visitor])
64	- flash[:notice] = 'Visitor was successfully updated.'
65	- format.html { redirect_to(@visitor) }
66	- format.xml { head :ok }
67	- else
68	- format.html { render :action => "edit" }
69	- format.xml { render :xml => @visitor.errors, :status => :unprocessable_entity }
70	- end
71	- end
72	- end
73	-
74	- # DELETE /visitors/1
75	- # DELETE /visitors/1.xml
76	- def destroy
77	- @visitor = Visitor.find(params[:id])
78	- @visitor.destroy
79	-
80	- respond_to do \|format\|
81	- format.html { redirect_to(visitors_url) }
82	- format.xml { head :ok }
83	- end
84	- end
85	end	23	end
	@@ -8,4 +8,5 @@ class Vote < ActiveRecord::Base		@@ -8,4 +8,5 @@ class Vote < ActiveRecord::Base
8		8
9	named_scope :recent, lambda { \|*args\| {:conditions => ["created_at > ?", (args.first \|\| Date.today.beginning_of_day)]} }	9	named_scope :recent, lambda { \|*args\| {:conditions => ["created_at > ?", (args.first \|\| Date.today.beginning_of_day)]} }
10	named_scope :with_question, lambda { \|*args\| {:conditions => {:question_id => args.first }} }	10	named_scope :with_question, lambda { \|*args\| {:conditions => {:question_id => args.first }} }
		11	+ named_scope :with_voter_ids, lambda { \|*args\| {:conditions => {:voter_id=> args.first }} }
11	end	12	end