From 019b570a70a147011af0dd4b93d3a7144d78993b Mon Sep 17 00:00:00 2001
From: KalabiYau
Date: Sun, 27 Apr 2014 18:03:47 +0200
Subject: [PATCH 1/4] Remove insecure storage of cookies secret

---
 config/config.yml.example | 1 +
 config/initializers/secret_token.rb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/config.yml.example b/config/config.yml.example
index 31ed06bc..f2e72703 100644
--- a/config/config.yml.example
+++ b/config/config.yml.example
@@ -12,6 +12,7 @@ defaults: &defaults
 # errbit configuration, get your own instance: https://github.com/errbit/errbit
 #errbit_key: 123456789101112131415
 #errbit_host: errbit.exmaple.com
+ cookies_secret_token: 'secretstringwhichshouldbechanged'
 development:
 <<: *defaults
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 95330c8a..98825f4a 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -4,4 +4,4 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Osem::Application.config.secret_token = '49fe86302d3297fdccac1614834f3036841416b22d0ea0b04ae140ce512e1d736f4ef796b85097cce902760071838b10d1ac0e3cf02f55fd2d1031d4fce2f956'
+Osem::Application.config.secret_token = CONFIG['cookies_secret_token']

From dd62e83324bcf666598c606a7f1b1c88aad736fd Mon Sep 17 00:00:00 2001
From: Gopesh Tulsyan
Date: Tue, 29 Apr 2014 11:19:55 +0530
Subject: [PATCH 2/4] Fix devise secret key by assigning some random string

---
 config/initializers/devise.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 77208236..c680a026 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
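Review bot: The added `cookies_secret_token` line puts a known, public value inside the `defaults:` anchor, so every environment that copies this example unchanged signs its session cookies with a secret readable from the repository — the same condition the secret_token.rb hunk of this patch removes. The two errbit keys directly above are left commented out, and the new key should follow that pattern, e.g. `#cookies_secret_token: # paste the output of rake secret here`, so that an operator who forgets the step ends up with a missing value rather than a shared one. The comment in secret_token.rb asks for at least 30 random characters; a dictionary-word placeholder does not meet that and should not be offered as a default.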
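Review bot: `CONFIG['cookies_secret_token']` is assigned without any check, so a config.yml that omits the key, or keeps the example value 'secretstringwhichshouldbechanged', is accepted and the application runs with a nil or publicly known secret; the initializer should refuse to boot in both cases, e.g. `secret = CONFIG['cookies_secret_token'].to_s`, `raise 'set cookies_secret_token in config/config.yml (generate it with rake secret)' if secret.empty? || secret == 'secretstringwhichshouldbechanged'`, `Osem::Application.config.secret_token = secret`. The same unguarded lookup applies to `CONFIG['devise_secret_key']` as restored by the devise.rb hunk of patch 4/4. Deleting the literal from the tree does not delete it from history: the hex value removed here remains readable in every clone, so each deployment that ran with it needs a freshly generated secret, which per the comment above invalidates existing signed cookies.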
@@ -2,7 +2,7 @@
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
 # ==> Secret key, generate one with `rake secret`
- config.secret_key = CONFIG['devise_secret_key']
+ config.secret_key = "somesecretkey1234"
 # ==> Mailer Configuration
 # Configure the e-mail address which will be shown in Devise::Mailer,

From 63c890a3f81c84e0ad04476ba88513b7b7eb6550 Mon Sep 17 00:00:00 2001
From: Gopesh Tulsyan
Date: Tue, 29 Apr 2014 11:22:54 +0530
Subject: [PATCH 3/4] Single quoted random string in devise.rb

---
 config/initializers/devise.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index c680a026..8938168d 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -2,7 +2,7 @@
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
 # ==> Secret key, generate one with `rake secret`
- config.secret_key = "somesecretkey1234"
+ config.secret_key = 'somesecretkey1234'
 # ==> Mailer Configuration
 # Configure the e-mail address which will be shown in Devise::Mailer,

From 541a2652fef97436ae9fd27f12d075a4a4a50cb8 Mon Sep 17 00:00:00 2001
From: Gopesh Tulsyan
Date: Wed, 30 Apr 2014 10:54:59 +0530
Subject: [PATCH 4/4] Added info in readme for users to generate secret key before copying config file

---
 README.md | 9 ++++++++-
 config/initializers/devise.rb | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 16d48476..6a5d210f 100644
--- a/README.md
+++ b/README.md
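Review bot: The new line hard-codes `"somesecretkey1234"` as Devise's signing key, which commits a secret to the repository exactly as patch 1/4 just stopped doing for the Rails cookie secret, and the value is neither random nor of the length `rake secret` produces, contrary to the comment line directly above it. Patch 3/4 only changes the quoting and patch 4/4 restores `config.secret_key = CONFIG['devise_secret_key']`, so 2/4 and 3/4 should be dropped or squashed into 4/4 so the literal never enters history; once pushed anywhere it has to be treated as compromised regardless of the later revert. If the motivation was that the value read from CONFIG was nil (the subject says "Fix devise secret key", which suggests that), the fix belongs in config.yml.example and in a boot-time check on the CONFIG value, not in the initializer's source. The `Devise.setup` block continues outside the hunk.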
@@ -19,7 +19,13 @@ git clone https://github.com/openSUSE/osem.git
 bundle install
 ```
 3. Install ImageMagick from your distribution repository
-4. Copy the sample configuration files and adapt them
+4. Generate secret key for devise and the rails app with
+```
+rake secret
+```
+Look at config/config.yml.example.
+
+5. Copy the sample configuration files and adapt them
 ```
 cp config/config.yml.example config/config.yml
 cp config/database.yml.example config/database.yml
@@ -28,6 +34,7 @@ cp config/database.yml.example config/database.yml
 ```
 bundle exec rake db:setup
 ```
+
 7. Run OSEM
 ```
 rails server
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 8938168d..77208236 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -2,7 +2,7 @@
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
 # ==> Secret key, generate one with `rake secret`
- config.secret_key = 'somesecretkey1234'
+ config.secret_key = CONFIG['devise_secret_key']
 # ==> Mailer Configuration
 # Configure the e-mail address which will be shown in Devise::Mailer,
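Review bot: This hunk restores the CONFIG lookup (the index line's new blob 77208236 is the one patch 2/4 started from, so it is an exact revert), but nothing in the series adds a `devise_secret_key` entry to config/config.yml.example — patch 1/4 adds only `cookies_secret_token` — so the README sentence added in this same commit, "Look at config/config.yml.example.", only helps if the example file already documents `devise_secret_key`; if it does not, add it there, commented out, next to cookies_secret_token. Nothing here rejects a missing or placeholder value, and what Devise does with a nil `secret_key` depends on the Devise version the hunk does not show, so a guard such as `raise 'set devise_secret_key in config/config.yml (generate it with rake secret)' if CONFIG['devise_secret_key'].to_s.empty?` placed before this assignment would make the new README step enforceable independent of that. The `Devise.setup` block continues outside the hunk.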