We can avoid using `html_safe` in various circumstances, through alternative approaches like i18n keys ending in `_html` or using `safe_join` to avoid converting via unsafe string types.
The `_html` keys approach only works for the ActionView helper version of `t`, not the base `I18n.t` method.
It's a convention in Rails to name your mailers with a Mailer suffix, and it is also common to name the class after the recipient (e.g. User, Admin). So UserMailer seems a reasonable choice.
As we don't have any way to actually find the active sessions for
an account we instead store a fingerprint in the session, and refuse
to use any session with a different fingerprint.
Unfortunately I've had to leave the check disabled as Brakeman
can't see inside the `safe_referer` method so it doesn't realise that
it is cleaning the referer.
This avoids needing to access the session id, which is currently
only working with the memcache store.
The fallback page is preserved for anyone who wants to logout without
using JavaScript.
Refs #2488
- this adds links to the ToU in the Welcome box and on the About page
- adds a timestamp column to the users table to record acceptance of the ToU
- require ToU to be accepted before signup can proceed
- rearrange and change text on signup page
To avoid Chrome getting upset about sending form data to sites
that our policy doesn't allow, even when it isn't, use JavaScript
to jump straight to OmniAuth as the direct OpenID-based login
buttons were already doing.
Fixes #1909