FIX

in User#authenticate: * make search by username case sensitive as in prod there already are usernames diffing only in case * use guard clause instead of nesting
2025-01-28 20:20:46 +00:00 · 2020-04-13 15:34:12 +00:00 · 2020-04-13 15:34:12 +00:00 · 6f05d47a8d
commit 6f05d47a8d
parent 88a6c697cc
1 changed files with 31 additions and 31 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -429,7 +429,7 @@ class User < ActiveRecord::Base
          break
        end
      end
-      
+
    end
    if errors[:email]
      self.email = "%s@ensl.org" % cleanup_string(username)
@ -449,38 +449,38 @@ class User < ActiveRecord::Base
  end

  def self.authenticate(login)
-    if (user = where("LOWER(username) = LOWER(?)", login[:username]).first)
-      begin
-        case user.password_hash
-        when User::PASSWORD_SCRYPT
-          # FIXME: If exception occurs here, user cannot log in
-          pass = SCrypt::Password.new(user.password)
-          return user if pass == login[:password]
-        when User::PASSWORD_MD5_SCRYPT
-          pass = SCrypt::Password.new(user.password)
-          # Match to Scrypt(Md5(password))
-          if pass == Digest::MD5.hexdigest(login[:password])
-            user.raw_password = login[:password]
-            user.update_password
-            user.save!
-            return user
-          end
-        # when User::PASSWORD_MD5
-        else
-          if user.password == Digest::MD5.hexdigest(login[:password])
-            user.raw_password = login[:password]
-            user.update_password
-            user.save!
-            return user
-          end
+    user = where('username = ?', login[:username]).first
+    return nil unless user
+
+    begin
+      case user.password_hash
+      when User::PASSWORD_SCRYPT
+        # FIXME: If exception occurs here, user cannot log in
+        pass = SCrypt::Password.new(user.password)
+        return user if pass == login[:password]
+      when User::PASSWORD_MD5_SCRYPT
+        pass = SCrypt::Password.new(user.password)
+        # Match to Scrypt(Md5(password))
+        if pass == Digest::MD5.hexdigest(login[:password])
+          user.raw_password = login[:password]
+          user.update_password
+          user.save!
+          return user
+        end
+      # when User::PASSWORD_MD5
+      else
+        if user.password == Digest::MD5.hexdigest(login[:password])
+          user.raw_password = login[:password]
+          user.update_password
+          user.save!
+          return user
        end
-      # TODO: controller needs to handle this
-      #rescue Exception => ex
-      #  user.errors.add(:password, "%s (%s)" % [I18n.t(:password_corrupt), ex.class.to_s])
-      #  return nil
      end
+    # TODO: controller needs to handle this
+    #rescue Exception => ex
+    #  user.errors.add(:password, "%s (%s)" % [I18n.t(:password_corrupt), ex.class.to_s])
+    #  return nil
    end
-    return nil
  end

  def self.get(id)
@ -536,4 +536,4 @@ class User < ActiveRecord::Base
    end
    return nil
  end
-end
+end