From 6f05d47a8de4bdf4b03609c10569bcec967fdded Mon Sep 17 00:00:00 2001
From: Absurdon
Date: Mon, 13 Apr 2020 15:34:12 +0000
Subject: [PATCH] FIX in User#authenticate:
* make search by username case sensitive as in prod there already are usernames diffing only in case
* use guard clause instead of nesting
---
app/models/user.rb | 62 +++++++++++++++++++++++-----------------------
1 file changed, 31 insertions(+), 31 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index e66d35c..f9264be 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -429,7 +429,7 @@ class User < ActiveRecord::Base break end end - + end if errors[:email] self.email = "%s@ensl.org" % cleanup_string(username)
@@ -449,38 +449,38 @@ class User < ActiveRecord::Base end def self.authenticate(login) - if (user = where("LOWER(username) = LOWER(?)", login[:username]).first) - begin - case user.password_hash - when User::PASSWORD_SCRYPT - # FIXME: If exception occurs here, user cannot log in - pass = SCrypt::Password.new(user.password) - return user if pass == login[:password] - when User::PASSWORD_MD5_SCRYPT - pass = SCrypt::Password.new(user.password) - # Match to Scrypt(Md5(password)) - if pass == Digest::MD5.hexdigest(login[:password]) - user.raw_password = login[:password] - user.update_password - user.save! - return user - end - # when User::PASSWORD_MD5 - else - if user.password == Digest::MD5.hexdigest(login[:password]) - user.raw_password = login[:password] - user.update_password - user.save! - return user - end + user = where('username = ?', login[:username]).first + return nil unless user + + begin + case user.password_hash + when User::PASSWORD_SCRYPT + # FIXME: If exception occurs here, user cannot log in + pass = SCrypt::Password.new(user.password) + return user if pass == login[:password] + when User::PASSWORD_MD5_SCRYPT + pass = SCrypt::Password.new(user.password) + # Match to Scrypt(Md5(password)) + if pass == Digest::MD5.hexdigest(login[:password]) + user.raw_password = login[:password] + user.update_password + user.save! + return user + end + # when User::PASSWORD_MD5 + else + if user.password == Digest::MD5.hexdigest(login[:password]) + user.raw_password = login[:password] + user.update_password + user.save! + return user end - # TODO: controller needs to handle this - #rescue Exception => ex - # user.errors.add(:password, "%s (%s)" % [I18n.t(:password_corrupt), ex.class.to_s]) - # return nil end + # TODO: controller needs to handle this + #rescue Exception => ex + # user.errors.add(:password, "%s (%s)" % [I18n.t(:password_corrupt), ex.class.to_s]) + # return nil end - return nil end def self.get(id) 
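Review bot: The new `user = where('username = ?', login[:username]).first` only delivers the case-sensitive lookup the commit message promises if the `username` column's collation is case-sensitive; on a case-insensitive collation (the MySQL default) both usernames that differ only in case still match and `.first` on the unordered relation returns an arbitrary one of them, so a login attempt may be checked against the other account's hash. I would record that assumption on the line, e.g. `# assumes a case-sensitive/binary collation on username, otherwise duplicates differing only in case collide`, or enforce it in the query if the schema cannot guarantee it. Separately, the legacy MD5 branch retained on the new side compares hashes with plain `==` (`if user.password == Digest::MD5.hexdigest(login[:password])`), which is not constant-time; `if ActiveSupport::SecurityUtils.secure_compare(user.password, Digest::MD5.hexdigest(login[:password]))` would close that. `Digest::MD5.hexdigest(login[:password])` also still raises TypeError when `login[:password]` is nil, a case the new `return nil unless user` guard does not cover, and with the rescue still commented out a malformed stored hash keeps propagating out of `SCrypt::Password.new`, as the retained FIXME notes.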
@@ -536,4 +536,4 @@ class User < ActiveRecord::Base end return nil end -end \ No newline at end of file +end