Handle nil values correctly in User.authenticateUser

2019-11-11 11:07:52 +01:00 · 2019-11-11 11:07:52 +01:00 · 1d9856ff93
parent 241d504a76
commit 1d9856ff93
2 changed files with 7 additions and 1 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -203,7 +203,7 @@ class User < ApplicationRecord

  def self.authenticate(login, password)
    user = find_by_nick(login) || find_by_email(login)
-    if user && user.has_password(password)
+    if user && password && user.has_password(password)
      user
    else
      nil
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -32,6 +32,12 @@ describe User do
    it 'can not authenticate with incorrect password' do
      expect(User.authenticate(user.nick, 'foobar')).to be_nil
    end
+    it 'can not authenticate with nil nick' do
+      expect(User.authenticate(nil, 'blahblah')).to be_nil
+    end
+    it 'can not authenticate with nil password' do
+      expect(User.authenticate(user.nick, nil)).to be_nil
+    end
    it 'can not set a password without matching confirmation' do
      user.password = 'abcdefghij'
      user.password_confirmation = 'foobarxyz'