diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c54bb4421..61f357cd0 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -445,9 +445,9 @@ class ApplicationController < ActionController::Base
 # Returns the API key present in the request
 def api_key_from_request
 if params[:key].present?
- params[:key]
+ params[:key].to_s
 elsif request.headers["X-Redmine-API-Key"].present?
- request.headers["X-Redmine-API-Key"]
+ request.headers["X-Redmine-API-Key"].to_s
 end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 904420315..d0d1df834 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -130,8 +130,11 @@ class User < Principal
 # Returns the user that matches provided login and password, or nil
 def self.try_to_login(login, password)
+ login = login.to_s
+ password = password.to_s
+
 # Make sure no one can sign in with an empty password
- return nil if password.to_s.empty?
+ return nil if password.empty?
 user = find_by_login(login)
 if user
 # user is already in local database
@@ -164,7 +167,7 @@ class User < Principal
 # Returns the user who matches the given autologin +key+ or nil
 def self.try_to_autologin(key)
- tokens = Token.find_all_by_action_and_value('autologin', key)
+ tokens = Token.find_all_by_action_and_value('autologin', key.to_s)
 # Make sure there's only 1 token that matches the key
 if tokens.size == 1
 token = tokens.first
@@ -338,12 +341,12 @@ class User < Principal
 end
 def self.find_by_rss_key(key)
- token = Token.find_by_value(key)
+ token = Token.find_by_action_and_value('feeds', key.to_s)
 token && token.user.active? ? token.user : nil
 end
 def self.find_by_api_key(key)
- token = Token.find_by_action_and_value('api', key)
+ token = Token.find_by_action_and_value('api', key.to_s)
 token && token.user.active? ? token.user : nil
 end
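Review bot: The comment on `api_key_from_request` should say why the value is now passed through `.to_s`; without that, the next reader will see the call as redundant and remove it. Rack can hand `params[:key]` over as an Array or Hash (e.g. `key[]=...`), and `.to_s` turns such structured input into a plain string that no stored token value equals, so the lookup fails closed instead of passing a non-String to the finder. Suggested: `# Returns the API key present in the request as a String (or nil). The to_s coercion keeps Array/Hash params from reaching the Token lookup.` The header branch is already a String, so the coercion there is for consistency rather than necessity, which the comment could also mention.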
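Review bot: After the new `login = login.to_s` there is still no guard for an empty login, so `find_by_login('')` runs and, when it misses, the rest of the method (outside this hunk) presumably goes on to the external auth-source path with an empty login; a symmetric check is cheap, `return nil if login.empty? || password.empty?`, keeping the existing comment about empty passwords. Note that `[].to_s` is `"[]"` on Ruby 1.9+, so an Array param becomes a non-empty string rather than being rejected outright; if that should fail fast, checking `login.is_a?(String)` before coercing is clearer than relying on the lookup missing. The body of `try_to_login` continues past the end of the hunk, so I can only infer the later path.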
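Review bot: The `key.to_s` coercion is now repeated at every Token lookup — here in `try_to_autologin`, and again in `find_by_rss_key` and `find_by_api_key` in the last hunk — which means the next caller of a `Token.find_by_*` finder can simply forget it. A single class method on Token, e.g. `def self.find_token(action, key) find_by_action_and_value(action, key.to_s) end`, would put the coercion in one place and give the finder a natural spot for a key-format check if one is wanted later. The remainder of `try_to_autologin` is outside the hunk.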
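Review bot: `find_by_rss_key` now only matches tokens whose action is `'feeds'`, which is a deliberate narrowing (tokens created for other actions no longer work as RSS keys), yet the method carries no comment saying so and someone could "fix" it back to `find_by_value`. Suggested: `# Returns the active user owning the 'feeds' token +key+, or nil. Tokens of other actions (api, autologin) are deliberately not accepted here.` The `token.user.active?` on the following context line is unchanged, but would raise rather than return nil if a token's user were ever missing; `token && token.user && token.user.active?` would fail closed instead — hedged, since I can't see here whether the association is guaranteed elsewhere.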