Improve on broken MySQL handling of login tokens #1234

2013-02-12 12:02:35 +01:00 · 2013-02-12 12:02:35 +01:00 · 430b6bb442
parent 3f9007b909
commit 430b6bb442
2 changed files with 5 additions and 5 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@ -37,7 +37,7 @@ class AccountController < ApplicationController
  def lost_password
    redirect_to(home_url) && return unless Setting.lost_password?
    if params[:token]
-      @token = Token.find_by_action_and_value("recovery", params[:token])
+      @token = Token.find_by_action_and_value("recovery", params[:token].to_s)
      redirect_to(home_url) && return unless @token and !@token.expired?
      @user = @token.user
      if request.post?
@ -53,7 +53,7 @@ class AccountController < ApplicationController
      return
    else
      if request.post?
-        user = User.find_by_mail(params[:mail])
+        user = User.find_by_mail(params[:mail].to_s)
        # user not found in db
        (flash.now[:error] = l(:notice_account_unknown_email); return) unless user
        # user uses an external authentification
@ -109,7 +109,7 @@ class AccountController < ApplicationController
  # Token based account activation
  def activate
    redirect_to(home_url) && return unless Setting.self_registration? && params[:token]
-    token = Token.find_by_action_and_value('register', params[:token])
+    token = Token.find_by_action_and_value('register', params[:token].to_s)
    redirect_to(home_url) && return unless token and !token.expired?
    user = token.user
    redirect_to(home_url) && return unless user.registered?
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -82,11 +82,11 @@ class ApplicationController < ActionController::Base
      user
    elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
      # RSS key authentication does not start a session
-      User.find_by_rss_key(params[:key])
+      User.find_by_rss_key(params[:key].to_s)
    elsif Setting.rest_api_enabled? && api_request?
      if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action])
        # Use API key
-        User.find_by_api_key(key)
+        User.find_by_api_key(key.to_s)
      else
        # HTTP Basic, either username/password or API key/random
        authenticate_with_http_basic do |username, password|