From b87753c90d2b2b077fcb0a95d778d8ad5b48ed6c Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Wed, 13 May 2009 16:56:31 +0000
Subject: [PATCH] Do not autologin if more that one token is found (#3351).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2742 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/user.rb | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 3c6f7238..7bcf999f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -128,10 +128,14 @@ class User < ActiveRecord::Base
 # Returns the user who matches the given autologin +key+ or nil
 def self.try_to_autologin(key)
- token = Token.find_by_action_and_value('autologin', key)
- if token && (token.created_on > Setting.autologin.to_i.day.ago) && token.user && token.user.active?
- token.user.update_attribute(:last_login_on, Time.now)
- token.user
+ tokens = Token.find_all_by_action_and_value('autologin', key)
+ # Make sure there's only 1 token that matches the key
+ if tokens.size == 1
+ token = tokens.first
+ if (token.created_on > Setting.autologin.to_i.day.ago) && token.user && token.user.active?
+ token.user.update_attribute(:last_login_on, Time.now)
+ token.user
+ end
 end
 end
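Review bot: `key` is handed to `Token.find_all_by_action_and_value('autologin', key)` unchecked on the first line of `try_to_autologin`, so a nil, empty or non-String value is matched against the token table as-is. Where the key comes from is outside this hunk, but a guard such as `return nil if key.blank?` followed by a lookup on `key.to_s` would restrict the query to a single non-empty string. The new `tokens.size == 1` branch also returns nil without a trace when several tokens share a value, which hides what is presumably a token-generation collision and leaves the duplicate rows in place. A `logger.warn` on that path, plus a uniqueness constraint on the token value if the schema lacks one (not visible here), would surface the condition instead of only failing the login. The rest of the `User` class lies outside the hunk.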