From 39ed3322990bcd8682d9eeecffb2e1972c996446 Mon Sep 17 00:00:00 2001
From: Lucas Mazza <lucas.mazza@plataformatec.com.br>
Date: Thu, 18 Sep 2014 18:15:08 -0300
Subject: [PATCH] Ensure that we sanitize any `AC::Parameters` in
 `find_or_initialize_with_errors`.

 As we are already slicing the Hash, we must be sure that this method will send
 a "safe" object down to the other finder methods that will use the Hash entries
 to do the querying.
---
 lib/devise/models/authenticatable.rb |  2 +-
 test/models/authenticatable_test.rb  | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/devise/models/authenticatable.rb b/lib/devise/models/authenticatable.rb
index 78be957b..75cb2d0e 100644
--- a/lib/devise/models/authenticatable.rb
+++ b/lib/devise/models/authenticatable.rb
@@ -253,7 +253,7 @@ module Devise
 
         # Find an initialize a group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          attributes = attributes.slice(*required_attributes)
+          attributes = attributes.slice(*required_attributes).with_indifferent_access
           attributes.delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size
diff --git a/test/models/authenticatable_test.rb b/test/models/authenticatable_test.rb
index 3d791d44..ba664f3e 100644
--- a/test/models/authenticatable_test.rb
+++ b/test/models/authenticatable_test.rb
@@ -10,4 +10,14 @@ class AuthenticatableTest < ActiveSupport::TestCase
     assert_equal User.find_first_by_auth_conditions({ email: "example@example.com" }), user
     assert_nil User.find_first_by_auth_conditions({ email: "example@example.com" }, id: user.id.to_s.next)
   end
+
+  if defined?(ActionController::Parameters)
+    test 'does not passes an ActionController::Parameters to find_first_by_auth_conditions through find_or_initialize_with_errors' do
+      user = create_user(email: 'example@example.com')
+      attributes = ActionController::Parameters.new(email: 'example@example.com')
+
+      User.expects(:find_first_by_auth_conditions).with('email' => 'example@example.com').returns(user)
+      User.find_or_initialize_with_errors([:email], attributes)
+    end
+  end
 end