From 39ed3322990bcd8682d9eeecffb2e1972c996446 Mon Sep 17 00:00:00 2001
From: Lucas Mazza
Date: Thu, 18 Sep 2014 18:15:08 -0300
Subject: [PATCH] Ensure that we sanitize any `AC::Parameters` in `find_or_initialize_with_errors`.

As we are already slicing the Hash, we must be sure that this method will send a "safe" object down to the other finder methods that will use the Hash entries to do the querying.
---
 lib/devise/models/authenticatable.rb | 2 +-
 test/models/authenticatable_test.rb | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/devise/models/authenticatable.rb b/lib/devise/models/authenticatable.rb
index 78be957b..75cb2d0e 100644
--- a/lib/devise/models/authenticatable.rb
+++ b/lib/devise/models/authenticatable.rb
@@ -253,7 +253,7 @@ module Devise
       # Find an initialize a group of attributes based on a list of required attributes.
       def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-        attributes = attributes.slice(*required_attributes)
+        attributes = attributes.slice(*required_attributes).with_indifferent_access
         attributes.delete_if { |key, value| value.blank? }
         if attributes.size == required_attributes.size
diff --git a/test/models/authenticatable_test.rb b/test/models/authenticatable_test.rb
index 3d791d44..ba664f3e 100644
--- a/test/models/authenticatable_test.rb
+++ b/test/models/authenticatable_test.rb
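Review bot: The added `.with_indifferent_access` on the `+` line may not actually shed the `ActionController::Parameters` class: on Rails releases where `HashWithIndifferentAccess#with_indifferent_access` is implemented as `dup` and `Parameters#dup` preserves the receiver's class, the result is still a `Parameters` object, so the finder methods receive the same kind of object as before the change. Converting to a plain hash first, `attributes = attributes.slice(*required_attributes).to_hash.with_indifferent_access`, yields a plain `HashWithIndifferentAccess` regardless of what the caller passed in; this is worth confirming against the Rails versions Devise supports. A short why-comment above the line, `# Always hand the finders a plain hash, never the caller's AC::Parameters.`, would record the intent for the next maintainer. The body of find_or_initialize_with_errors continues past the end of the hunk.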
@@ -10,4 +10,14 @@ class AuthenticatableTest < ActiveSupport::TestCase
     assert_equal User.find_first_by_auth_conditions({ email: "example@example.com" }), user
     assert_nil User.find_first_by_auth_conditions({ email: "example@example.com" }, id: user.id.to_s.next)
   end
+
+  if defined?(ActionController::Parameters)
+    test 'does not passes an ActionController::Parameters to find_first_by_auth_conditions through find_or_initialize_with_errors' do
+      user = create_user(email: 'example@example.com')
+      attributes = ActionController::Parameters.new(email: 'example@example.com')
+
+      User.expects(:find_first_by_auth_conditions).with('email' => 'example@example.com').returns(user)
+      User.find_or_initialize_with_errors([:email], attributes)
+    end
+  end
 end
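Review bot: The expectation `User.expects(:find_first_by_auth_conditions).with('email' => 'example@example.com')` does not pin the class of the argument: if mocha matches a plain expected value by `==`, as I believe it does, then a `Hash` subclass such as `ActionController::Parameters` holding the same entry compares equal to that literal, and the test passes even when a `Parameters` object is passed straight through — the very regression its name says it guards against. A block matcher can check both content and class, e.g. `.with { |conditions| !conditions.is_a?(ActionController::Parameters) && conditions == { 'email' => 'example@example.com' } }`. The test name reads `does not passes`; `does not pass` is the intended wording.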