Conditional string conversion of auth params (Closes #1079)

2022-11-09 12:18:31 -05:00 · 2011-05-26 15:45:03 +02:00 · 2011-05-26 15:45:03 +02:00 · ab3bb9cf4d
commit ab3bb9cf4d
parent 69126a31db
2 changed files with 12 additions and 1 deletions
--- a/lib/devise/models/authenticatable.rb
+++ b/lib/devise/models/authenticatable.rb
@ -152,9 +152,14 @@ module Devise
        # Force keys to be string to avoid injection on mongoid related database.
        def filter_auth_params(conditions)
          conditions.each do |k, v|
-            conditions[k] = v.to_s
+            conditions[k] = v.to_s if auth_param_requires_string_conversion?(v)
          end if conditions.is_a?(Hash)
        end
+        
+        # Determine which values should be transformed to string or passed as-is to the query builder underneath
+        def auth_param_requires_string_conversion?(value)
+          true unless value.is_a?(TrueClass) || value.is_a?(FalseClass) || value.is_a?(Fixnum)
+        end

        # Generate a token by looping and ensuring does not already exist.
        def generate_token(column)
--- a/test/models/database_authenticatable_test.rb
+++ b/test/models/database_authenticatable_test.rb
@ -28,6 +28,12 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase

    assert_equal({ 'login' => 'foo@bar.com' }, conditions)
  end
+  
+  test "filter_auth_params should not convert booleans and integer to strings" do
+    conditions = { 'login' => 'foo@bar.com', "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => (1..10) }
+    conditions = User.__send__(:filter_auth_params, conditions)
+    assert_equal( { 'login' => 'foo@bar.com', "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => "1..10" }, conditions)
+  end

  test 'should respond to password and password confirmation' do
    user = new_user