Authlogic can make some usernames impossible to log in to #61

Closed
alekseyg opened this Issue Oct 17, 2009 · 7 comments


Authlogic allows people to register with the same login plus a trailing space. I don't know about other databases, but this makes it impossible to log in with the second login using MySQL. Example:

User1 signs up with login "John"
User2 signs up with login "John "

`first(:conditions => ["LOWER(users.login) = ?", "John ".downcase])` returns User1 rather than User2.

Also, Authlogic allows the login to be an email address by default, which can cause problems if you enable email or login to log in.

hansef commented Dec 16, 2010

Use strip? I don't think Authlogic should be responsible for decisions about how to clean the login argument.

Contributor

nathany commented Jun 2, 2014

Ran into the second issue recently. Should Authlogic have a validation ensure the username is not an email address of another user? (which prevents that user from logging in)

Maybe the existing Rails validation tools can help:
```ruby
validates :email, presence: true, uniqueness: true
```

Contributor

nathany commented Jun 3, 2014

@danlaffan That's not exactly the problem.

It's an issue where the email == username of a different user. I don't think Rails has a built-in validation for that, but I could certainly write a custom validation in our app instead of adding it to authlogic.

Something like this?

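```ruby
# user.rb
# Custom validation methods are registered with `validate`, not `validates`.
validate :login_cant_already_be_email

# Reject a login that matches a different user's email address.
def login_cant_already_be_email
  if User.where(email: login).where.not(id: id).exists?
    errors.add(:login, 'has already been taken')
  end
end
```
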
Collaborator

jaredbeck commented Dec 25, 2016

To deal with trailing whitespace, I'd recommend using validates_format_of_login_field_options.

> Should Authlogic have a validation ensure the username is not an email address of another user? (which prevents that user from logging in)

Can someone please confirm that this is still an issue with the latest version of authlogic (currently 3.5)? Thanks.

Contributor

nathany commented Dec 26, 2016

Sorry, I can't confirm. I no longer do any work with Rails, much less Authlogic.

jaredbeck closed this Dec 30, 2016
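
The two collisions reported in this thread, as an added example in plain Ruby (not Authlogic's code and not any commenter's): `pad_space_eq?` models the comparison behaviour described in the first post (case folded, trailing spaces ignored), and `register` rejects any login or email that collides with an existing login or email under that same comparison. `User`, `UserStore`, the method names and all sample values are constructed for illustration.

```ruby
# Added example, plain Ruby (no Rails). All names and data are constructed.
User = Struct.new(:id, :login, :email)

# Models a case-insensitive comparison that ignores trailing spaces.
def pad_space_eq?(a, b)
  a.downcase.sub(/ +\z/, "") == b.downcase.sub(/ +\z/, "")
end

class UserStore
  attr_reader :users

  def initialize
    @users = []
  end

  # Like the query in the issue: the first row whose login compares equal.
  def find_by_login(login)
    users.find { |u| pad_space_eq?(u.login, login) }
  end

  # Sign-in by "email or login": the first row matching on either column.
  def find_by_login_or_email(value)
    users.find { |u| pad_space_eq?(u.login, value) || pad_space_eq?(u.email, value) }
  end

  # Registration guard: returns [user, errors]; stores nothing when errors exist.
  def register(login, email)
    errors = []
    errors << "login has leading or trailing whitespace" if login != login.strip
    errors << "login has already been taken" if taken?(login)
    errors << "email has already been taken" if taken?(email)
    return [nil, errors] unless errors.empty?

    user = User.new(users.size + 1, login, email)
    users << user
    [user, errors]
  end

  private

  # An identifier is taken if it equals ANY existing login or email, compared
  # the same way the lookup compares, so no stored row can shadow another.
  def taken?(value)
    users.any? { |u| pad_space_eq?(u.login, value) || pad_space_eq?(u.email, value) }
  end
end
```

Appending `John` and `John ` directly to `users` and then calling `find_by_login("John ")` returns the first row, which is the lockout described in the issue.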
