Merge pull request #516 from jasco/fix/safer-user-lookup

Do exact case insensitive match when looking up user

flask_security/core.py

@@ -14,7 +14,6 @@
 from datetime import datetime
 
 import pkg_resources
-
 from flask import current_app, render_template
 from flask_babelex import Domain
 from flask_login import UserMixin as BaseUserMixin

flask_security/datastore.py

@@ -9,6 +9,9 @@
     :license: MIT, see LICENSE for more details.
 """
 
+from peewee import fn as peeweeFn
+from sqlalchemy import func as alchemyFn
+
 from .utils import get_identity_attributes, string_types
 
 
@@ -236,7 +239,8 @@ def get_user(self, identifier):
         if self._is_numeric(identifier):
             return self.user_model.query.get(identifier)
         for attr in get_identity_attributes():
-            query = getattr(self.user_model, attr).ilike(identifier)
+            query = alchemyFn.lower(getattr(self.user_model, attr)) \
+                == alchemyFn.lower(identifier)
             rv = self.user_model.query.filter(query).first()
             if rv is not None:
                 return rv
@@ -353,7 +357,8 @@ def get_user(self, identifier):
         for attr in get_identity_attributes():
             column = getattr(self.user_model, attr)
             try:
-                return self.user_model.get(column ** identifier)
+                return self.user_model.get(
+                    peeweeFn.Lower(column) == peeweeFn.Lower(identifier))
             except self.user_model.DoesNotExist:
                 pass
 

tests/test_datastore.py

@@ -98,6 +98,10 @@ def test_get_user(app, datastore):
         user = datastore.get_user('matt')
         assert user is not None
 
+        # Regression check
+        user = datastore.get_user('%lp.com')
+        assert user is None
+
 
 def test_find_role(app, datastore):
     init_app_with_options(app, datastore)