Stringify api_key

By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs @radar, please take a look at Mr. Outsider's PR Fixes #2492
spree · Jan 26, 2013 · 3c2015e · 3c2015e · runlevel5 · Jan 26, 2013
1 parent 9005432
commit 3c2015e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/api/app/controllers/spree/api/base_controller.rb b/api/app/controllers/spree/api/base_controller.rb
@@ -53,7 +53,7 @@ def check_for_api_key
 
       def authenticate_user
         if requires_authentication? || api_key.present?
-          unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key)
+          unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key.to_s)
             render "spree/api/errors/invalid_api_key", :status => 401 and return
           end
         else