From: Simon Legner
Date: Sun, 11 Feb 2024 20:20:27 +0000 (+0100)
Subject: SessionsController: strip username
X-Git-Tag: live~784^2
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/a0aef5c7222d35805f5d3690c50e45db5226b2c4

SessionsController: strip username
---
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index ba2858ce4..3c2084a5b 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -20,7 +20,7 @@ class SessionsController < ApplicationController
 def create
 session[:remember_me] ||= params[:remember_me]
 session[:referer] = safe_referer(params[:referer]) if params[:referer]
- password_authentication(params[:username], params[:password])
+ password_authentication(params[:username].strip, params[:password])
 end

 def destroy
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index a94a9a158..4234bee70 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -48,6 +48,14 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 post login_path, :params => { :username => user.display_name, :password => "test" }
 assert_response :redirect
 assert_redirected_to root_path
+
+ post login_path, :params => { :username => " #{user.display_name}", :password => "test" }
+ assert_response :redirect
+ assert_redirected_to root_path
+
+ post login_path, :params => { :username => "#{user.display_name} ", :password => "test" }
+ assert_response :redirect
+ assert_redirected_to root_path
 end

 def test_logout_without_referer
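Review bot: In `create` in app/controllers/sessions_controller.rb, `params[:username].strip` raises NoMethodError when the `username` parameter is absent or arrives as an array or nested hash, so a malformed POST to this unauthenticated login endpoint becomes a 500 instead of a normal failed login. Before this change the raw value went straight to `password_authentication`, whose handling of nil is not visible here. Coerce before stripping, e.g. `password_authentication(params[:username].to_s.strip, params[:password])`. It is also worth confirming that the user model rejects display names with leading or trailing whitespace, otherwise such an account could no longer log in by name.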
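Review bot: The two added `post login_path` calls in test/controllers/sessions_controller_test.rb run in the same integration session as the successful login just above them, so they do not show by themselves that a padded name authenticates from a logged-out state; how the login action treats an already-authenticated session is not visible here. Putting each padded case in its own test, or calling `reset!` before it, would make the assertions independent. There is also no case for a request with the `username` parameter missing, e.g. `post login_path, :params => { :password => "test" }`, which would pin that the new `.strip` call does not turn a malformed login into an exception. The enclosing test method starts above this hunk.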