Don't try to find a user by personal_access_token if the token is nil

Signed-off-by: Rémy Coutable <remy@rymai.me>

Don't try to find a user by personal_access_token if the token is nil
Signed-off-by: Rémy Coutable <remy@rymai.me>
8b6041bc · Rémy Coutable · c62314ab · 8b6041bc · 8b6041bc
Commit 8b6041bc authored Mar 22, 2017 by Rémy Coutable
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

app/controllers/application_controller.rb app/controllers/application_controller.rb +5 -2

app/models/user.rb app/models/user.rb +2 -0

No files found.
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -64,8 +64,11 @@ class ApplicationController < ActionController::Base

  # This filter handles both private tokens and personal access tokens
  def authenticate_user_from_private_token!
-    token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
-    user = User.find_by_authentication_token(token_string) || User.find_by_personal_access_token(token_string)
+    token = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
+
+    return unless token.present?
+
+    user = User.find_by_authentication_token(token) || User.find_by_personal_access_token(token)

    if user && can?(user, :log_in)
      # Notice we are passing store false, so the user is not

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -324,6 +324,8 @@ class User < ActiveRecord::Base
    end

    def find_by_personal_access_token(token_string)
+      return unless token_string
+
      PersonalAccessTokensFinder.new(state: 'active').find_by(token: token_string)&.user
    end