Do not autologin if more than one token is found (#3351).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Wed, 13 May 2009 16:56:31 +0000 (16:56 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Wed, 13 May 2009 16:56:31 +0000 (16:56 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2742 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/user.rb

index 3c6f7238746d9d6def7175ee35c20edd8f22190d..7bcf999f2f25cdc24623a01c4eb0818847314b83 100644 (file)
@@ -128,10 +128,14 @@ class User < ActiveRecord::Base
   
   # Returns the user who matches the given autologin +key+ or nil
   def self.try_to_autologin(key)
-    token = Token.find_by_action_and_value('autologin', key)
-    if token && (token.created_on > Setting.autologin.to_i.day.ago) && token.user && token.user.active?
-      token.user.update_attribute(:last_login_on, Time.now)
-      token.user
+    tokens = Token.find_all_by_action_and_value('autologin', key)
+    # Make sure there's only 1 token that matches the key
+    if tokens.size == 1
+      token = tokens.first
+      if (token.created_on > Setting.autologin.to_i.day.ago) && token.user && token.user.active?
+        token.user.update_attribute(:last_login_on, Time.now)
+        token.user
+      end
     end
   end
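Review bot: The duplicate case in `try_to_autologin` fails closed but silently: when `tokens.size` is greater than 1 the method returns nil, so nothing records that several autologin tokens share one value, and the colliding rows stay in the table. A collision on a value that is meant to be unguessable is worth surfacing, for example with `logger.warn("autologin: #{tokens.size} tokens match the presented key") if tokens.size > 1` before the `if`, logging the count rather than the key. The size check only handles duplicates at read time; a unique index on the token's action/value pair would reject them at write time, though the tokens table definition is not visible here, so that needs confirming against the schema. It may also be worth returning nil early when `key` is blank, since the lookup would presumably match a token stored with an empty value.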