sorcery
sorcery copied to clipboard
NoamB
add_provider_to_user does not check if provider and uid already exists
Here my callback method:
def callback
authorize! :create, :oauth
provider = params[:provider]
begin
if logged_in?
@user = add_provider_to_user(provider)
if @user
redirect_back_or_to root_path, notice: t('oauth.flash.added_success', provider: t("oauth.providers.#{provider}") )
else
redirect_back_or_to root_path, alert: t('oauth.flash.added_fail', provider: t("oauth.providers.#{provider}") )
end
else
if @user = login_from(provider)
redirect_back_or_to root_path, notice: t('oauth.flash.success', provider: t("oauth.providers.#{provider}") )
else
@user = create_and_validate_from(provider)
if @user.errors.size > 0
redirect_to signup_path, notice: t('oauth.flash.not_enough')
else
@user = login_from(provider)
reset_session # protect from session fixation attack
auto_login(@user)
redirect_back_or_to root_path, notice: t('oauth.flash.success', provider: t("oauth.providers.#{provider}") )
end
end
end
rescue
redirect_back_or_to root_path, alert: t('oauth.flash.fail', provider: t("oauth.providers.#{provider}") )
end
end
and db enteries (id, user_id, provider, uid...)
"2";3;"twitter";"168075099";"2013-04-25 12:34:24.120924";"2013-04-25 12:34:24.120924"
"3";1;"twitter";"168075099";"2013-04-25 12:59:02.326164";"2013-04-25 12:59:02.326164"
Scenario:
- Create user from twitter
- Log in as another user
- Add provider to current user
Is this a bug or I am doing something wrong?
Hey,
quite an old issue, but I've checked it as I got it from CodeTriage recently.
Method add_provider_to_user checks if the provider and uid exist for currently logged user. If not, it's added to current_user.
So it is actually possible that a few users have the same OAuth account assigned. I think it's a bug, but I'm not really sure what to do in such case: raise an error? Or just return false?
