Ignore non-String shop params in login_again_if_different_shop #477
Reverts #430, and adds a test to prevent regression.
In #430, I removed the `params[:shop].is_a?(String)` check from `LoginProtection::login_again_if_different_shop` because we didn't think it was needed. While working on another project I found out that this check is needed. Consider the case where someone has a `Shop` model in Rails. When they use form_for in a controller, Rails passes along the params under the `shop` hash, so:

If this hash is passed to `login_again_if_different_shop`, the following check is always true: `shop_session.url != params[:shop]`. Of course, using the non-default param gets around this.
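The comparison described above, as an added example that is not the shopify_app source: `ShopSession`, both helper methods and the sample params are hypothetical stand-ins, and a plain `Hash` is assumed in place of Rails' params object.

```ruby
# Added illustration; not the shopify_app source. ShopSession and both
# helper names are hypothetical stand-ins for the controller state.
ShopSession = Struct.new(:url)

# Check without the type guard (the behaviour after #430).
def relogin_unguarded?(shop_session, params)
  !!(shop_session && params[:shop] && shop_session.url != params[:shop])
end

# Check with the is_a?(String) guard that this PR restores.
def relogin_guarded?(shop_session, params)
  !!(shop_session && params[:shop].is_a?(String) &&
     shop_session.url != params[:shop])
end

SESSION = ShopSession.new("example.myshopify.com")

# Constructed sample params (assumption: plain Hashes, not Rails params).
CASES = {
  same_shop:  { shop: "example.myshopify.com" },
  other_shop: { shop: "other.myshopify.com" },
  # Shape submitted by a form for a Shop model: attributes nested under :shop.
  model_form: { shop: { "name" => "My store" } },
  no_param:   {}
}.freeze

# Run one of the two checks over every sample request.
def results(checker)
  CASES.transform_values { |params| send(checker, SESSION, params) }
end

if __FILE__ == $PROGRAM_NAME
  puts "unguarded: #{results(:relogin_unguarded?)}"
  puts "guarded:   #{results(:relogin_guarded?)}"
end
```

Only the `model_form` case differs between the two checks: a String never equals a Hash, so the unguarded comparison reports a different shop on every such request.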