#21 ✓resolved
James B. Byrne

UserSessionsModel attributes setters overridden by acts_as_authentic

Reported by James B. Byrne | January 2nd, 2009 @ 12:38 PM

It is not clear from the documentation whether or not attribute setters in the UserSession model should modify the data used for login user authentication finds. However, correspondence with the authlogic author leads to the inference that they should.

Nonetheless, in user_session.rb, if one defines a setter method corresponding to a user.rb model login attribute then no custom processing contained therein is ever executed. The logic path goes to the model method definition and then passes from the model file never to return.

Specific instance:

Given a user model with the login attribute named "username"

class User < ActiveRecord::Base

  def username=(name)
    # hll_keycase is a local extension of class String.
    # it is equivalent to .strip.squeeze(" ").mb_chars.downcase
    write_attribute(:username, name.hll_keycase)
  end
end

And the UserSession model.

class UserSession < Authlogic::Session::Base

  def username=(name)
    # debugger if ENV['RAILS_ENV'] == 'development'
    @username = name.strip.squeeze(" ").mb_chars.downcase
  end

  def login=(name)
    # debugger if ENV['RAILS_ENV'] == 'development'
    @login = name.strip.squeeze(" ").mb_chars.downcase
  end
end


Given a user "myuser" with password "mypassword", when the user "MyUSer" and password "mypassword" are provided at the login page, then the user "myuser" should be authenticated.

This fails. Authlogic does not modify the user name provided, "MyUSer", to the normalized version, "myuser", before generating the SQL SELECT on the users table.

Processing UserSessionsController#create (for at 2008-12-25
  Session ID: 768fb2537f6d90a7dd005403b6a721c9
  Parameters: {"commit"=>"Login", "user_session"=>{"remember_me"=>"0",
"=>"MyUSer", "password"=>"[FILTERED]"}, "action"=>"create",
  User Load (0.0ms)   SELECT * FROM "users" WHERE ("users"."username" =
Rendering template within layouts/application
Rendering user_sessions/new
  SQL (0.0ms)   SELECT count(*) AS count_all FROM "users" WHERE
 > '2008-12-25 11:48:03')
Completed in 157ms (View: 141, DB: 15) | 200 OK

When this code is run with script/server --debugger and the debug statements are activated then no breakpoint is ever encountered, indicating that the setter method in UserSession is never executed.
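
The mismatch reported above, reduced to plain Ruby as an added example (not code from the ticket or from Authlogic): the username is canonicalised on the write path, so an exact-match lookup succeeds only if the submitted value goes through the same function first. `LoginKey`, `UserStore` and `SessionLookup` are hypothetical names, and `String#downcase` is assumed as a stand-in for `mb_chars.downcase`.

```ruby
# Added illustration, plain Ruby without Rails or Authlogic.
# LoginKey, UserStore and SessionLookup are hypothetical names.
module LoginKey
  # Canonical form from the ticket: strip, collapse repeated spaces, lowercase.
  # String#downcase stands in for ActiveSupport's mb_chars.downcase (assumption).
  def self.normalize(raw)
    raw.to_s.strip.squeeze(" ").downcase
  end
end

class UserStore
  def initialize
    @rows = {}
  end

  # Write path: persist only the canonical username and reject collisions,
  # so "MyUSer" cannot be registered next to "myuser".
  def create(username)
    key = LoginKey.normalize(username)
    raise ArgumentError, "username already taken: #{key}" if @rows.key?(key)
    @rows[key] = { username: key }
  end

  # Exact match, like WHERE "users"."username" = ? in the log above.
  def find_by_username(value)
    @rows[value]
  end
end

class SessionLookup
  def initialize(store, normalize:)
    @store = store
    @normalize = normalize
  end

  # Returns the user row or nil. With normalize: false the raw form value
  # reaches the lookup unchanged, which is the behaviour the ticket reports.
  def find(submitted)
    key = @normalize ? LoginKey.normalize(submitted) : submitted
    @store.find_by_username(key)
  end
end

# Constructed sample data.
STORE = UserStore.new
STORE.create("myuser")
```

Password verification is left out on purpose; the example covers only the username lookup that the logged SELECT performs.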
