Merge pull request refinery#1704 from resolve/username_uniqueness_cas…

…e_insensitivity Fixes refinery#1703
ghoppe · May 26, 2012 · 629b03e · 629b03e
2 parents e32ba57 + 05d0d1d
commit 629b03e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/authentication/app/models/refinery/user.rb b/authentication/app/models/refinery/user.rb
@@ -13,7 +13,8 @@ class User < Refinery::Core::BaseModel
     # Include default devise modules. Others available are:
     # :token_authenticatable, :confirmable, :lockable and :timeoutable
     if self.respond_to?(:devise)
-      devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :authentication_keys => [:login]
+      devise :database_authenticatable, :registerable, :recoverable, :rememberable,
+             :trackable, :validatable, :authentication_keys => [:login]
     end
 
     # Setup accessible (or protected) attributes for your model
@@ -23,6 +24,7 @@ class User < Refinery::Core::BaseModel
     attr_accessible :email, :password, :password_confirmation, :remember_me, :username, :plugins, :login
 
     validates :username, :presence => true, :uniqueness => true
+    before_validation :downcase_username
 
     class << self
       # Find user by email or username.
@@ -77,7 +79,7 @@ def create_first
         save
         # add refinery role
         add_role(:refinery)
-        # add superuser role
+        # add superuser role if there are no other users
         add_role(:superuser) if ::Refinery::Role[:refinery].users.count == 1
         # add plugins
         self.plugins = Refinery::Plugins.registered.in_menu.names
@@ -95,5 +97,13 @@ def to_param
       to_s.parameterize
     end
 
+    private
+    # To ensure uniqueness without case sensitivity we first downcase the username.
+    # We do this here and not in SQL is that it will otherwise bypass indexes using LOWER:
+    # SELECT 1 FROM "refinery_users" WHERE LOWER("refinery_users"."username") = LOWER('UsErNAME') LIMIT 1
+    def downcase_username
+      self.username = self.username.downcase if self.username?
+    end
+
   end
 end
diff --git a/authentication/spec/models/refinery/user_spec.rb b/authentication/spec/models/refinery/user_spec.rb
@@ -68,6 +68,11 @@ module Refinery
         User.create!(attr)
         User.new(attr.merge(:email => "[email protected]")).should_not be_valid
       end
+
+      it "rejects duplicate usernames regardless of case" do
+        User.create!(attr)
+        User.new(attr.merge(:username => attr[:username].upcase, :email => "[email protected]")).should_not be_valid
+      end
     end
 
     describe ".find_for_database_authentication" do

diff --git a/changelog.md b/changelog.md
@@ -13,6 +13,7 @@
 * Match only &dialog, ?dialog, &width, ?width, &height and ?height in dialog querystrings. [#1397](https://github.com/resolve/refinerycms/issues/1397). [Philip Arndt](https://github.com/parndt)
 * Added multiple language support (specified by `Refinery::I18n.frontend_locales`) in `Refinery::Page` seeds file. [#1694](https://github.com/resolve/refinerycms/pull/1694). [Ole Reifschneider](https://github.com/Tranquility)
 * Added `Refinery::Page#canonical` support which allows multiple translations to have one canonical version. [Philip Arndt](https://github.com/parndt)
+* Usernames are validated case insensitively to ensure true uniqueness. [#1703](https://github.com/resolve/refinerycms/issues/1703) [Philip Arndt](https://github.com/parndt)
 
 ## 2.0.4 [14 May 2012]
 * IMPORTANT: Fixed a security issue whereby the user could bypass some access restrictions in the backend. [#1636](https://github.com/resolve/refinerycms/pull/1636). [Rob Yurkowski](https://github.com/robyurkowski) and [Uģis Ozols](https://github.com/ugisozols)