Fix: Handle nil 'queried_user' in forgot-password POST request #466
Open
cycomachead wants to merge 1 commit into
Add a guard to check if queried_user exists before accessing its username property. This prevents a 500 error when a request provides a non-existent user_id, which previously caused a nil-index exception in the global before_filter.

Co-authored-by: Claude Code <noreply@anthropic.com>
Fix: Guard against nil queried_user in global before_filter

Prevents a 500 crash when the global before_filter receives a request with a user_id that doesn't match any database record. Without this guard, any request carrying a non-existent user_id would crash before the route handler even ran.

Changes

self.queried_user.username in the global before_filter, bringing the user_id branch into parity with the username branch which already handles nil lookups safely

Context

This was surfaced by an automated security scanner sending POST /forgot-password/?user_id=1&hash_check=%25C0 — not a real user action. The legitimate forgot-password form posts to a different URL with a different parameter set and would never trigger this path. However, the bug is real: any request to any route on the site with a stale or non-existent user_id would have hit this crash, so the guard is warranted regardless of the source.
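The failure and the guard described in this pull request, modelled as an added example that is not the project's code. Plain Lua is an assumption about the application's language; find_user_by_id, queried_name, dispatch, handler and the sample user record are hypothetical names and constructed data.

```lua
-- Constructed stand-in for the user table: only user_id 7 exists.
local USERS = { [7] = { id = 7, username = "alice" } }

local function find_user_by_id(id)
  return USERS[tonumber(id)] -- nil for unknown or non-numeric ids
end

-- Unguarded filter: indexes the lookup result without checking it.
local function before_filter_unguarded(self)
  if self.params.user_id then
    self.queried_user = find_user_by_id(self.params.user_id)
    self.queried_name = self.queried_user.username -- errors when nil
  end
end

-- Guarded filter: a failed lookup leaves queried_user nil and moves on.
local function before_filter_guarded(self)
  if self.params.user_id then
    self.queried_user = find_user_by_id(self.params.user_id)
    if self.queried_user then
      self.queried_name = self.queried_user.username
    end
  end
end

-- Minimal dispatcher: run the filter, then the route handler. An uncaught
-- error in either one becomes a 500, as it would in a web framework.
local function dispatch(filter, handler, params)
  local req = { params = params }
  local ok, status = pcall(function()
    filter(req)
    return handler(req)
  end)
  if ok then return status end
  return 500
end

-- Hypothetical route handler: decides itself what a missing user means.
local function handler(req)
  if req.queried_user == nil then return 404 end
  return 200
end

-- Regression checks over constructed requests (1 and "abc" match no user).
assert(dispatch(before_filter_unguarded, handler, { user_id = "7" }) == 200)
assert(dispatch(before_filter_unguarded, handler, { user_id = "1" }) == 500)
assert(dispatch(before_filter_guarded, handler, { user_id = "7" }) == 200)
assert(dispatch(before_filter_guarded, handler, { user_id = "1" }) == 404)
assert(dispatch(before_filter_guarded, handler, { user_id = "abc" }) == 404)
```

The last two assertions are the regression case worth keeping in a test suite: an unmatched or malformed user_id must reach the route handler and produce a deliberate response rather than a 500 from the filter.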