SECURITY: Query @usernames in bulk

Otherwise you could add many requests at once while composing.
2025-02-25 18:55:32 -06:00 · 2015-06-12 00:31:43 +10:00
parent 9572b28986
commit c58b495e15
5 changed files with 67 additions and 67 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -175,10 +175,12 @@ class UsersController < ApplicationController
  end

  def is_local_username
-    params.require(:username)
-    u = params[:username].downcase
-    r = User.exec_sql('select 1 from users where username_lower = ?', u).values
-    render json: {valid: r.length == 1}
+    users = params[:usernames]
+    users = [params[:username]] if users.blank?
+    users.each(&:downcase!)
+
+    result = User.where(username_lower: users).pluck(:username_lower)
+    render json: {valid: result}
  end

  def render_available_true