[8.x] Protect against ambiguous columns (#43278)

BenWalters · web-flow · commit a6d93077216e · 2022-07-19T08:56:28.000-05:00
* [8.x] Protect against ambiguous columns Resolving #43274 * Updating tests.
diff --git a/src/Illuminate/Auth/EloquentUserProvider.php b/src/Illuminate/Auth/EloquentUserProvider.php
@@ -49,7 +49,7 @@ public function retrieveById($identifier)
         $model = $this->createModel();
 
         return $this->newModelQuery($model)
-                    ->where($model->getAuthIdentifierName(), $identifier)
+                    ->where($model->qualifyColumn($model->getAuthIdentifierName()), $identifier)
                     ->first();
     }
 
@@ -65,7 +65,7 @@ public function retrieveByToken($identifier, $token)
         $model = $this->createModel();
 
         $retrievedModel = $this->newModelQuery($model)->where(
-            $model->getAuthIdentifierName(), $identifier
+            $model->qualifyColumn($model->getAuthIdentifierName()), $identifier
         )->first();
 
         if (! $retrievedModel) {
diff --git a/tests/Auth/AuthEloquentUserProviderTest.php b/tests/Auth/AuthEloquentUserProviderTest.php
@@ -22,7 +22,8 @@ public function testRetrieveByIDReturnsUser()
         $mock = m::mock(stdClass::class);
         $mock->shouldReceive('newQuery')->once()->andReturn($mock);
         $mock->shouldReceive('getAuthIdentifierName')->once()->andReturn('id');
-        $mock->shouldReceive('where')->once()->with('id', 1)->andReturn($mock);
+        $mock->shouldReceive('qualifyColumn')->with('id')->andReturn('users.id');
+        $mock->shouldReceive('where')->once()->with('users.id', 1)->andReturn($mock);
         $mock->shouldReceive('first')->once()->andReturn('bar');
         $provider->expects($this->once())->method('createModel')->willReturn($mock);
         $user = $provider->retrieveById(1);
@@ -39,7 +40,8 @@ public function testRetrieveByTokenReturnsUser()
         $mock = m::mock(stdClass::class);
         $mock->shouldReceive('newQuery')->once()->andReturn($mock);
         $mock->shouldReceive('getAuthIdentifierName')->once()->andReturn('id');
-        $mock->shouldReceive('where')->once()->with('id', 1)->andReturn($mock);
+        $mock->shouldReceive('qualifyColumn')->with('id')->andReturn('users.id');
+        $mock->shouldReceive('where')->once()->with('users.id', 1)->andReturn($mock);
         $mock->shouldReceive('first')->once()->andReturn($mockUser);
         $provider->expects($this->once())->method('createModel')->willReturn($mock);
         $user = $provider->retrieveByToken(1, 'a');
@@ -53,7 +55,8 @@ public function testRetrieveTokenWithBadIdentifierReturnsNull()
         $mock = m::mock(stdClass::class);
         $mock->shouldReceive('newQuery')->once()->andReturn($mock);
         $mock->shouldReceive('getAuthIdentifierName')->once()->andReturn('id');
-        $mock->shouldReceive('where')->once()->with('id', 1)->andReturn($mock);
+        $mock->shouldReceive('qualifyColumn')->with('id')->andReturn('users.id');
+        $mock->shouldReceive('where')->once()->with('users.id', 1)->andReturn($mock);
         $mock->shouldReceive('first')->once()->andReturn(null);
         $provider->expects($this->once())->method('createModel')->willReturn($mock);
         $user = $provider->retrieveByToken(1, 'a');
@@ -78,7 +81,8 @@ public function testRetrieveByBadTokenReturnsNull()
         $mock = m::mock(stdClass::class);
         $mock->shouldReceive('newQuery')->once()->andReturn($mock);
         $mock->shouldReceive('getAuthIdentifierName')->once()->andReturn('id');
-        $mock->shouldReceive('where')->once()->with('id', 1)->andReturn($mock);
+        $mock->shouldReceive('qualifyColumn')->with('id')->andReturn('users.id');
+        $mock->shouldReceive('where')->once()->with('users.id', 1)->andReturn($mock);
         $mock->shouldReceive('first')->once()->andReturn($mockUser);
         $provider->expects($this->once())->method('createModel')->willReturn($mock);
         $user = $provider->retrieveByToken(1, 'a');
