From 036a3a37207f4a89d01aad6361e59bd7d7297ba9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karl=20Erik=20=C3=95unapuu?=
Date: Fri, 18 Sep 2020 10:52:14 +0300
Subject: [PATCH] Return empty user object when authorized user not found

---
 app/controllers/registrar/sessions_controller.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 5bebe5619..709e66955 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -158,12 +158,15 @@ class Registrar

 def find_user_by_idc_and_allowed(idc)
 return User.new unless idc
+
 possible_users = ApiUser.where(identity_code: idc) || User.new
 possible_users.each do |selected_user|
- if selected_user.registrar.white_ips.registrar_area.include_ip?(request.ip)
- return selected_user
- end
+ next unless selected_user.registrar.white_ips.registrar_area.include_ip?(request.ip)
+
+ return selected_user
 end
+
+ User.new
 end

 def check_ip_restriction
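Review bot: The new trailing `User.new` in `find_user_by_idc_and_allowed` makes the no-match case return a truthy, unsaved user, so this identity-code plus IP-allowlist check only fails closed if every caller tests the result with something like `persisted?` rather than plain truthiness; the callers are outside this hunk, so that needs confirming. A comment above the method would pin the contract, e.g. `# Returns the first ApiUser with this identity code whose registrar allowlists request.ip, or an unsaved User.new when none does; callers must check persisted? before signing in.` Separately, on the unchanged line `possible_users = ApiUser.where(identity_code: idc) || User.new` the `|| User.new` looks unreachable, because `where` returns a relation that is truthy even when empty, and a `User` would presumably not respond to `each` anyway; `possible_users = ApiUser.where(identity_code: idc)` would be enough. The allowlist decision also rests on `request.ip`, so it is only as trustworthy as the proxy and forwarded-header configuration in front of the app.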