Why returns nil?

Hi everyone, I’d like some help to understand this method:

def self.authenticate(email, submitted_password)
user = find_by_email(email)
return nil if user.nil?
return user if user.has_password?(submitted_password)
# Don’t understand why it doesn’t return user instead of nil
# since ‘user = find_by_email(email)’ was the last evaluated

like the comment, I just don’t get it, if anyone could explain it to me,
please do it.

Thank you

Because returning a user would mean that the answer was ambiguous,
since it is both true-ish (yes, there’s a user at that name) and false
(no, that’s not the right password for that user) at the same time. I
can see why the decision was made to do things that way, since if
authentication fails, you want to return false, not user, since user
is apparently the signature of a successful login. In at least two
authentication frameworks I have looked at, the authors are very clear
about the sort of “no-answer” they give if you fail to log in. They
don’t say which was wrong – username or password – so that there’s
less evidence to go on in a dictionary attack.


since ‘user = find_by_email(email)’ was the last evaluated expression

Wrong. In case user doesn’t match password then last evaluated statement

if user.has_password?(submitted_password)

which is a ‘if modifier’ for ‘return user’ statement; and it returned
nil. See from irb session:

ruby-1.9.2-p0 > true if false
=> nil
ruby-1.9.2-p0 > true if true
=> true

In case ‘if modifier’ evaluates to false it will return nil - which is
exactly your case.


Thank you, I got it now =), I didn’t know that inside if evaluations

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs