Fixes #3316 - X-On-Behalf-Of does not downcase input.

app/controllers/application_controller/has_user.rb

@@ -47,8 +47,7 @@ module ApplicationController::HasUser
 
     # find user for execution based on the header
     %i[id login email].each do |field|
-      search_attributes = {}
+      search_attributes = search_attributes(field)
-      search_attributes[field] = request.headers['X-On-Behalf-Of']
       @_user_on_behalf = User.find_by(search_attributes)
       next if !@_user_on_behalf
 
@@ -59,6 +58,15 @@ module ApplicationController::HasUser
     raise Exceptions::NotAuthorized, "No such user '#{request.headers['X-On-Behalf-Of']}'"
   end
 
+  def search_attributes(field)
+    search_attributes = {}
+    search_attributes[field] = request.headers['X-On-Behalf-Of']
+    if %i[login email].include?(field)
+      search_attributes[field] = search_attributes[field].to_s.downcase.strip
+    end
+    search_attributes
+  end
+
   def current_user_set(user, auth_type = 'session')
     session[:user_id] = user.id
     @_auth_type = auth_type

spec/requests/api_auth_on_behalf_of_spec.rb

@@ -32,6 +32,24 @@ RSpec.describe 'Api Auth On Behalf Of', type: :request do
       expect(customer.id).to eq(json_response['created_by_id'])
     end
 
+    it 'does X-On-Behalf-Of auth - ticket create admin for customer by login (upcase)' do
+      params = {
+        title:       'a new ticket #3',
+        group:       'Users',
+        priority:    '2 normal',
+        state:       'new',
+        customer_id: customer.id,
+        article:     {
+          body: 'some test 123',
+        },
+      }
+      authenticated_as(admin, on_behalf_of: customer.login.upcase)
+      post '/api/v1/tickets', params: params, as: :json
+      expect(response).to have_http_status(:created)
+      expect(json_response).to be_a_kind_of(Hash)
+      expect(customer.id).to eq(json_response['created_by_id'])
+    end
+
     it 'does X-On-Behalf-Of auth - ticket create admin for customer by login' do
       ActivityStream.cleanup(1.year)