use :sign_out_via to control the method(s) for the destroy_*_session_…

…path route
heartcombo · Aug 13, 2010 · f3385e9 · f3385e9
1 parent f04e633
commit f3385e9
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 3 deletions.
diff --git a/lib/devise/rails/routes.rb b/lib/devise/rails/routes.rb
@@ -69,6 +69,13 @@ class Mapper
     #
     #      devise_for :users, :controllers => { :sessions => "users/sessions" }
     #
+    #  * :sign_out_via => the HTTP method(s) accepted for the :sign_out action (default: :get),
+    #    if you wish to restrict this to accept only :post or :delete requests you should do:
+    #
+    #      devise_for :users, :sign_out_via => [ :post, :delete ]
+    #
+    #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
+    #
     #  * :module => the namespace to find controlers. By default, devise will access devise/sessions,
     #    devise/registrations and so on. If you want to namespace all at once, use module:
     #
@@ -192,9 +199,9 @@ def devise_scope(scope)
 
       def devise_session(mapping, controllers) #:nodoc:
         scope :controller => controllers[:sessions], :as => :session do
-          get  :new,     :path => mapping.path_names[:sign_in]
-          post :create,  :path => mapping.path_names[:sign_in], :as => ""
-          get  :destroy, :path => mapping.path_names[:sign_out]
+          get   :new,     :path => mapping.path_names[:sign_in]
+          post  :create,  :path => mapping.path_names[:sign_in], :as => ""
+          match :destroy, :path => mapping.path_names[:sign_out], :via => mapping.sign_out_via
         end
       end
 

diff --git a/test/integration/authenticatable_test.rb b/test/integration/authenticatable_test.rb
@@ -332,3 +332,52 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert_not warden.authenticated?(:admin)
   end
 end
+
+class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+  def sign_in!(scope)
+    sign_in_as_user(:visit => send("new_#{scope}_session_path"))
+    assert warden.authenticated?(scope)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    delete destroy_sign_out_via_delete_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'allow sign out via post when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    post destroy_sign_out_via_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides delete and post' do
+    sign_in!(:sign_out_via_delete_or_post)
+    delete destroy_sign_out_via_delete_or_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete_or_post)
+  end
+
+  test 'allow sign out via post when sign_out_via provides delete and post' do
+    sign_in!(:sign_out_via_delete_or_post)
+    post destroy_sign_out_via_delete_or_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete_or_post)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides delete and post' do
+    sign_in!(:sign_out_via_delete_or_post)
+    get destroy_sign_out_via_delete_or_post_session_path
+    assert warden.authenticated?(:sign_out_via_delete_or_post)
+  end
+end
diff --git a/test/routes_test.rb b/test/routes_test.rb
@@ -153,6 +153,27 @@ class CustomizedRoutingTest < ActionController::TestCase
     assert_recognizes({:controller => 'devise/registrations', :action => 'cancel', :locale => 'en'}, '/en/accounts/management/giveup')
   end
 
+  test 'map deletes with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/deletes/sign_out', :method => :delete})
+    assert_raise ActionController::RoutingError do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/deletes/sign_out', :method => :get})
+    end
+  end
+
+  test 'map posts with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/posts/sign_out', :method => :post})
+    assert_raise ActionController::RoutingError do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/posts/sign_out', :method => :get})
+    end
+  end
+
+  test 'map delete_or_posts with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :post})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :delete})
+    assert_raise ActionController::RoutingError do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :get})
+    end
+  end
 end
 
 class ScopedRoutingTest < ActionController::TestCase