Fix for demonstrated security hole if rails version >= 3.0.4

1 parent f3e3e60 commit 28c3e60858cb37eee9e945b20aaa1d7f03d687a6 @MacksMind committed Apr 6, 2011
Showing with 7 additions and 0 deletions.
  1. +7 −0 lib/clearance/authentication.rb
@@ -92,6 +92,13 @@ def deny_access(flash_message = nil)
protected
+ # Rails <= 3.0.3 raises ActionController::InvalidAuthenticityToken in super
+ # Rails >= 3.0.4 simply resets the session, so we need an extra step
+ def handle_unverified_request
+ super
+ sign_out
+ end
+
def user_from_cookie
if token = cookies[:remember_token]
::User.find_by_remember_token(token)
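Review bot: the two-line comment above `handle_unverified_request` states what each Rails version does but not why resetting the session is insufficient here; the reason is visible in the surrounding context, where `user_from_cookie` authenticates from `cookies[:remember_token]`, so a bare `reset_session` leaves a forged-token request authenticated via the remember cookie. Suggest extending the comment to say so, e.g. "Clearance authenticates from the remember_token cookie, so reset_session alone leaves the user signed in; sign_out clears the cookie and token." Also note that on Rails <= 3.0.3 `super` raises before `sign_out` is reached, which is acceptable only because the exception aborts the request; a regression test that issues a request with an invalid authenticity token on Rails >= 3.0.4 and asserts the remember token is cleared would pin that behaviour down.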
