diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index a61a10d94f..514b3f8ee7 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -269,7 +269,7 @@ def login
def logout
@title = t "users.logout.title"
- if params[:session] == session.id
+ if request.post?
if session[:token]
token = UserToken.find_by(:token => session[:token])
token&.destroy
diff --git a/app/views/layouts/_header.html.erb b/app/views/layouts/_header.html.erb
index 6df8f02da2..3963c211e1 100644
--- a/app/views/layouts/_header.html.erb
+++ b/app/views/layouts/_header.html.erb
@@ -102,7 +102,7 @@
<%= yield :greeting %>
- <%= link_to t("layouts.logout"), logout_path(:session => session.id, :referer => request.fullpath), :class => "geolink" %>
+ <%= link_to t("layouts.logout"), logout_path(:referer => request.fullpath), :method => "post", :class => "geolink" %>
diff --git a/app/views/users/logout.html.erb b/app/views/users/logout.html.erb
index 273c7e1b94..5d8e2de492 100644
--- a/app/views/users/logout.html.erb
+++ b/app/views/users/logout.html.erb
@@ -4,6 +4,5 @@
<%= form_tag :action => "logout" do %>
<%= hidden_field_tag("referer", h(params[:referer])) %>
- <%= hidden_field_tag("session", session.id) %>
<%= submit_tag t(".logout_button") %>
<% end %>
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index feca92df56..c40c30b28a 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -344,29 +344,29 @@ def test_save_referer_params
end
def test_logout_without_referer
+ post :logout
+ assert_response :redirect
+ assert_redirected_to root_path
+ end
+
+ def test_logout_with_referer
+ post :logout, :params => { :referer => "/test" }
+ assert_response :redirect
+ assert_redirected_to "/test"
+ end
+
+ def test_logout_fallback_without_referer
get :logout
assert_response :success
assert_template :logout
assert_select "input[name=referer][value=?]", ""
-
- session_id = assert_select("input[name=session]").first["value"]
-
- get :logout, :params => { :session => session_id }
- assert_response :redirect
- assert_redirected_to root_path
end
- def test_logout_with_referer
+ def test_logout_fallback_with_referer
get :logout, :params => { :referer => "/test" }
assert_response :success
assert_template :logout
assert_select "input[name=referer][value=?]", "/test"
-
- session_id = assert_select("input[name=session]").first["value"]
-
- get :logout, :params => { :session => session_id, :referer => "/test" }
- assert_response :redirect
- assert_redirected_to "/test"
end
def test_logout_with_token
@@ -374,16 +374,7 @@ def test_logout_with_token
session[:token] = token.token
- get :logout
- assert_response :success
- assert_template :logout
- assert_select "input[name=referer][value=?]", ""
- assert_equal token.token, session[:token]
- assert_not_nil UserToken.where(:id => token.id).first
-
- session_id = assert_select("input[name=session]").first["value"]
-
- get :logout, :params => { :session => session_id }
+ post :logout
assert_response :redirect
assert_redirected_to root_path
assert_nil session[:token]
diff --git a/test/system/user_logout_test.rb b/test/system/user_logout_test.rb
new file mode 100644
index 0000000000..099d2c0c02
--- /dev/null
+++ b/test/system/user_logout_test.rb
@@ -0,0 +1,48 @@
+require "application_system_test_case"
+
+class UserLogoutTest < ApplicationSystemTestCase
+ test "Sign out via link" do
+ user = create(:user)
+ sign_in_as(user)
+ assert_not page.has_content? "Log In"
+
+ click_on user.display_name
+ click_on "Log Out"
+ assert page.has_content? "Log In"
+ end
+
+ test "Sign out via link with referer" do
+ user = create(:user)
+ sign_in_as(user)
+ visit traces_path
+ assert_not page.has_content? "Log In"
+
+ click_on user.display_name
+ click_on "Log Out"
+ assert page.has_content? "Log In"
+ assert page.has_content? "Public GPS traces"
+ end
+
+ test "Sign out via fallback page" do
+ sign_in_as(create(:user))
+ assert_not page.has_content? "Log In"
+
+ visit logout_path
+ assert page.has_content? "Logout from OpenStreetMap"
+
+ click_button "Logout"
+ assert page.has_content? "Log In"
+ end
+
+ test "Sign out via fallback page with referer" do
+ sign_in_as(create(:user))
+ assert_not page.has_content? "Log In"
+
+ visit logout_path(:referer => "/traces")
+ assert page.has_content? "Logout from OpenStreetMap"
+
+ click_button "Logout"
+ assert page.has_content? "Log In"
+ assert page.has_content? "Public GPS traces"
+ end
+end