User cannot access sign up and similar pages if he is already signed …

…in through a cookie or token, closes #1036.
commit 4fd866d113d2de94371afe4798f242c1a453c1ab 1 parent a59410a
@josevalim josevalim authored
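--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -3,6 +3,7 @@
 * bug fix
 * password_required? should not affect length validation
+ * User cannot access sign up and similar pages if he is already signed in through a cookie or token
 == 1.3.3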
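--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -43,6 +43,9 @@ module Strategies
 STRATEGIES = ActiveSupport::OrderedHash.new
 URL_HELPERS = ActiveSupport::OrderedHash.new
+ # Strategies that do not require user input.
+ NO_INPUT = []
+
 # True values used to check params
 TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
@@ -293,13 +296,17 @@ def self.add_module(module_name, options = {})
 options.assert_valid_keys(:strategy, :model, :controller, :route)
 if strategy = options[:strategy]
- STRATEGIES[module_name] = (strategy == true ? module_name : strategy)
+ strategy = (strategy == true ? module_name : strategy)
+ STRATEGIES[module_name] = strategy
 end
 if controller = options[:controller]
- CONTROLLERS[module_name] = (controller == true ? module_name : controller)
+ controller = (controller == true ? module_name : controller)
+ CONTROLLERS[module_name] = controller
 end
+ NO_INPUT << strategy if strategy && controller != :sessions
+
 if route = options[:route]
 case route
 when TrueClass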
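Review bot: `NO_INPUT << strategy if strategy && controller != :sessions` on the last added line of the second hunk infers "needs no user input" from the absence of a :sessions controller, so any later add_module call that declares a strategy with some other controller, or no controller at all, is silently treated as safe to run on unauthenticated pages. An explicit opt-in keeps that intent at the declaration site: add :no_input to assert_valid_keys and change the line to `NO_INPUT << strategy if strategy && options[:no_input]`, with lib/devise/modules.rb declaring `s.add_module :rememberable, :no_input => true` (and the same for :token_authenticatable). The array is also appended on every call, so registering a module twice leaves duplicates; `NO_INPUT << strategy unless NO_INPUT.include?(strategy)` keeps it set-like. The comment above NO_INPUT could say why the list exists: `# Strategies that authenticate without user input (cookie, token); require_no_authentication runs them to catch already-signed-in users.` add_module's body continues outside the hunk.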
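--- a/lib/devise/controllers/internal_helpers.rb
+++ b/lib/devise/controllers/internal_helpers.rb
@@ -91,7 +91,8 @@ def build_resource(hash=nil)
 # Example:
 # before_filter :require_no_authentication, :only => :new
 def require_no_authentication
- if warden.authenticated?(resource_name)
+ args = devise_mapping.no_input_strategies.dup.push :scope => resource_name
+ if warden.authenticate?(*args)
 resource = warden.user(resource_name)
 flash[:alert] = I18n.t("devise.failure.already_authenticated")
 redirect_to after_sign_in_path_for(resource)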
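Review bot: `warden.authenticate?(*args)` receives only `:scope => resource_name` when the mapping has no no-input strategies, and if warden then falls back to its default strategies for the scope (as it does when no strategy is named) the sign-up page would run the password strategy against request params for such a model, where the old `authenticated?` only consulted the session. Guard the empty case explicitly: `strategies = devise_mapping.no_input_strategies`, then `if strategies.empty? ? warden.authenticated?(resource_name) : warden.authenticate?(*strategies.dup.push(:scope => resource_name))`. The `dup.push` form is presumably there for Ruby 1.8, where a trailing hash after a splat is not accepted; a short comment saying so, e.g. `# dup.push keeps the splat last for 1.8`, would stop a later cleanup from breaking it. The doc comment above the method should also state that this filter now actively signs the user in from a cookie or token rather than only checking the session. require_no_authentication's body continues past the hunk.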
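--- a/lib/devise/mapping.rb
+++ b/lib/devise/mapping.rb
@@ -85,6 +85,10 @@ def strategies
 @strategies ||= STRATEGIES.values_at(*self.modules).compact.uniq.reverse
 end
+ def no_input_strategies
+ self.strategies & Devise::NO_INPUT
+ end
+
 def routes
 @routes ||= ROUTES.values_at(*self.modules).compact.uniq
 end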
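Review bot: `no_input_strategies` is the only reader in this hunk that recomputes on every call while its neighbours `strategies` and `routes` memoize, and it is now evaluated on each request that passes through require_no_authentication; `@no_input_strategies ||= strategies & Devise::NO_INPUT` keeps it consistent with them (the `self.` receiver is not needed), under the same assumption `strategies` already makes that the registry is complete before the first call. A one-line comment would help readers coming from the controller: `# Strategies of this mapping that authenticate without user input; order follows #strategies.` The order remark holds because Array#& keeps the receiver's order, which the assertions in test/mapping_test.rb depend on.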
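--- a/lib/devise/modules.rb
+++ b/lib/devise/modules.rb
@@ -5,7 +5,7 @@
 d.with_options :strategy => true do |s|
 routes = [nil, :new, :destroy]
 s.add_module :database_authenticatable, :controller => :sessions, :route => { :session => routes }
- s.add_module :token_authenticatable, :controller => :sessions, :route => { :session => routes }
+ s.add_module :token_authenticatable
 s.add_module :rememberable
 end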
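Review bot: dropping `:controller => :sessions, :route => { :session => routes }` from `:token_authenticatable` is what makes it a no-input strategy under the new add_module rule, but it is also a routing change: a model declaring token_authenticatable without database_authenticatable would presumably no longer receive the session routes, and the CHANGELOG entry mentions only the sign-up fix. Either record that in the CHANGELOG or confirm the routes come from elsewhere. A trailing comment on the changed line, `# no :sessions controller, so it is registered in Devise::NO_INPUT`, would make the coupling to lib/devise.rb visible where the module is declared.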
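--- a/test/controllers/internal_helpers_test.rb
+++ b/test/controllers/internal_helpers_test.rb
@@ -39,14 +39,14 @@ def setup
 end
 test 'require no authentication tests current mapping' do
- @mock_warden.expects(:authenticated?).with(:user).returns(true)
+ @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
 @mock_warden.expects(:user).with(:user).returns(User.new)
 @controller.expects(:redirect_to).with(root_path)
 @controller.send :require_no_authentication
 end
 test 'require no authentication sets a flash message' do
- @mock_warden.expects(:authenticated?).with(:user).returns(true)
+ @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
 @mock_warden.expects(:user).with(:user).returns(User.new)
 @controller.expects(:redirect_to).with(root_path)
 @controller.send :require_no_authentication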
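--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
@@ -72,6 +72,13 @@ def cookie_expires(key)
 assert_match /remember_user_token[^\n]*HttpOnly\n/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
 end
+ test 'remember the user before sign up and redirect him to his home' do
+ user = create_user_and_remember
+ get new_user_registration_path
+ assert warden.authenticated?(:user)
+ assert_redirected_to root_path
+ end
+
 test 'cookies are destroyed on unverified requests' do
 swap ApplicationController, :allow_forgery_protection => true do
 user = create_user_and_remember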
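Review bot: the new integration test covers only the cookie path, while the commit message and the `:token_authenticatable` entry in `Devise.mappings[:user].no_input_strategies` say the token path is also meant to redirect away from sign-up; nothing on this page verifies that, so it stays untested unless the token_authenticatable integration suite already has an equivalent. A sibling test there with the same two assertions after a `get new_user_registration_path` carrying a valid token would close the gap. The local `user` on the first line of the new test is assigned but never read; calling `create_user_and_remember` on its own avoids the unused variable.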
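--- a/test/mapping_test.rb
+++ b/test/mapping_test.rb
@@ -50,6 +50,11 @@ def fake_request(path, params={})
 assert_equal [:rememberable, :database_authenticatable], Devise.mappings[:admin].strategies
 end
+ test 'has no input strategies depending on the model declaration' do
+ assert_equal [:rememberable, :token_authenticatable], Devise.mappings[:user].no_input_strategies
+ assert_equal [:rememberable], Devise.mappings[:admin].no_input_strategies
+ end
+
 test 'find scope for a given object' do
 assert_equal :user, Devise::Mapping.find_scope!(User)
 assert_equal :user, Devise::Mapping.find_scope!(:user)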
