Fix handle unverified request.

heartcombo · Feb 16, 2011 · d8dedec · d8dedec
1 parent b328655
commit d8dedec
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/lib/devise/controllers/helpers.rb b/lib/devise/controllers/helpers.rb
@@ -182,6 +182,12 @@ def sign_out_and_redirect(resource_or_scope)
         redirect_to after_sign_out_path_for(scope)
       end
 
+      # Override Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
+
       # Define authentication filters and accessor helpers based on mappings.
       # These filters should be used inside the controllers as before_filters,
       # so you can control the scope of the user who should be signed in to

diff --git a/test/integration/rememberable_test.rb b/test/integration/rememberable_test.rb
@@ -48,6 +48,16 @@ def cookie_expires(key)
     end
   end
 
+  test 'cookies are destroyed on unverified requests' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
   test 'remember the user before sign in' do
     user = create_user_and_remember
     get users_path