
use :sign_out_via to control the method(s) for the destroy_*_session_…

…path route
1 parent f04e633 commit f3385e96abf50e80d2ae282e1fb9bdad87a83d3c @martinrehfeld martinrehfeld committed with josevalim Aug 13, 2010
Showing with 80 additions and 3 deletions.
  1. +10 −3 lib/devise/rails/routes.rb
  2. +49 −0 test/integration/authenticatable_test.rb
  3. +21 −0 test/routes_test.rb
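--- a/lib/devise/rails/routes.rb
+++ b/lib/devise/rails/routes.rb
@@ -69,6 +69,13 @@ class Mapper
 #
 # devise_for :users, :controllers => { :sessions => "users/sessions" }
 #
+ # * :sign_out_via => the HTTP method(s) accepted for the :sign_out action (default: :get),
+ # if you wish to restrict this to accept only :post or :delete requests you should do:
+ #
+ # devise_for :users, :sign_out_via => [ :post, :delete ]
+ #
+ # You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
+ #
 # * :module => the namespace to find controlers. By default, devise will access devise/sessions,
 # devise/registrations and so on. If you want to namespace all at once, use module:
 #
@@ -192,9 +199,9 @@ def devise_scope(scope)
 def devise_session(mapping, controllers) #:nodoc:
 scope :controller => controllers[:sessions], :as => :session do
- get :new, :path => mapping.path_names[:sign_in]
- post :create, :path => mapping.path_names[:sign_in], :as => ""
- get :destroy, :path => mapping.path_names[:sign_out]
+ get :new, :path => mapping.path_names[:sign_in]
+ post :create, :path => mapping.path_names[:sign_in], :as => ""
+ match :destroy, :path => mapping.path_names[:sign_out], :via => mapping.sign_out_via
 end
 end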
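Review bot: The new `:sign_out_via` documentation keeps `:get` as the default, so an application that does not opt in still destroys the session on a plain GET, which any cross-site link, image tag or link prefetcher can trigger. The comment should give that reason so readers know why to restrict the option, for example by adding `# Restricting sign out to :post or :delete keeps cross-site GET requests and link prefetchers from ending the session.` In `devise_session`, `mapping.sign_out_via` is defined outside this diff; if it can ever be nil, the `match` line would presumably accept every verb, so confirm it always falls back to a concrete method. The comment block edited by the first hunk starts and ends outside it.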
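--- a/test/integration/authenticatable_test.rb
+++ b/test/integration/authenticatable_test.rb
@@ -332,3 +332,52 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
 assert_not warden.authenticated?(:admin)
 end
 end
+
+class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+ def sign_in!(scope)
+ sign_in_as_user(:visit => send("new_#{scope}_session_path"))
+ assert warden.authenticated?(scope)
+ end
+
+ test 'allow sign out via delete when sign_out_via provides only delete' do
+ sign_in!(:sign_out_via_delete)
+ delete destroy_sign_out_via_delete_session_path
+ assert_not warden.authenticated?(:sign_out_via_delete)
+ end
+
+ test 'do not allow sign out via get when sign_out_via provides only delete' do
+ sign_in!(:sign_out_via_delete)
+ get destroy_sign_out_via_delete_session_path
+ assert warden.authenticated?(:sign_out_via_delete)
+ end
+
+ test 'allow sign out via post when sign_out_via provides only post' do
+ sign_in!(:sign_out_via_post)
+ post destroy_sign_out_via_post_session_path
+ assert_not warden.authenticated?(:sign_out_via_post)
+ end
+
+ test 'do not allow sign out via get when sign_out_via provides only post' do
+ sign_in!(:sign_out_via_post)
+ get destroy_sign_out_via_delete_session_path
+ assert warden.authenticated?(:sign_out_via_post)
+ end
+
+ test 'allow sign out via delete when sign_out_via provides delete and post' do
+ sign_in!(:sign_out_via_delete_or_post)
+ delete destroy_sign_out_via_delete_or_post_session_path
+ assert_not warden.authenticated?(:sign_out_via_delete_or_post)
+ end
+
+ test 'allow sign out via post when sign_out_via provides delete and post' do
+ sign_in!(:sign_out_via_delete_or_post)
+ post destroy_sign_out_via_delete_or_post_session_path
+ assert_not warden.authenticated?(:sign_out_via_delete_or_post)
+ end
+
+ test 'do not allow sign out via get when sign_out_via provides delete and post' do
+ sign_in!(:sign_out_via_delete_or_post)
+ get destroy_sign_out_via_delete_or_post_session_path
+ assert warden.authenticated?(:sign_out_via_delete_or_post)
+ end
+end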
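Review bot: The test 'do not allow sign out via get when sign_out_via provides only post' requests `destroy_sign_out_via_delete_session_path`, which is the delete-only scope's route, so it never exercises the post-only route it names. The `:sign_out_via_post` session would likely stay authenticated whatever that scope's route does with GET, so the assertion can pass without checking the restriction. The request line should read `get destroy_sign_out_via_post_session_path`.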
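--- a/test/routes_test.rb
+++ b/test/routes_test.rb
@@ -153,6 +153,27 @@ class CustomizedRoutingTest < ActionController::TestCase
 assert_recognizes({:controller => 'devise/registrations', :action => 'cancel', :locale => 'en'}, '/en/accounts/management/giveup')
 end
+ test 'map deletes with :sign_out_via option' do
+ assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/deletes/sign_out', :method => :delete})
+ assert_raise ActionController::RoutingError do
+ assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/deletes/sign_out', :method => :get})
+ end
+ end
+
+ test 'map posts with :sign_out_via option' do
+ assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/posts/sign_out', :method => :post})
+ assert_raise ActionController::RoutingError do
+ assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/posts/sign_out', :method => :get})
+ end
+ end
+
+ test 'map delete_or_posts with :sign_out_via option' do
+ assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :post})
+ assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :delete})
+ assert_raise ActionController::RoutingError do
+ assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :get})
+ end
+ end
 end
 class ScopedRoutingTest < ActionController::TestCase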
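Review bot: The negative cases in these three routing tests only check that GET is rejected, so a route that accepted every non-GET verb would still pass them. In 'map deletes with :sign_out_via option' a POST should be rejected as well, and in 'map posts with :sign_out_via option' a DELETE, for example `assert_raise(ActionController::RoutingError) { assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/deletes/sign_out', :method => :post}) }`. The enclosing `CustomizedRoutingTest` class starts outside the hunk.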
