From 9b0b50515993d943f905544c654c9283485a793a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Tue, 15 Feb 2011 20:01:17 +0100
Subject: [PATCH] Implement handle unverified scope.

---
 lib/devise/controllers/helpers.rb     | 14 ++++++++++++++
 test/integration/rememberable_test.rb | 10 ++++++++++
 test/rails_app/config/environment.rb  |  2 +-
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/lib/devise/controllers/helpers.rb b/lib/devise/controllers/helpers.rb
index ef78ccb2e5..7eb334c4a4 100644
--- a/lib/devise/controllers/helpers.rb
+++ b/lib/devise/controllers/helpers.rb
@@ -163,6 +163,20 @@ def sign_out_and_redirect(resource_or_scope)
         redirect_to after_sign_out_path_for(scope)
       end
 
+      # Sign out all active users or scopes. This helper is useful for signing out all roles
+      # in one click. This signs out ALL scopes in warden.
+      def sign_out_all_scopes
+        Devise.mappings.keys.each { |s| warden.user(s) }
+        warden.raw_session.inspect
+        warden.logout
+      end
+
+      # Override Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
+
       # Define authentication filters and accessor helpers based on mappings.
       # These filters should be used inside the controllers as before_filters,
       # so you can control the scope of the user who should be signed in to
diff --git a/test/integration/rememberable_test.rb b/test/integration/rememberable_test.rb
index 61c37d864e..7c10f3116d 100644
--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
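Review bot: `warden.raw_session.inspect` in `sign_out_all_scopes` discards its return value, so it reads as a leftover debug statement; if it is deliberate — for instance to force the session to be loaded before `warden.logout` clears it — it needs a trailing comment saying so, e.g. `warden.raw_session.inspect # force the session to load before logout — confirm this is still required`, and otherwise the line should go. The preceding `Devise.mappings.keys.each { |s| warden.user(s) }` likewise looks like a no-op without a why-comment; presumably it makes warden deserialize every scope's user so that `logout` runs each scope's callbacks (the remember-cookie test added in rememberable_test.rb depends on that), which is worth stating above the line. Signing out every scope here is a sound defence: after a failed authenticity check Rails' `super` only resets the session, so without this override a remember-me cookie could keep the user logged in.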
@@ -69,4 +69,14 @@ def create_user_and_remember(add_to_token='')
     assert_not warden.authenticated?(:user)
     assert_equal cookies['remember_user_token'], ''
   end
+
+  test 'cookies are destroyed on unverified requests' do
+    swap HomeController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
+  end
 end
diff --git a/test/rails_app/config/environment.rb b/test/rails_app/config/environment.rb
index a13c67834f..35cd3264b0 100644
--- a/test/rails_app/config/environment.rb
+++ b/test/rails_app/config/environment.rb
@@ -1,7 +1,7 @@
 # Be sure to restart your server when you modify this file
 
 # Specifies gem version of Rails to use when vendor/rails is not present
-RAILS_GEM_VERSION = '2.3.10' unless defined? RAILS_GEM_VERSION
+RAILS_GEM_VERSION = '2.3.11' unless defined? RAILS_GEM_VERSION
 DEVISE_ORM = :active_record unless defined? DEVISE_ORM
 
 # Bootstrap the Rails environment, frameworks, and default configuration
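Review bot: The new test is named 'cookies are destroyed on unverified requests' but only asserts `warden.authenticated?(:user)`, which may already hold from the session reset alone; to actually cover the remember cookie, add `assert_equal cookies['remember_user_token'], ''` after the final `assert_not`, matching the assertion the preceding test in this file uses. The local `user = create_user_and_remember` is never read, so call it bare as `create_user_and_remember` (or name it `_user`).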