From 335d36088f5eb108de1df42222483e8d7ed0d8e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Wed, 14 Sep 2011 16:52:07 -0700
Subject: [PATCH] Instead of depending on mapping.controller[:session], make it explicit when we allow auth from params.
---
 app/controllers/devise/sessions_controller.rb | 1 +
 lib/devise/strategies/authenticatable.rb | 12 +-----------
 2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/app/controllers/devise/sessions_controller.rb b/app/controllers/devise/sessions_controller.rb
index 2bf807b4..0c804e07 100644
--- a/app/controllers/devise/sessions_controller.rb
+++ b/app/controllers/devise/sessions_controller.rb
@@ -1,5 +1,6 @@
 class Devise::SessionsController < ApplicationController
 prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+ before_filter :allow_params_authentication!, :only => :create
 include Devise::Controllers::InternalHelpers
 # GET /resource/sign_in
diff --git a/lib/devise/strategies/authenticatable.rb b/lib/devise/strategies/authenticatable.rb
index e25f6320..a84aa31e 100644
--- a/lib/devise/strategies/authenticatable.rb
+++ b/lib/devise/strategies/authenticatable.rb
@@ -85,17 +85,7 @@ module Devise
 # By default, a request is valid if the controller is allowed and the VERB is POST.
 def valid_request?
- valid_controller? && valid_verb?
- end
-
- # Check if the controller is the one registered for authentication.
- def valid_controller?
- mapping.controllers[:sessions] == params[:controller]
- end
-
- # Check if it was a POST request.
- def valid_verb?
- request.post?
+ env["devise.allow_params_authentication"]
 end
 # If the request is valid, finally check if params_auth_hash returns a hash.
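Review bot: Nothing at the added `before_filter` line in sessions_controller.rb says that it is now the only switch that lets credentials be read from request params, and `allow_params_authentication!` is not defined in this patch, so its effect has to be inferred from the strategy hunk. A one-line comment above the filter would make the intent visible, for example `# Opt in to params authentication only for the action that receives the sign-in form.` Applications that subclass this controller or sign users in from their own actions presumably need the same call, which is worth stating in the upgrade notes.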
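Review bot: The comment kept above `valid_request?` in authenticatable.rb still says a request is valid when the controller is allowed and the verb is POST, but the new body checks neither and only reads `env["devise.allow_params_authentication"]`. It should be updated to something like `# By default, a request is valid only if the controller called allow_params_authentication!.` Because the strategy no longer looks at the verb, any action that sets the flag will accept credentials from params, which may include the query string of a GET and so end up in access logs. If that is not intended, `env["devise.allow_params_authentication"] && request.post?` keeps the old verb guard alongside the explicit opt-in.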