User cannot access sign up and similar pages if he is already signed in through a cookie or token, closes #1036.

2011-04-29 08:56:35 +02:00 · 2011-04-29 08:56:35 +02:00 · 4fd866d113
parent a59410a254
commit 4fd866d113
8 changed files with 31 additions and 6 deletions
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@ -3,6 +3,7 @@

 * bug fix
  * password_required? should not affect length validation
+  * User cannot access sign up and similar pages if he is already signed in through a cookie or token

 == 1.3.3

--- a/lib/devise.rb
+++ b/lib/devise.rb
@ -43,6 +43,9 @@ module Devise
  STRATEGIES  = ActiveSupport::OrderedHash.new
  URL_HELPERS = ActiveSupport::OrderedHash.new

+  # Strategies that do not require user input.
+  NO_INPUT = []
+
  # True values used to check params
  TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']

@ -293,13 +296,17 @@ module Devise
    options.assert_valid_keys(:strategy, :model, :controller, :route)

    if strategy = options[:strategy]
-      STRATEGIES[module_name] = (strategy == true ? module_name : strategy)
+      strategy = (strategy == true ? module_name : strategy)
+      STRATEGIES[module_name] = strategy
    end

    if controller = options[:controller]
-      CONTROLLERS[module_name] = (controller == true ? module_name : controller)
+      controller = (controller == true ? module_name : controller)
+      CONTROLLERS[module_name] = controller
    end

+    NO_INPUT << strategy if strategy && controller != :sessions
+
    if route = options[:route]
      case route
      when TrueClass
--- a/lib/devise/controllers/internal_helpers.rb
+++ b/lib/devise/controllers/internal_helpers.rb
@ -91,7 +91,8 @@ MESSAGE
      # Example:
      #   before_filter :require_no_authentication, :only => :new
      def require_no_authentication
-        if warden.authenticated?(resource_name)
+        args = devise_mapping.no_input_strategies.dup.push :scope => resource_name
+        if warden.authenticate?(*args)
          resource = warden.user(resource_name)
          flash[:alert] = I18n.t("devise.failure.already_authenticated")
          redirect_to after_sign_in_path_for(resource)
--- a/lib/devise/mapping.rb
+++ b/lib/devise/mapping.rb
@ -85,6 +85,10 @@ module Devise
      @strategies ||= STRATEGIES.values_at(*self.modules).compact.uniq.reverse
    end

+    def no_input_strategies
+      self.strategies & Devise::NO_INPUT
+    end
+
    def routes
      @routes ||= ROUTES.values_at(*self.modules).compact.uniq
    end
--- a/lib/devise/modules.rb
+++ b/lib/devise/modules.rb
@ -5,7 +5,7 @@ Devise.with_options :model => true do |d|
  d.with_options :strategy => true do |s|
    routes = [nil, :new, :destroy]
    s.add_module :database_authenticatable, :controller => :sessions, :route => { :session => routes }
-    s.add_module :token_authenticatable,    :controller => :sessions, :route => { :session => routes }
+    s.add_module :token_authenticatable
    s.add_module :rememberable
  end

--- a/test/controllers/internal_helpers_test.rb
+++ b/test/controllers/internal_helpers_test.rb
@ -39,14 +39,14 @@ class HelpersTest < ActionController::TestCase
  end

  test 'require no authentication tests current mapping' do
-    @mock_warden.expects(:authenticated?).with(:user).returns(true)
+    @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
    @mock_warden.expects(:user).with(:user).returns(User.new)
    @controller.expects(:redirect_to).with(root_path)
    @controller.send :require_no_authentication
  end

  test 'require no authentication sets a flash message' do
-    @mock_warden.expects(:authenticated?).with(:user).returns(true)
+    @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
    @mock_warden.expects(:user).with(:user).returns(User.new)
    @controller.expects(:redirect_to).with(root_path)
    @controller.send :require_no_authentication
--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
@ -72,6 +72,13 @@ class RememberMeTest < ActionController::IntegrationTest
    assert_match /remember_user_token[^\n]*HttpOnly\n/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
  end

+  test 'remember the user before sign up and redirect him to his home' do
+    user = create_user_and_remember
+    get new_user_registration_path
+    assert warden.authenticated?(:user)
+    assert_redirected_to root_path
+  end
+
  test 'cookies are destroyed on unverified requests' do
    swap ApplicationController, :allow_forgery_protection => true do
      user = create_user_and_remember
--- a/test/mapping_test.rb
+++ b/test/mapping_test.rb
@ -50,6 +50,11 @@ class MappingTest < ActiveSupport::TestCase
    assert_equal [:rememberable, :database_authenticatable], Devise.mappings[:admin].strategies
  end

+  test 'has no input strategies depending on the model declaration' do
+    assert_equal [:rememberable, :token_authenticatable], Devise.mappings[:user].no_input_strategies
+    assert_equal [:rememberable], Devise.mappings[:admin].no_input_strategies
+  end
+
  test 'find scope for a given object' do
    assert_equal :user, Devise::Mapping.find_scope!(User)
    assert_equal :user, Devise::Mapping.find_scope!(:user)