sign_out_all_scopes is true by default.

2010-08-23 09:18:39 -03:00 · 2010-08-23 09:18:39 -03:00 · 617b95fdcd
parent ab7f3bc175
commit 617b95fdcd
3 changed files with 26 additions and 9 deletions
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@ -1,3 +1,6 @@
+* deprecations
+  * sign_out_all_scopes defaults to true as security measure
+
 * enhancements
  * Added OAuth 2 support
  * sign_out_via is available in the router to configure the method used for sign out (by github.com/martinrehfeld)
--- a/lib/devise.rb
+++ b/lib/devise.rb
@ -162,7 +162,7 @@ module Devise

  # When set to true, signing out an user signs out all other scopes.
  mattr_accessor :sign_out_all_scopes
-  @@sign_out_all_scopes = false
+  @@sign_out_all_scopes = true

  # The default method used while signing out
  mattr_accessor :sign_out_via
--- a/test/controllers/helpers_test.rb
+++ b/test/controllers/helpers_test.rb
@ -19,9 +19,9 @@ class ControllerAuthenticableTest < ActionController::TestCase
  end

  test 'proxy anybody_signed_in? to signed_in?' do
-    Devise.mappings.keys.each { |scope| # :user, :admin, :manager
+    Devise.mappings.keys.each do |scope| # :user, :admin, :manager
      @controller.expects(:signed_in?).with(scope)
-    }
+    end
    @controller.anybody_signed_in?
  end

@ -185,13 +185,27 @@ class ControllerAuthenticableTest < ActionController::TestCase
    @controller.sign_in_and_redirect(admin)
  end

-  test 'sign out and redirect uses the configured after sign out path' do
+  test 'sign out and redirect uses the configured after sign out path when signing out only the current scope' do
+    swap Devise, :sign_out_all_scopes => false do
      @mock_warden.expects(:user).with(:admin).returns(true)
      @mock_warden.expects(:logout).with(:admin).returns(true)
      @controller.expects(:redirect_to).with(admin_root_path)
      @controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"
      @controller.sign_out_and_redirect(:admin)
    end
+  end
+
+  test 'sign out and redirect uses the configured after sign out path when signing out all scopes' do
+    swap Devise, :sign_out_all_scopes => true do
+      Devise.mappings.keys.each do |scope| # :user, :admin, :manager
+        @mock_warden.expects(:user).with(scope)
+      end
+      @mock_warden.expects(:logout).returns(true)
+      @controller.expects(:redirect_to).with(admin_root_path)
+      @controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"
+      @controller.sign_out_and_redirect(:admin)
+    end
+  end

  test 'is not a devise controller' do
    assert_not @controller.devise_controller?