use :sign_out_via to control the method(s) for the destroy_*_session_path route

2022-11-09 12:18:31 -05:00 · 2010-08-13 17:40:06 +08:00 · 2010-08-13 17:40:06 +08:00 · f3385e96ab
commit f3385e96ab
parent f04e633542
3 changed files with 80 additions and 3 deletions
--- a/lib/devise/rails/routes.rb
+++ b/lib/devise/rails/routes.rb
@ -69,6 +69,13 @@ module ActionDispatch::Routing
    #
    #      devise_for :users, :controllers => { :sessions => "users/sessions" }
    #
+    #  * :sign_out_via => the HTTP method(s) accepted for the :sign_out action (default: :get),
+    #    if you wish to restrict this to accept only :post or :delete requests you should do:
+    #
+    #      devise_for :users, :sign_out_via => [ :post, :delete ]
+    #
+    #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
+    #
    #  * :module => the namespace to find controlers. By default, devise will access devise/sessions,
    #    devise/registrations and so on. If you want to namespace all at once, use module:
    #
@ -194,7 +201,7 @@ module ActionDispatch::Routing
        scope :controller => controllers[:sessions], :as => :session do
          get   :new,     :path => mapping.path_names[:sign_in]
          post  :create,  :path => mapping.path_names[:sign_in], :as => ""
-          get  :destroy, :path => mapping.path_names[:sign_out]
+          match :destroy, :path => mapping.path_names[:sign_out], :via => mapping.sign_out_via
        end
      end
 
--- a/test/integration/authenticatable_test.rb
+++ b/test/integration/authenticatable_test.rb
@ -332,3 +332,52 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
    assert_not warden.authenticated?(:admin)
  end
 end
+
+class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+  def sign_in!(scope)
+    sign_in_as_user(:visit => send("new_#{scope}_session_path"))
+    assert warden.authenticated?(scope)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    delete destroy_sign_out_via_delete_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'allow sign out via post when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    post destroy_sign_out_via_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides delete and post' do
+    sign_in!(:sign_out_via_delete_or_post)
+    delete destroy_sign_out_via_delete_or_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete_or_post)
+  end
+
+  test 'allow sign out via post when sign_out_via provides delete and post' do
+    sign_in!(:sign_out_via_delete_or_post)
+    post destroy_sign_out_via_delete_or_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete_or_post)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides delete and post' do
+    sign_in!(:sign_out_via_delete_or_post)
+    get destroy_sign_out_via_delete_or_post_session_path
+    assert warden.authenticated?(:sign_out_via_delete_or_post)
+  end
+end
--- a/test/routes_test.rb
+++ b/test/routes_test.rb
@ -153,6 +153,27 @@ class CustomizedRoutingTest < ActionController::TestCase
    assert_recognizes({:controller => 'devise/registrations', :action => 'cancel', :locale => 'en'}, '/en/accounts/management/giveup')
  end

+  test 'map deletes with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/deletes/sign_out', :method => :delete})
+    assert_raise ActionController::RoutingError do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/deletes/sign_out', :method => :get})
+    end
+  end
+
+  test 'map posts with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/posts/sign_out', :method => :post})
+    assert_raise ActionController::RoutingError do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/posts/sign_out', :method => :get})
+    end
+  end
+
+  test 'map delete_or_posts with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :post})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :delete})
+    assert_raise ActionController::RoutingError do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :get})
+    end
+  end
 end

 class ScopedRoutingTest < ActionController::TestCase