Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Modified sessions controller to return 401 for destroy action with no user signed in #4878

Merged
merged 4 commits into from
Dec 28, 2018
Merged

Modified sessions controller to return 401 for destroy action with no user signed in #4878

merged 4 commits into from
Dec 28, 2018
+16 −5

Conversation

aamarill
Copy link

@aamarill aamarill commented May 18, 2018
edited
Loading

This PR is for issue #4782 @tegon
To clarify the 3 tests added:

1. Authenticated non-navigational request - returns 204.

  • This was the original behavior before I made any changes. I simply added this test to ensure this was not broken after my implementation.

2. Unauthenticated non-navigational request - returns 401.

  • This is the new behavior added.

3. Unauthenticated navigational request - returns 302.

  • This was the original behavior before I made any changes. I simply added this test to ensure this was not broken after my implementation.

feliperenan
feliperenan reviewed Jun 5, 2018
View reviewed changes
app/controllers/devise/sessions_controller.rb Outdated
@@ -62,7 +62,10 @@ def verify_signed_out_user
if all_signed_out?
set_flash_message! :notice, :already_signed_out

respond_to_on_destroy
respond_to do |format|
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could avoid the respond_to duplication changing the #respond_to_on_destroy to accept the status as parameter, something like this:

def respond_to_on_destroy(status: :no_content)
  respond_to do |format|
    format.all { head status }
    format.any(*navigational_formats) { redirect_to after_sign_out_path_for(resource_name) }
  end
end

Then, here we just do respond_to_on_destroy(status: :unauthorized). WDTY?

Copy link
Collaborator

@feliperenan feliperenan Jun 5, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe the default :no_content isn't a good idea. I like the idea to have the status explicited in the caller.

respond_to_on_destroy(status: :no_content)
respond_to_on_destroy(status: :unauthorized)

feliperenan
feliperenan reviewed Jun 5, 2018
View reviewed changes
test/controllers/sessions_controller_test.rb Outdated
@@ -88,6 +88,30 @@ class SessionsControllerTest < Devise::ControllerTestCase
assert_equal 204, @response.status
end

test "#destroy returns 204 status if the requested format is not navigational" do
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This behavior is already tested in the test above. IMHO changing the test name would be enough.

#destroy doesn't set the flash and returns 204 status if the requested format is not navigational

feliperenan
feliperenan reviewed Jun 5, 2018
View reviewed changes
test/controllers/sessions_controller_test.rb
assert_equal 401, @response.status
end

test "#destroy returns 302 status if user is not signed in and the requested format is navigational" do
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👏

@tegon
Copy link
Member

tegon commented Dec 27, 2018

@aamarill are you still going to work on this?

I'm asking to know if I should assign it to someone else.

@aamarill
Copy link
Author

@tegon please go ahead and assign to someone else. Thank you

@tegon tegon added this to the 5.0 milestone Dec 28, 2018
@tegon tegon changed the base branch from master to 5-rc December 28, 2018 13:17
@tegon tegon merged commit 31dd92b into heartcombo:5-rc Dec 28, 2018
@tegon
Copy link
Member

tegon commented Dec 28, 2018

@aamarill Since the changes were small, I committed them directly to your branch. Thanks for your contribution!

@tegon tegon mentioned this pull request Dec 28, 2018
Closed
tegon pushed a commit that referenced this pull request Jan 2, 2019
@tegon
Modified sessions controller to return 401 for destroy action with no…
028704b 
… user signed in (#4878)
feliperenan pushed a commit that referenced this pull request Jan 18, 2019
@feliperenan
Modified sessions controller to return 401 for destroy action with no…
c2dba74 
… user signed in (#4878)
feliperenan pushed a commit that referenced this pull request Jan 28, 2019
@feliperenan
Modified sessions controller to return 401 for destroy action with no…
383f2ae 
… user signed in (#4878)
feliperenan pushed a commit that referenced this pull request Jan 28, 2019
@feliperenan
Modified sessions controller to return 401 for destroy action with no…
059bebe 
… user signed in (#4878)
feliperenan pushed a commit that referenced this pull request Jan 29, 2019
@feliperenan
Modified sessions controller to return 401 for destroy action with no…
59b1d94 
… user signed in (#4878)
tegon pushed a commit that referenced this pull request Feb 15, 2019
@tegon
Modified sessions controller to return 401 for destroy action with no…
45c6f5c 
… user signed in (#4878)
mracos pushed a commit that referenced this pull request Sep 19, 2019
@mracos
Modified sessions controller to return 401 for destroy action with no…
195cbfb 
… user signed in (#4878)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@feliperenan feliperenan feliperenan left review comments

Assignees
No one assigned
Labels
Needs more work
Milestone
5.0
Development

Successfully merging this pull request may close these issues.
3 participants
@aamarill @tegon @feliperenan