]> source.dussan.org Git - redmine.git/commitdiff
Do not start user session when accessing atom feed with token-based authentication.
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 6 Jun 2009 10:20:27 +0000 (10:20 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 6 Jun 2009 10:20:27 +0000 (10:20 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2779 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application.rb
test/integration/application_test.rb

index fcf83c92a8f23f4e750e5b9adf0125e7933fafd6..6d6338ffabe138007319f1356a47d06ae9956e25 100644 (file)
@@ -42,19 +42,22 @@ class ApplicationController < ActionController::Base
     # Check the settings cache for each request
     Setting.check_cache
     # Find the current user
-    self.logged_user = find_current_user
+    User.current = find_current_user
   end
   
   # Returns the current user or nil if no user is logged in
+  # and starts a session if needed
   def find_current_user
     if session[:user_id]
       # existing session
       (User.active.find(session[:user_id]) rescue nil)
     elsif cookies[:autologin] && Setting.autologin?
-      # auto-login feature
-      User.try_to_autologin(cookies[:autologin])
-    elsif params[:key] && accept_key_auth_actions.include?(params[:action])
-      # RSS key authentication
+      # auto-login feature starts a new session
+      user = User.try_to_autologin(cookies[:autologin])
+      session[:user_id] = user.id if user
+      user
+    elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
+      # RSS key authentication does not start a session
       User.find_by_rss_key(params[:key])
     end
   end
index dc6fdf39227d33b7f96fe4194734efbefe087a52..fba11e049064ba032f1639dc1f73b529a43264e5 100644 (file)
@@ -20,7 +20,7 @@ require "#{File.dirname(__FILE__)}/../test_helper"
 class ApplicationTest < ActionController::IntegrationTest
   include Redmine::I18n
   
-  fixtures :users
+  fixtures :all
   
   def test_set_localization
     Setting.default_language = 'en'
@@ -42,4 +42,15 @@ class ApplicationTest < ActionController::IntegrationTest
     assert_response :success
     assert_tag :tag => 'h2', :content => 'Projects'
   end
+  
+  def test_token_based_access_should_not_start_session
+    # issue of a private project
+    get 'issues/4.atom'
+    assert_response 302
+    
+    rss_key = User.find(2).rss_key
+    get "issues/4.atom?key=#{rss_key}"
+    assert_response 200
+    assert_nil session[:user_id]
+  end
 end