git-svn-id: http://svn.redmine.org/redmine/trunk@14735 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/3.2.0
@@ -51,7 +51,7 @@ class ApplicationController < ActionController::Base | |||
end | |||
end | |||
before_filter :session_expiration, :user_setup, :force_logout_if_password_changed, :check_if_login_required, :check_password_change, :set_localization | |||
before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization | |||
rescue_from ::Unauthorized, :with => :deny_access | |||
rescue_from ::ActionView::MissingTemplate, :with => :missing_template | |||
@@ -63,36 +63,23 @@ class ApplicationController < ActionController::Base | |||
include Redmine::SudoMode::Controller | |||
def session_expiration | |||
if session[:user_id] | |||
if session[:user_id] && Rails.application.config.redmine_verify_sessions != false | |||
if session_expired? && !try_to_autologin | |||
set_localization(User.active.find_by_id(session[:user_id])) | |||
self.logged_user = nil | |||
flash[:error] = l(:error_session_expired) | |||
require_login | |||
else | |||
session[:atime] = Time.now.utc.to_i | |||
end | |||
end | |||
end | |||
def session_expired? | |||
if Setting.session_lifetime? | |||
unless session[:ctime] && (Time.now.utc.to_i - session[:ctime].to_i <= Setting.session_lifetime.to_i * 60) | |||
return true | |||
end | |||
end | |||
if Setting.session_timeout? | |||
unless session[:atime] && (Time.now.utc.to_i - session[:atime].to_i <= Setting.session_timeout.to_i * 60) | |||
return true | |||
end | |||
end | |||
false | |||
! User.verify_session_token(session[:user_id], session[:tk]) | |||
end | |||
def start_user_session(user) | |||
session[:user_id] = user.id | |||
session[:ctime] = Time.now.utc.to_i | |||
session[:atime] = Time.now.utc.to_i | |||
session[:tk] = user.generate_session_token | |||
if user.must_change_password? | |||
session[:pwd] = '1' | |||
end | |||
@@ -149,18 +136,6 @@ class ApplicationController < ActionController::Base | |||
user | |||
end | |||
def force_logout_if_password_changed | |||
passwd_changed_on = User.current.passwd_changed_on || Time.at(0) | |||
# Make sure we force logout only for web browser sessions, not API calls | |||
# if the password was changed after the session creation. | |||
if session[:user_id] && passwd_changed_on.utc.to_i > session[:ctime].to_i | |||
reset_session | |||
set_localization | |||
flash[:error] = l(:error_session_expired) | |||
redirect_to signin_url | |||
end | |||
end | |||
def autologin_cookie_name | |||
Redmine::Configuration['autologin_cookie_name'].presence || 'autologin' | |||
end | |||
@@ -193,6 +168,7 @@ class ApplicationController < ActionController::Base | |||
if User.current.logged? | |||
cookies.delete(autologin_cookie_name) | |||
Token.delete_all(["user_id = ? AND action = ?", User.current.id, 'autologin']) | |||
Token.delete_all(["user_id = ? AND action = ? AND value = ?", User.current.id, 'session', session[:tk]]) | |||
self.logged_user = nil | |||
end | |||
end |
@@ -103,9 +103,8 @@ class MyController < ApplicationController | |||
@user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation] | |||
@user.must_change_passwd = false | |||
if @user.save | |||
# Reset the session creation time to not log out this session on next | |||
# request due to ApplicationController#force_logout_if_password_changed | |||
session[:ctime] = User.current.passwd_changed_on.utc.to_i | |||
# The session token was destroyed by the password change, generate a new one | |||
session[:tk] = @user.generate_session_token | |||
flash[:notice] = l(:notice_account_password_updated) | |||
redirect_to my_account_path | |||
end |
@@ -36,7 +36,7 @@ class Token < ActiveRecord::Base | |||
# Delete all expired tokens | |||
def self.destroy_expired | |||
Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api'], Time.now - validity_time).delete_all | |||
Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api', 'session'], Time.now - validity_time).delete_all | |||
end | |||
# Returns the active user who owns the key for the given action | |||
@@ -79,7 +79,15 @@ class Token < ActiveRecord::Base | |||
# Removes obsolete tokens (same user and action) | |||
def delete_previous_tokens | |||
if user | |||
Token.where(:user_id => user.id, :action => action).delete_all | |||
scope = Token.where(:user_id => user.id, :action => action) | |||
if action == 'session' | |||
ids = scope.order(:updated_on => :desc).offset(9).ids | |||
if ids.any? | |||
Token.delete(ids) | |||
end | |||
else | |||
scope.delete_all | |||
end | |||
end | |||
end | |||
end |
@@ -394,6 +394,26 @@ class User < Principal | |||
api_token.value | |||
end | |||
# Generates a new session token and returns its value | |||
def generate_session_token | |||
token = Token.create!(:user_id => id, :action => 'session') | |||
token.value | |||
end | |||
# Returns true if token is a valid session token for the user whose id is user_id | |||
def self.verify_session_token(user_id, token) | |||
return false if user_id.blank? || token.blank? | |||
scope = Token.where(:user_id => user_id, :value => token.to_s, :action => 'session') | |||
if Setting.session_lifetime? | |||
scope = scope.where("created_on > ?", Setting.session_lifetime.to_i.minutes.ago) | |||
end | |||
if Setting.session_timeout? | |||
scope = scope.where("updated_on > ?", Setting.session_timeout.to_i.minutes.ago) | |||
end | |||
scope.update_all(:updated_on => Time.now) == 1 | |||
end | |||
# Return an array of project ids for which the user has explicitly turned mail notifications on | |||
def notified_projects_ids | |||
@notified_projects_ids ||= memberships.select {|m| m.mail_notification?}.collect(&:project_id) | |||
@@ -764,8 +784,8 @@ class User < Principal | |||
# This helps to keep the account secure in case the associated email account | |||
# was compromised. | |||
def destroy_tokens | |||
if hashed_password_changed? | |||
tokens = ['recovery', 'autologin'] | |||
if hashed_password_changed? || (status_changed? && !active?) | |||
tokens = ['recovery', 'autologin', 'session'] | |||
Token.where(:user_id => id, :action => tokens).delete_all | |||
end | |||
end |
@@ -26,6 +26,9 @@ Rails.application.configure do | |||
# Disable request forgery protection in test environment. | |||
config.action_controller.allow_forgery_protection = false | |||
# Disable sessions verifications in test environment. | |||
config.redmine_verify_sessions = false | |||
# Print deprecation notices to stderr and the Rails logger. | |||
config.active_support.deprecation = [:stderr, :log] | |||
@@ -0,0 +1,10 @@ | |||
class AddTokensUpdatedOn < ActiveRecord::Migration | |||
def self.up | |||
add_column :tokens, :updated_on, :timestamp | |||
Token.update_all("updated_on = created_on") | |||
end | |||
def self.down | |||
remove_column :tokens, :updated_on | |||
end | |||
end |
@@ -185,18 +185,6 @@ class MyControllerTest < ActionController::TestCase | |||
assert User.try_to_login('jsmith', 'secret123') | |||
end | |||
def test_change_password_kills_other_sessions | |||
@request.session[:ctime] = (Time.now - 30.minutes).utc.to_i | |||
jsmith = User.find(2) | |||
jsmith.passwd_changed_on = Time.now | |||
jsmith.save! | |||
get 'account' | |||
assert_response 302 | |||
assert flash[:error].match(/Your session has expired/) | |||
end | |||
def test_change_password_should_redirect_if_user_cannot_change_its_password | |||
User.find(2).update_attribute(:auth_source_id, 1) | |||
@@ -0,0 +1,138 @@ | |||
# Redmine - project management software | |||
# Copyright (C) 2006-2015 Jean-Philippe Lang | |||
# | |||
# This program is free software; you can redistribute it and/or | |||
# modify it under the terms of the GNU General Public License | |||
# as published by the Free Software Foundation; either version 2 | |||
# of the License, or (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program; if not, write to the Free Software | |||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | |||
require File.expand_path('../../test_helper', __FILE__) | |||
class SessionsControllerTest < ActionController::TestCase | |||
include Redmine::I18n | |||
tests WelcomeController | |||
fixtures :users, :email_addresses | |||
def setup | |||
Rails.application.config.redmine_verify_sessions = true | |||
end | |||
def teardown | |||
Rails.application.config.redmine_verify_sessions = false | |||
end | |||
def test_session_token_should_be_updated | |||
created = 10.hours.ago | |||
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) | |||
get :index, {}, {:user_id => 2, :tk => token.value} | |||
assert_response :success | |||
token.reload | |||
assert_equal created, token.created_on | |||
assert_not_equal created, token.updated_on | |||
assert token.updated_on > created | |||
end | |||
def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled | |||
created = 2.years.ago | |||
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) | |||
with_settings :session_lifetime => '0', :session_timeout => '0' do | |||
get :index, {}, {:user_id => 2, :tk => token.value} | |||
assert_response :success | |||
end | |||
end | |||
def test_user_session_without_token_should_be_reset | |||
get :index, {}, {:user_id => 2} | |||
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' | |||
end | |||
def test_expired_user_session_should_be_reset_if_lifetime_enabled | |||
created = 2.days.ago | |||
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) | |||
with_settings :session_timeout => '720' do | |||
get :index, {}, {:user_id => 2, :tk => token.value} | |||
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' | |||
end | |||
end | |||
def test_valid_user_session_should_not_be_reset_if_lifetime_enabled | |||
created = 3.hours.ago | |||
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) | |||
with_settings :session_timeout => '720' do | |||
get :index, {}, {:user_id => 2, :tk => token.value} | |||
assert_response :success | |||
end | |||
end | |||
def test_expired_user_session_should_be_reset_if_timeout_enabled | |||
created = 4.hours.ago | |||
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) | |||
with_settings :session_timeout => '60' do | |||
get :index, {}, {:user_id => 2, :tk => token.value} | |||
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' | |||
end | |||
end | |||
def test_valid_user_session_should_not_be_reset_if_timeout_enabled | |||
created = 10.minutes.ago | |||
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) | |||
with_settings :session_timeout => '60' do | |||
get :index, {}, {:user_id => 2, :tk => token.value} | |||
assert_response :success | |||
end | |||
end | |||
def test_expired_user_session_should_be_restarted_if_autologin | |||
created = 2.hours.ago | |||
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) | |||
with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do | |||
autologin_token = Token.create!(:user_id => 2, :action => 'autologin', :created_on => 1.day.ago) | |||
@request.cookies['autologin'] = autologin_token.value | |||
get :index, {}, {:user_id => 2, :tk => token.value} | |||
assert_equal 2, session[:user_id] | |||
assert_response :success | |||
assert_not_equal token.value, session[:tk] | |||
end | |||
end | |||
def test_expired_user_session_should_set_locale | |||
set_language_if_valid 'it' | |||
user = User.find(2) | |||
user.language = 'fr' | |||
user.save! | |||
created = 4.hours.ago | |||
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) | |||
with_settings :session_timeout => '60' do | |||
get :index, {}, {:user_id => user.id, :tk => token.value} | |||
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' | |||
assert_include "Veuillez vous reconnecter", flash[:error] | |||
assert_equal :fr, current_language | |||
end | |||
end | |||
def test_anonymous_session_should_not_be_reset | |||
with_settings :session_lifetime => '720', :session_timeout => '60' do | |||
get :index | |||
assert_response :success | |||
end | |||
end | |||
end |
@@ -1,132 +0,0 @@ | |||
# Redmine - project management software | |||
# Copyright (C) 2006-2015 Jean-Philippe Lang | |||
# | |||
# This program is free software; you can redistribute it and/or | |||
# modify it under the terms of the GNU General Public License | |||
# as published by the Free Software Foundation; either version 2 | |||
# of the License, or (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program; if not, write to the Free Software | |||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | |||
require File.expand_path('../../test_helper', __FILE__) | |||
class SessionStartTest < ActionController::TestCase | |||
tests AccountController | |||
fixtures :users | |||
def test_login_should_set_session_timestamps | |||
post :login, :username => 'jsmith', :password => 'jsmith' | |||
assert_response 302 | |||
assert_equal 2, session[:user_id] | |||
assert_not_nil session[:ctime] | |||
assert_not_nil session[:atime] | |||
end | |||
end | |||
class SessionsTest < ActionController::TestCase | |||
include Redmine::I18n | |||
tests WelcomeController | |||
fixtures :users, :email_addresses | |||
def test_atime_from_user_session_should_be_updated | |||
created = 2.hours.ago.utc.to_i | |||
get :index, {}, {:user_id => 2, :ctime => created, :atime => created} | |||
assert_response :success | |||
assert_equal created, session[:ctime] | |||
assert_not_equal created, session[:atime] | |||
assert session[:atime] > created | |||
end | |||
def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled | |||
with_settings :session_lifetime => '0', :session_timeout => '0' do | |||
get :index, {}, {:user_id => 2} | |||
assert_response :success | |||
end | |||
end | |||
def test_user_session_without_ctime_should_be_reset_if_lifetime_enabled | |||
with_settings :session_lifetime => '720' do | |||
get :index, {}, {:user_id => 2} | |||
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' | |||
end | |||
end | |||
def test_user_session_with_expired_ctime_should_be_reset_if_lifetime_enabled | |||
with_settings :session_timeout => '720' do | |||
get :index, {}, {:user_id => 2, :atime => 2.days.ago.utc.to_i} | |||
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' | |||
end | |||
end | |||
def test_user_session_with_valid_ctime_should_not_be_reset_if_lifetime_enabled | |||
with_settings :session_timeout => '720' do | |||
get :index, {}, {:user_id => 2, :atime => 3.hours.ago.utc.to_i} | |||
assert_response :success | |||
end | |||
end | |||
def test_user_session_without_atime_should_be_reset_if_timeout_enabled | |||
with_settings :session_timeout => '60' do | |||
get :index, {}, {:user_id => 2} | |||
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' | |||
end | |||
end | |||
def test_user_session_with_expired_atime_should_be_reset_if_timeout_enabled | |||
with_settings :session_timeout => '60' do | |||
get :index, {}, {:user_id => 2, :atime => 4.hours.ago.utc.to_i} | |||
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' | |||
end | |||
end | |||
def test_user_session_with_valid_atime_should_not_be_reset_if_timeout_enabled | |||
with_settings :session_timeout => '60' do | |||
get :index, {}, {:user_id => 2, :atime => 10.minutes.ago.utc.to_i} | |||
assert_response :success | |||
end | |||
end | |||
def test_expired_user_session_should_be_restarted_if_autologin | |||
with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do | |||
token = Token.create!(:user_id => 2, :action => 'autologin', :created_on => 1.day.ago) | |||
@request.cookies['autologin'] = token.value | |||
created = 2.hours.ago.utc.to_i | |||
get :index, {}, {:user_id => 2, :ctime => created, :atime => created} | |||
assert_equal 2, session[:user_id] | |||
assert_response :success | |||
assert_not_equal created, session[:ctime] | |||
assert session[:ctime] >= created | |||
end | |||
end | |||
def test_expired_user_session_should_set_locale | |||
set_language_if_valid 'it' | |||
user = User.find(2) | |||
user.language = 'fr' | |||
user.save! | |||
with_settings :session_timeout => '60' do | |||
get :index, {}, {:user_id => user.id, :atime => 4.hours.ago.utc.to_i} | |||
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' | |||
assert_include "Veuillez vous reconnecter", flash[:error] | |||
assert_equal :fr, current_language | |||
end | |||
end | |||
def test_anonymous_session_should_not_be_reset | |||
with_settings :session_lifetime => '720', :session_timeout => '60' do | |||
get :index | |||
assert_response :success | |||
end | |||
end | |||
end |
@@ -30,35 +30,47 @@ class AccountTest < Redmine::IntegrationTest | |||
assert_template "my/account" | |||
end | |||
def test_login_should_set_session_token | |||
assert_difference 'Token.count' do | |||
log_user('jsmith', 'jsmith') | |||
assert_equal 2, session[:user_id] | |||
assert_not_nil session[:tk] | |||
end | |||
end | |||
def test_autologin | |||
user = User.find(1) | |||
Setting.autologin = "7" | |||
Token.delete_all | |||
# User logs in with 'autologin' checked | |||
post '/login', :username => user.login, :password => 'admin', :autologin => 1 | |||
assert_redirected_to '/my/page' | |||
token = Token.first | |||
assert_not_nil token | |||
assert_equal user, token.user | |||
assert_equal 'autologin', token.action | |||
assert_equal user.id, session[:user_id] | |||
assert_equal token.value, cookies['autologin'] | |||
# Session is cleared | |||
reset! | |||
User.current = nil | |||
# Clears user's last login timestamp | |||
user.update_attribute :last_login_on, nil | |||
assert_nil user.reload.last_login_on | |||
# User comes back with user's autologin cookie | |||
cookies[:autologin] = token.value | |||
get '/my/page' | |||
assert_response :success | |||
assert_template 'my/page' | |||
assert_equal user.id, session[:user_id] | |||
assert_not_nil user.reload.last_login_on | |||
with_settings :autologin => '7' do | |||
assert_difference 'Token.count', 2 do | |||
# User logs in with 'autologin' checked | |||
post '/login', :username => user.login, :password => 'admin', :autologin => 1 | |||
assert_redirected_to '/my/page' | |||
end | |||
token = Token.where(:action => 'autologin').order(:id => :desc).first | |||
assert_not_nil token | |||
assert_equal user, token.user | |||
assert_equal 'autologin', token.action | |||
assert_equal user.id, session[:user_id] | |||
assert_equal token.value, cookies['autologin'] | |||
# Session is cleared | |||
reset! | |||
User.current = nil | |||
# Clears user's last login timestamp | |||
user.update_attribute :last_login_on, nil | |||
assert_nil user.reload.last_login_on | |||
# User comes back with user's autologin cookie | |||
cookies[:autologin] = token.value | |||
get '/my/page' | |||
assert_response :success | |||
assert_template 'my/page' | |||
assert_equal user.id, session[:user_id] | |||
assert_not_nil user.reload.last_login_on | |||
end | |||
end | |||
def test_autologin_should_use_autologin_cookie_name | |||
@@ -69,7 +81,7 @@ class AccountTest < Redmine::IntegrationTest | |||
Redmine::Configuration.stubs(:[]).with('sudo_mode_timeout').returns(15) | |||
with_settings :autologin => '7' do | |||
assert_difference 'Token.count' do | |||
assert_difference 'Token.count', 2 do | |||
post '/login', :username => 'admin', :password => 'admin', :autologin => 1 | |||
assert_response 302 | |||
end | |||
@@ -82,7 +94,7 @@ class AccountTest < Redmine::IntegrationTest | |||
get '/my/page' | |||
assert_response :success | |||
assert_difference 'Token.count', -1 do | |||
assert_difference 'Token.count', -2 do | |||
post '/logout' | |||
end | |||
assert cookies['custom_autologin'].blank? | |||
@@ -119,7 +131,7 @@ class AccountTest < Redmine::IntegrationTest | |||
assert_equal 'Password was successfully updated.', flash[:notice] | |||
log_user('jsmith', 'newpass123') | |||
assert_equal 0, Token.count | |||
assert_equal false, Token.exists?(token.id), "Password recovery token was not deleted" | |||
end | |||
def test_user_with_must_change_passwd_should_be_forced_to_change_its_password |
@@ -0,0 +1,97 @@ | |||
# Redmine - project management software | |||
# Copyright (C) 2006-2015 Jean-Philippe Lang | |||
# | |||
# This program is free software; you can redistribute it and/or | |||
# modify it under the terms of the GNU General Public License | |||
# as published by the Free Software Foundation; either version 2 | |||
# of the License, or (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program; if not, write to the Free Software | |||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | |||
require File.expand_path('../../test_helper', __FILE__) | |||
class SessionsTest < Redmine::IntegrationTest | |||
fixtures :users, :email_addresses, :roles | |||
def setup | |||
Rails.application.config.redmine_verify_sessions = true | |||
end | |||
def teardown | |||
Rails.application.config.redmine_verify_sessions = false | |||
end | |||
def test_change_password_kills_sessions | |||
log_user('jsmith', 'jsmith') | |||
jsmith = User.find(2) | |||
jsmith.password = "somenewpassword" | |||
jsmith.save! | |||
get '/my/account' | |||
assert_response 302 | |||
assert flash[:error].match(/Your session has expired/) | |||
end | |||
def test_lock_user_kills_sessions | |||
log_user('jsmith', 'jsmith') | |||
jsmith = User.find(2) | |||
assert jsmith.lock! | |||
assert jsmith.activate! | |||
get '/my/account' | |||
assert_response 302 | |||
assert flash[:error].match(/Your session has expired/) | |||
end | |||
def test_update_user_does_not_kill_sessions | |||
log_user('jsmith', 'jsmith') | |||
jsmith = User.find(2) | |||
jsmith.firstname = 'Robert' | |||
jsmith.save! | |||
get '/my/account' | |||
assert_response 200 | |||
end | |||
def test_change_password_generates_a_new_token_for_current_session | |||
log_user('jsmith', 'jsmith') | |||
assert_not_nil token = session[:tk] | |||
get '/my/password' | |||
assert_response 200 | |||
post '/my/password', :password => 'jsmith', | |||
:new_password => 'secret123', | |||
:new_password_confirmation => 'secret123' | |||
assert_response 302 | |||
assert_not_equal token, session[:tk] | |||
get '/my/account' | |||
assert_response 200 | |||
end | |||
def test_simultaneous_sessions_should_be_valid | |||
first = open_session do |session| | |||
session.post "/login", :username => 'jsmith', :password => 'jsmith' | |||
end | |||
other = open_session do |session| | |||
session.post "/login", :username => 'jsmith', :password => 'jsmith' | |||
end | |||
first.get '/my/account' | |||
assert_equal 200, first.response.response_code | |||
first.post '/logout' | |||
other.get '/my/account' | |||
assert_equal 200, other.response.response_code | |||
end | |||
end |
@@ -36,6 +36,19 @@ class TokenTest < ActiveSupport::TestCase | |||
assert Token.exists?(t2.id) | |||
end | |||
def test_create_session_token_should_keep_last_10_tokens | |||
Token.delete_all | |||
user = User.find(1) | |||
assert_difference 'Token.count', 10 do | |||
10.times { Token.create!(:user => user, :action => 'session') } | |||
end | |||
assert_no_difference 'Token.count' do | |||
Token.create!(:user => user, :action => 'session') | |||
end | |||
end | |||
def test_destroy_expired_should_not_destroy_feeds_and_api_tokens | |||
Token.delete_all | |||