author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-10-24 10:15:22 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-10-24 10:15:22 +0000 |
commit | 4cd22dcc5595f32519fbb43329e33106127c29b6 (patch) | |
tree | 8d8c35201924edfc5ab522e0193342390a94d212 | |
parent | a371c8d850a2d1941e34fcf908d549438fdf72df (diff) | |
download | redmine-4cd22dcc5595f32519fbb43329e33106127c29b6.tar.gz redmine-4cd22dcc5595f32519fbb43329e33106127c29b6.zip |
Keep track of valid user sessions (#21058).
git-svn-id: http://svn.redmine.org/redmine/trunk@14735 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/controllers/application_controller.rb | 34 | ||||
-rw-r--r-- | app/controllers/my_controller.rb | 5 | ||||
-rw-r--r-- | app/models/token.rb | 12 | ||||
-rw-r--r-- | app/models/user.rb | 24 | ||||
-rw-r--r-- | config/environments/test.rb | 3 | ||||
-rw-r--r-- | db/migrate/20151024082034_add_tokens_updated_on.rb | 10 | ||||
-rw-r--r-- | test/functional/my_controller_test.rb | 12 | ||||
-rw-r--r-- | test/functional/sessions_controller_test.rb | 138 | ||||
-rw-r--r-- | test/functional/sessions_test.rb | 132 | ||||
-rw-r--r-- | test/integration/account_test.rb | 68 | ||||
-rw-r--r-- | test/integration/sessions_test.rb | 97 | ||||
-rw-r--r-- | test/unit/token_test.rb | 13 |
12 files changed, 340 insertions, 208 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f11c04536..98a22463b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -51,7 +51,7 @@ class ApplicationController < ActionController::Base
 end
 end
- before_filter :session_expiration, :user_setup, :force_logout_if_password_changed, :check_if_login_required, :check_password_change, :set_localization
+ before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
 rescue_from ::Unauthorized, :with => :deny_access
 rescue_from ::ActionView::MissingTemplate, :with => :missing_template
@@ -63,36 +63,23 @@ class ApplicationController < ActionController::Base
 include Redmine::SudoMode::Controller
 def session_expiration
- if session[:user_id]
+ if session[:user_id] && Rails.application.config.redmine_verify_sessions != false
 if session_expired? && !try_to_autologin
 set_localization(User.active.find_by_id(session[:user_id]))
 self.logged_user = nil
 flash[:error] = l(:error_session_expired)
 require_login
- else
- session[:atime] = Time.now.utc.to_i
 end
 end
 end
 def session_expired?
- if Setting.session_lifetime?
- unless session[:ctime] && (Time.now.utc.to_i - session[:ctime].to_i <= Setting.session_lifetime.to_i * 60)
- return true
- end
- end
- if Setting.session_timeout?
- unless session[:atime] && (Time.now.utc.to_i - session[:atime].to_i <= Setting.session_timeout.to_i * 60)
- return true
- end
- end
- false
+ ! User.verify_session_token(session[:user_id], session[:tk])
 end
 def start_user_session(user)
 session[:user_id] = user.id
- session[:ctime] = Time.now.utc.to_i
- session[:atime] = Time.now.utc.to_i
+ session[:tk] = user.generate_session_token
 if user.must_change_password?
 session[:pwd] = '1'
 end
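Review bot: `session_expiration` now keys the whole check on `Rails.application.config.redmine_verify_sessions != false`, a setting that this commit assigns only in config/environments/test.rb and documents nowhere else; a comment at the guard should state that setting it to false disables every session check in this filter (lifetime, timeout and the token revocation performed on password change or account lock), e.g. `# redmine_verify_sessions is set to false only in the test environment; it turns off all session checks below`. A second, hedged point: `session_expired?` now delegates to `User.verify_session_token`, which per the user.rb hunk touches the token row with `update_all` on every call, so the predicate is no longer side-effect free and should not be invoked more than once per request — a one-line comment would stop a later caller from reusing it as a pure check. Style: `! User.verify_session_token(...)` would read better as `!User.verify_session_token(...)`.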
@@ -149,18 +136,6 @@ class ApplicationController < ActionController::Base
 user
 end
- def force_logout_if_password_changed
- passwd_changed_on = User.current.passwd_changed_on || Time.at(0)
- # Make sure we force logout only for web browser sessions, not API calls
- # if the password was changed after the session creation.
- if session[:user_id] && passwd_changed_on.utc.to_i > session[:ctime].to_i
- reset_session
- set_localization
- flash[:error] = l(:error_session_expired)
- redirect_to signin_url
- end
- end
-
 def autologin_cookie_name
 Redmine::Configuration['autologin_cookie_name'].presence || 'autologin'
 end
@@ -193,6 +168,7 @@ class ApplicationController < ActionController::Base
 if User.current.logged?
 cookies.delete(autologin_cookie_name)
 Token.delete_all(["user_id = ? AND action = ?", User.current.id, 'autologin'])
+ Token.delete_all(["user_id = ? AND action = ? AND value = ?", User.current.id, 'session', session[:tk]])
 self.logged_user = nil
 end
 end
diff --git a/app/controllers/my_controller.rb b/app/controllers/my_controller.rb
index 1f744a936..9fdc14314 100644
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -103,9 +103,8 @@ class MyController < ApplicationController
 @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
 @user.must_change_passwd = false
 if @user.save
- # Reset the session creation time to not log out this session on next
- # request due to ApplicationController#force_logout_if_password_changed
- session[:ctime] = User.current.passwd_changed_on.utc.to_i
+ # The session token was destroyed by the password change, generate a new one
+ session[:tk] = @user.generate_session_token
 flash[:notice] = l(:notice_account_password_updated)
 redirect_to my_account_path
 end
diff --git a/app/models/token.rb b/app/models/token.rb
index 84e7fc353..e458a92a7 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
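Review bot: The added `Token.delete_all` on logout revokes only the token named in `session[:tk]`, which is the intended behaviour for the simultaneous-session case but is not stated anywhere; a comment above the line such as `# Revoke only this session's token; the user's other sessions stay valid` would make that explicit. When `session[:tk]` is nil (a session opened before this deploy, or verification disabled) the statement runs as `value = NULL` and deletes nothing, which is harmless but worth guarding with `if session[:tk]` to skip a pointless write. The enclosing logout method starts outside the hunk.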
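Review bot: The comment on the new `session[:tk]` line in my_controller.rb should name the mechanism it relies on, since nothing in this controller destroys the token: `# User#destroy_tokens removed all session tokens when the password changed; issue a fresh one so this session survives`. This is only correct because `@user` is presumably the logged-in user (its assignment is outside the hunk); if the action were ever reused for another account the fresh token would be bound to the wrong user, so a comment or a check that `@user == User.current` is worth adding. `generate_session_token` uses `Token.create!`, so a failure there raises after the password has already been saved rather than being reported with the password errors — probably acceptable, but worth knowing.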
@@ -36,7 +36,7 @@ class Token < ActiveRecord::Base
 # Delete all expired tokens
 def self.destroy_expired
- Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api'], Time.now - validity_time).delete_all
+ Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api', 'session'], Time.now - validity_time).delete_all
 end
 # Returns the active user who owns the key for the given action
@@ -79,7 +79,15 @@ class Token < ActiveRecord::Base
 # Removes obsolete tokens (same user and action)
 def delete_previous_tokens
 if user
- Token.where(:user_id => user.id, :action => action).delete_all
+ scope = Token.where(:user_id => user.id, :action => action)
+ if action == 'session'
+ ids = scope.order(:updated_on => :desc).offset(9).ids
+ if ids.any?
+ Token.delete(ids)
+ end
+ else
+ scope.delete_all
+ end
 end
 end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index e133cd02e..4a6109f7d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -394,6 +394,26 @@ class User < Principal
 api_token.value
 end
+ # Generates a new session token and returns its value
+ def generate_session_token
+ token = Token.create!(:user_id => id, :action => 'session')
+ token.value
+ end
+
+ # Returns true if token is a valid session token for the user whose id is user_id
+ def self.verify_session_token(user_id, token)
+ return false if user_id.blank? || token.blank?
+
+ scope = Token.where(:user_id => user_id, :value => token.to_s, :action => 'session')
+ if Setting.session_lifetime?
+ scope = scope.where("created_on > ?", Setting.session_lifetime.to_i.minutes.ago)
+ end
+ if Setting.session_timeout?
+ scope = scope.where("updated_on > ?", Setting.session_timeout.to_i.minutes.ago)
+ end
+ scope.update_all(:updated_on => Time.now) == 1
+ end
+
 # Return an array of project ids for which the user has explicitly turned mail notifications on
 def notified_projects_ids
 @notified_projects_ids ||= memberships.select {|m| m.mail_notification?}.collect(&:project_id)
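Review bot: Excluding 'session' from `destroy_expired` means a session token row is never removed by the periodic cleanup; per the user.rb hunk it is only rejected at verification time when `session_lifetime` or `session_timeout` is enabled, and otherwise only pruned by the per-user cap in `delete_previous_tokens` or deleted on logout, password change or lock. With both settings disabled a token row, and the session cookie carrying its value, therefore stays valid indefinitely (the new functional test with a two-year-old token confirms this). If that is the intent, say so in the comment above the method, e.g. `# Session tokens are excluded: their expiry is enforced by User.verify_session_token and they are capped per user by #delete_previous_tokens`; otherwise consider letting session rows whose updated_on is older than validity_time be cleaned up here as well.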
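Review bot: `offset(9)` in `delete_previous_tokens` encodes a ten-sessions-per-user cap that is otherwise only visible in test/unit/token_test.rb; name it with a class constant, `MAX_SESSION_TOKENS = 10`, and write `scope.order(:updated_on => :desc).offset(MAX_SESSION_TOKENS - 1).ids`. Because `updated_on` is refreshed on every verified request, the rows evicted are the least recently used sessions, which silently logs a user out of their oldest session once the cap is exceeded — that is worth a sentence in the comment above the method. The `if ids.any?` block can be collapsed to `Token.delete(ids) if ids.any?`.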
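Review bot: `verify_session_token` ties its result to the affected-row count of `update_all`, so "valid" now means "exactly one row matched and was updated"; on MySQL that count reflects rows changed rather than rows matched unless the connection sets the FOUND_ROWS flag (the Rails mysql2 adapter does so by default as far as I can tell), so without it two verifications landing in the same second could report 0 and expire a live session. A comment stating the reliance would help, e.g. `# update_all returns the number of matching rows: exactly one means the token is valid and its updated_on was just refreshed`. The scope does not filter on the user's status; that is covered only indirectly by `destroy_tokens` deleting session tokens when a user is locked (second user.rb hunk), which the method comment could mention. The docstring should also say that calling this method has a side effect (it bumps `updated_on`), since the name suggests a pure check.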
@@ -764,8 +784,8 @@ class User < Principal
 # This helps to keep the account secure in case the associated email account
 # was compromised.
 def destroy_tokens
- if hashed_password_changed?
- tokens = ['recovery', 'autologin']
+ if hashed_password_changed? || (status_changed? && !active?)
+ tokens = ['recovery', 'autologin', 'session']
 Token.where(:user_id => id, :action => tokens).delete_all
 end
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 4e5057dd7..645996dce 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -26,6 +26,9 @@ Rails.application.configure do
 # Disable request forgery protection in test environment.
 config.action_controller.allow_forgery_protection = false
+ # Disable sessions verifications in test environment.
+ config.redmine_verify_sessions = false
+
 # Print deprecation notices to stderr and the Rails logger.
 config.active_support.deprecation = [:stderr, :log]
diff --git a/db/migrate/20151024082034_add_tokens_updated_on.rb b/db/migrate/20151024082034_add_tokens_updated_on.rb
new file mode 100644
index 000000000..0af28dc81
--- /dev/null
+++ b/db/migrate/20151024082034_add_tokens_updated_on.rb
@@ -0,0 +1,10 @@
+class AddTokensUpdatedOn < ActiveRecord::Migration
+ def self.up
+ add_column :tokens, :updated_on, :timestamp
+ Token.update_all("updated_on = created_on")
+ end
+
+ def self.down
+ remove_column :tokens, :updated_on
+ end
+end
diff --git a/test/functional/my_controller_test.rb b/test/functional/my_controller_test.rb
index 5a7b33940..92ee24781 100644
--- a/test/functional/my_controller_test.rb
+++ b/test/functional/my_controller_test.rb
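Review bot: The comment above `destroy_tokens` (visible as hunk context: "This helps to keep the account secure in case the associated email account was compromised") still describes only the password-change case, while the condition now also fires when the status changes to a non-active one and the list now includes 'session'; extend it, e.g. `# Also runs when the account is locked or otherwise deactivated, so that all of the user's open sessions are terminated`. The method is presumably a save callback (its registration is outside the hunk), so only changes that go through the model revoke sessions; a status change applied with `update_all` or `update_column` would not, which the comment could note.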
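Review bot: `Token.update_all("updated_on = created_on")` in the migration binds the data backfill to the current `Token` model, so a later default scope, callback or rename on the model changes what this migration does when replayed, and the column just added is not necessarily in the model's cached column list within the same process. The usual forms are `execute "UPDATE tokens SET updated_on = created_on"` or a `Token.reset_column_information` call before the update. A short comment saying why the backfill is needed — `verify_session_token` and `delete_previous_tokens` read `updated_on`, so pre-existing rows must not be NULL — would also help the next reader.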
@@ -185,18 +185,6 @@ class MyControllerTest < ActionController::TestCase
 assert User.try_to_login('jsmith', 'secret123')
 end
- def test_change_password_kills_other_sessions
- @request.session[:ctime] = (Time.now - 30.minutes).utc.to_i
-
- jsmith = User.find(2)
- jsmith.passwd_changed_on = Time.now
- jsmith.save!
-
- get 'account'
- assert_response 302
- assert flash[:error].match(/Your session has expired/)
- end
-
 def test_change_password_should_redirect_if_user_cannot_change_its_password
 User.find(2).update_attribute(:auth_source_id, 1)
diff --git a/test/functional/sessions_controller_test.rb b/test/functional/sessions_controller_test.rb
new file mode 100644
index 000000000..b4adda7fd
--- /dev/null
+++ b/test/functional/sessions_controller_test.rb
@@ -0,0 +1,138 @@ +# Redmine - project management software +# Copyright (C) 2006-2015 Jean-Philippe Lang +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +require File.expand_path('../../test_helper', __FILE__) + +class SessionsControllerTest < ActionController::TestCase + include Redmine::I18n + tests WelcomeController + + fixtures :users, :email_addresses + + def setup + Rails.application.config.redmine_verify_sessions = true + end + + def teardown + Rails.application.config.redmine_verify_sessions = false + end + + def test_session_token_should_be_updated + created = 10.hours.ago + token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) + + get :index, {}, {:user_id => 2, :tk => token.value} + assert_response :success + token.reload + assert_equal created, token.created_on + assert_not_equal created, token.updated_on + assert token.updated_on > created + end + + def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled + created = 2.years.ago + token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) + + with_settings :session_lifetime => '0', :session_timeout => '0' do + get :index, {}, {:user_id => 2, :tk => token.value} + assert_response :success + end + end + + def 
test_user_session_without_token_should_be_reset + get :index, {}, {:user_id => 2} + assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' + end + + def test_expired_user_session_should_be_reset_if_lifetime_enabled + created = 2.days.ago + token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) + + with_settings :session_timeout => '720' do + get :index, {}, {:user_id => 2, :tk => token.value} + assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' + end + end + + def test_valid_user_session_should_not_be_reset_if_lifetime_enabled + created = 3.hours.ago + token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) + + with_settings :session_timeout => '720' do + get :index, {}, {:user_id => 2, :tk => token.value} + assert_response :success + end + end + + def test_expired_user_session_should_be_reset_if_timeout_enabled + created = 4.hours.ago + token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) + + with_settings :session_timeout => '60' do + get :index, {}, {:user_id => 2, :tk => token.value} + assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' + end + end + + def test_valid_user_session_should_not_be_reset_if_timeout_enabled + created = 10.minutes.ago + token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) + + with_settings :session_timeout => '60' do + get :index, {}, {:user_id => 2, :tk => token.value} + assert_response :success + end + end + + def test_expired_user_session_should_be_restarted_if_autologin + created = 2.hours.ago + token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) + + with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do + autologin_token = Token.create!(:user_id => 2, 
:action => 'autologin', :created_on => 1.day.ago) + @request.cookies['autologin'] = autologin_token.value + + get :index, {}, {:user_id => 2, :tk => token.value} + assert_equal 2, session[:user_id] + assert_response :success + assert_not_equal token.value, session[:tk] + end + end + + def test_expired_user_session_should_set_locale + set_language_if_valid 'it' + user = User.find(2) + user.language = 'fr' + user.save! + created = 4.hours.ago + token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created) + + with_settings :session_timeout => '60' do + get :index, {}, {:user_id => user.id, :tk => token.value} + assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' + assert_include "Veuillez vous reconnecter", flash[:error] + assert_equal :fr, current_language + end + end + + def test_anonymous_session_should_not_be_reset + with_settings :session_lifetime => '720', :session_timeout => '60' do + get :index + assert_response :success + end + end +end diff --git a/test/functional/sessions_test.rb b/test/functional/sessions_test.rb deleted file mode 100644 index 9e7032682..000000000 --- a/test/functional/sessions_test.rb +++ /dev/null 
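Review bot: `test_expired_user_session_should_be_reset_if_lifetime_enabled` and `test_valid_user_session_should_not_be_reset_if_lifetime_enabled` enable `:session_timeout => '720'`, not `:session_lifetime`, so the `created_on` branch of `User.verify_session_token` is never exercised by this file; they pass only because each token is created with `updated_on` equal to `created_on`. Change both to `with_settings :session_lifetime => '720' do`, and add a case with an old `created_on` but a fresh `updated_on` so the two limits are told apart. The `setup`/`teardown` pair toggles `Rails.application.config.redmine_verify_sessions` globally and the teardown hard-codes `false` rather than restoring the previous value; saving it in `setup` and restoring it in `teardown` keeps the test independent of config/environments/test.rb.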
@@ -1,132 +0,0 @@ -# Redmine - project management software -# Copyright (C) 2006-2015 Jean-Philippe Lang -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -require File.expand_path('../../test_helper', __FILE__) - -class SessionStartTest < ActionController::TestCase - tests AccountController - - fixtures :users - - def test_login_should_set_session_timestamps - post :login, :username => 'jsmith', :password => 'jsmith' - assert_response 302 - assert_equal 2, session[:user_id] - assert_not_nil session[:ctime] - assert_not_nil session[:atime] - end -end - -class SessionsTest < ActionController::TestCase - include Redmine::I18n - tests WelcomeController - - fixtures :users, :email_addresses - - def test_atime_from_user_session_should_be_updated - created = 2.hours.ago.utc.to_i - get :index, {}, {:user_id => 2, :ctime => created, :atime => created} - assert_response :success - assert_equal created, session[:ctime] - assert_not_equal created, session[:atime] - assert session[:atime] > created - end - - def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled - with_settings :session_lifetime => '0', :session_timeout => '0' do - get :index, {}, {:user_id => 2} - assert_response :success - end - end - - def test_user_session_without_ctime_should_be_reset_if_lifetime_enabled - with_settings 
:session_lifetime => '720' do - get :index, {}, {:user_id => 2} - assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' - end - end - - def test_user_session_with_expired_ctime_should_be_reset_if_lifetime_enabled - with_settings :session_timeout => '720' do - get :index, {}, {:user_id => 2, :atime => 2.days.ago.utc.to_i} - assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' - end - end - - def test_user_session_with_valid_ctime_should_not_be_reset_if_lifetime_enabled - with_settings :session_timeout => '720' do - get :index, {}, {:user_id => 2, :atime => 3.hours.ago.utc.to_i} - assert_response :success - end - end - - def test_user_session_without_atime_should_be_reset_if_timeout_enabled - with_settings :session_timeout => '60' do - get :index, {}, {:user_id => 2} - assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' - end - end - - def test_user_session_with_expired_atime_should_be_reset_if_timeout_enabled - with_settings :session_timeout => '60' do - get :index, {}, {:user_id => 2, :atime => 4.hours.ago.utc.to_i} - assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' - end - end - - def test_user_session_with_valid_atime_should_not_be_reset_if_timeout_enabled - with_settings :session_timeout => '60' do - get :index, {}, {:user_id => 2, :atime => 10.minutes.ago.utc.to_i} - assert_response :success - end - end - - def test_expired_user_session_should_be_restarted_if_autologin - with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do - token = Token.create!(:user_id => 2, :action => 'autologin', :created_on => 1.day.ago) - @request.cookies['autologin'] = token.value - created = 2.hours.ago.utc.to_i - - get :index, {}, {:user_id => 2, :ctime => created, :atime => created} - assert_equal 2, session[:user_id] - assert_response :success - assert_not_equal created, session[:ctime] - assert session[:ctime] >= created - end - end - 
- def test_expired_user_session_should_set_locale - set_language_if_valid 'it' - user = User.find(2) - user.language = 'fr' - user.save! - - with_settings :session_timeout => '60' do - get :index, {}, {:user_id => user.id, :atime => 4.hours.ago.utc.to_i} - assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F' - assert_include "Veuillez vous reconnecter", flash[:error] - assert_equal :fr, current_language - end - end - - def test_anonymous_session_should_not_be_reset - with_settings :session_lifetime => '720', :session_timeout => '60' do - get :index - assert_response :success - end - end -end diff --git a/test/integration/account_test.rb b/test/integration/account_test.rb index 3b5d0606c..38f5da7c9 100644 --- a/test/integration/account_test.rb +++ b/test/integration/account_test.rb 
@@ -30,35 +30,47 @@ class AccountTest < Redmine::IntegrationTest assert_template "my/account" end + def test_login_should_set_session_token + assert_difference 'Token.count' do + log_user('jsmith', 'jsmith') + + assert_equal 2, session[:user_id] + assert_not_nil session[:tk] + end + end + def test_autologin user = User.find(1) - Setting.autologin = "7" Token.delete_all - # User logs in with 'autologin' checked - post '/login', :username => user.login, :password => 'admin', :autologin => 1 - assert_redirected_to '/my/page' - token = Token.first - assert_not_nil token - assert_equal user, token.user - assert_equal 'autologin', token.action - assert_equal user.id, session[:user_id] - assert_equal token.value, cookies['autologin'] - - # Session is cleared - reset! - User.current = nil - # Clears user's last login timestamp - user.update_attribute :last_login_on, nil - assert_nil user.reload.last_login_on - - # User comes back with user's autologin cookie - cookies[:autologin] = token.value - get '/my/page' - assert_response :success - assert_template 'my/page' - assert_equal user.id, session[:user_id] - assert_not_nil user.reload.last_login_on + with_settings :autologin => '7' do + assert_difference 'Token.count', 2 do + # User logs in with 'autologin' checked + post '/login', :username => user.login, :password => 'admin', :autologin => 1 + assert_redirected_to '/my/page' + end + token = Token.where(:action => 'autologin').order(:id => :desc).first + assert_not_nil token + assert_equal user, token.user + assert_equal 'autologin', token.action + assert_equal user.id, session[:user_id] + assert_equal token.value, cookies['autologin'] + + # Session is cleared + reset! 
+ User.current = nil + # Clears user's last login timestamp + user.update_attribute :last_login_on, nil + assert_nil user.reload.last_login_on + + # User comes back with user's autologin cookie + cookies[:autologin] = token.value + get '/my/page' + assert_response :success + assert_template 'my/page' + assert_equal user.id, session[:user_id] + assert_not_nil user.reload.last_login_on + end end def test_autologin_should_use_autologin_cookie_name @@ -69,7 +81,7 @@ class AccountTest < Redmine::IntegrationTest Redmine::Configuration.stubs(:[]).with('sudo_mode_timeout').returns(15) with_settings :autologin => '7' do - assert_difference 'Token.count' do + assert_difference 'Token.count', 2 do post '/login', :username => 'admin', :password => 'admin', :autologin => 1 assert_response 302 end @@ -82,7 +94,7 @@ class AccountTest < Redmine::IntegrationTest get '/my/page' assert_response :success - assert_difference 'Token.count', -1 do + assert_difference 'Token.count', -2 do post '/logout' end assert cookies['custom_autologin'].blank? @@ -119,7 +131,7 @@ class AccountTest < Redmine::IntegrationTest assert_equal 'Password was successfully updated.', flash[:notice] log_user('jsmith', 'newpass123') - assert_equal 0, Token.count + assert_equal false, Token.exists?(token.id), "Password recovery token was not deleted" end def test_user_with_must_change_passwd_should_be_forced_to_change_its_password diff --git a/test/integration/sessions_test.rb b/test/integration/sessions_test.rb new file mode 100644 index 000000000..39a2b8a30 --- /dev/null +++ b/test/integration/sessions_test.rb 
@@ -0,0 +1,97 @@ +# Redmine - project management software +# Copyright (C) 2006-2015 Jean-Philippe Lang +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +require File.expand_path('../../test_helper', __FILE__) + +class SessionsTest < Redmine::IntegrationTest + fixtures :users, :email_addresses, :roles + + def setup + Rails.application.config.redmine_verify_sessions = true + end + + def teardown + Rails.application.config.redmine_verify_sessions = false + end + + def test_change_password_kills_sessions + log_user('jsmith', 'jsmith') + + jsmith = User.find(2) + jsmith.password = "somenewpassword" + jsmith.save! + + get '/my/account' + assert_response 302 + assert flash[:error].match(/Your session has expired/) + end + + def test_lock_user_kills_sessions + log_user('jsmith', 'jsmith') + + jsmith = User.find(2) + assert jsmith.lock! + assert jsmith.activate! + + get '/my/account' + assert_response 302 + assert flash[:error].match(/Your session has expired/) + end + + def test_update_user_does_not_kill_sessions + log_user('jsmith', 'jsmith') + + jsmith = User.find(2) + jsmith.firstname = 'Robert' + jsmith.save! 
+ + get '/my/account' + assert_response 200 + end + + def test_change_password_generates_a_new_token_for_current_session + log_user('jsmith', 'jsmith') + assert_not_nil token = session[:tk] + + get '/my/password' + assert_response 200 + post '/my/password', :password => 'jsmith', + :new_password => 'secret123', + :new_password_confirmation => 'secret123' + assert_response 302 + assert_not_equal token, session[:tk] + + get '/my/account' + assert_response 200 + end + + def test_simultaneous_sessions_should_be_valid + first = open_session do |session| + session.post "/login", :username => 'jsmith', :password => 'jsmith' + end + other = open_session do |session| + session.post "/login", :username => 'jsmith', :password => 'jsmith' + end + + first.get '/my/account' + assert_equal 200, first.response.response_code + first.post '/logout' + + other.get '/my/account' + assert_equal 200, other.response.response_code + end +end diff --git a/test/unit/token_test.rb b/test/unit/token_test.rb index 1d3c83703..95559c569 100644 --- a/test/unit/token_test.rb +++ b/test/unit/token_test.rb @@ -36,6 +36,19 @@ class TokenTest < ActiveSupport::TestCase assert Token.exists?(t2.id) end + def test_create_session_token_should_keep_last_10_tokens + Token.delete_all + user = User.find(1) + + assert_difference 'Token.count', 10 do + 10.times { Token.create!(:user => user, :action => 'session') } + end + + assert_no_difference 'Token.count' do + Token.create!(:user => user, :action => 'session') + end + end + def test_destroy_expired_should_not_destroy_feeds_and_api_tokens Token.delete_all |
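Review bot: In `test_lock_user_kills_sessions` the `assert jsmith.activate!` that follows `lock!` is doing real work — presumably re-activating so that the redirect asserted next can only be caused by the session token having been deleted on lock, not by the account still being locked — and deserves a comment, e.g. `# re-activate: the redirect below must come from the revoked session token, not from the lock`. `test_change_password_kills_sessions` and the lock test check only `flash[:error]` with a regex; asserting the redirect target as the functional tests do (`assert_redirected_to`) would pin the behaviour more tightly.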