author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2009-06-06 10:20:27 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2009-06-06 10:20:27 +0000 |
commit | 9c282842a933e30a40053c72cf5add2ddf2af901 (patch) | |
tree | eaea77d8da56c67390b4aa9104893f3d3a4c3282 | |
parent | 6da0542af48be717378e3885bf8278cc773be6f2 (diff) | |
Do not start user session when accessing atom feed with token-based authentication.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2779 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/controllers/application.rb | 13 | ||||
-rw-r--r-- | test/integration/application_test.rb | 13 |
2 files changed, 20 insertions, 6 deletions
diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index fcf83c92a..6d6338ffa 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -42,19 +42,22 @@ class ApplicationController < ActionController::Base
     # Check the settings cache for each request
     Setting.check_cache
     # Find the current user
-    self.logged_user = find_current_user
+    User.current = find_current_user
   end
 
   # Returns the current user or nil if no user is logged in
+  # and starts a session if needed
   def find_current_user
     if session[:user_id]
       # existing session
       (User.active.find(session[:user_id]) rescue nil)
     elsif cookies[:autologin] && Setting.autologin?
-      # auto-login feature
-      User.try_to_autologin(cookies[:autologin])
-    elsif params[:key] && accept_key_auth_actions.include?(params[:action])
-      # RSS key authentication
+      # auto-login feature starts a new session
+      user = User.try_to_autologin(cookies[:autologin])
+      session[:user_id] = user.id if user
+      user
+    elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
+      # RSS key authentication does not start a session
       User.find_by_rss_key(params[:key])
     end
   end
diff --git a/test/integration/application_test.rb b/test/integration/application_test.rb
index dc6fdf392..fba11e049 100644
--- a/test/integration/application_test.rb
+++ b/test/integration/application_test.rb
@@ -20,7 +20,7 @@ require "#{File.dirname(__FILE__)}/../test_helper"
 class ApplicationTest < ActionController::IntegrationTest
   include Redmine::I18n
 
-  fixtures :users
+  fixtures :all
 
   def test_set_localization
     Setting.default_language = 'en'
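Review bot: The key-auth branch returns `User.find_by_rss_key(params[:key])` unfiltered, whereas the session branch only accepts `User.active`; unless `find_by_rss_key` checks the user's status itself (not visible in this hunk), a locked account's feed token would still authenticate, so either confirm that or apply the same status check here. The autologin branch now writes `session[:user_id] = user.id if user` without rotating the session id; if the regular login path calls `reset_session`, doing the same before this assignment keeps both paths equally resistant to session fixation. The method whose `end` closes at the top of the hunk starts outside it. A short comment on the new `params[:format] == 'atom'` guard would record the intent for the next reader, e.g. `# key auth is honoured for atom requests only and never starts a session`.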
@@ -42,4 +42,15 @@ class ApplicationTest < ActionController::IntegrationTest
     assert_response :success
     assert_tag :tag => 'h2', :content => 'Projects'
   end
+
+  def test_token_based_access_should_not_start_session
+    # issue of a private project
+    get 'issues/4.atom'
+    assert_response 302
+
+    rss_key = User.find(2).rss_key
+    get "issues/4.atom?key=#{rss_key}"
+    assert_response 200
+    assert_nil session[:user_id]
+  end
 end
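Review bot: The new test exercises only the atom path, so the `params[:format] == 'atom'` guard introduced in application.rb has no coverage; a companion request such as `get "issues/4?key=#{rss_key}"` followed by an assertion that the response is not 200 and that `session[:user_id]` is still nil would pin that a feed key is not honoured for HTML actions. It would also be worth asserting that the key-authenticated feed request does not set any session cookie at all, since `assert_nil session[:user_id]` only checks one key of the session. The test method is complete within the hunk; the class closes at the final `end`.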