author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2013-12-22 14:48:46 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2013-12-22 14:48:46 +0000 |
commit | aacaa9da8e256c762a9ca7aa22865d2bca562fd6 (patch) | |
tree | a59aa112d07f9fadfdb41741c0a01587154339c5 | |
parent | 9ebcb1e734935559675dfa14898d2bf8b72eed4e (diff) | |
Merged r12438 (#15735).
git-svn-id: http://svn.redmine.org/redmine/branches/2.4-stable@12444 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/controllers/account_controller.rb | 8 | ||||
-rw-r--r-- | test/functional/account_controller_openid_test.rb | 10 |
2 files changed, 18 insertions, 0 deletions
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index d39fc2ace..a3768d403 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -22,6 +22,14 @@ class AccountController < ApplicationController
 # prevents login action to be filtered by check_if_login_required application scope filter
 skip_before_filter :check_if_login_required, :check_password_change

+ # Overrides ApplicationController#verify_authenticity_token to disable
+ # token verification on openid callbacks
+ def verify_authenticity_token
+ unless using_open_id?
+ super
+ end
+ end
+
 # Login request and validation
 def login
 if request.get?
diff --git a/test/functional/account_controller_openid_test.rb b/test/functional/account_controller_openid_test.rb
index d99becc8e..e6c72c145 100644
--- a/test/functional/account_controller_openid_test.rb
+++ b/test/functional/account_controller_openid_test.rb
@@ -131,6 +131,16 @@ class AccountControllerOpenidTest < ActionController::TestCase
 assert_select 'input[name=?][value=?]', 'user[identity_url]', 'http://openid.example.com/good_blank_user'
 end

+ def test_post_login_should_not_verify_token_when_using_open_id
+ ActionController::Base.allow_forgery_protection = true
+ AccountController.any_instance.stubs(:using_open_id?).returns(true)
+ AccountController.any_instance.stubs(:authenticate_with_open_id).returns(true)
+ post :login
+ assert_response 200
+ ensure
+ ActionController::Base.allow_forgery_protection = false
+ end
+
 def test_register_after_login_failure_should_not_require_user_to_enter_a_password
 Setting.self_registration = '3' |
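Review bot: The `verify_authenticity_token` override skips the CSRF check for every action in `AccountController`, not only the OpenID callback, because it is keyed solely on `using_open_id?`. That predicate is defined outside this hunk; if it is decided from request parameters, any POST to this controller that carries an OpenID parameter would pass without a token, presumably even when OpenID login is disabled. Narrow the exemption to the action that receives the callback, e.g. `super unless action_name == 'login' && using_open_id?`, and consider also requiring that OpenID is enabled in the application settings before skipping the check.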
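Review bot: `test_post_login_should_not_verify_token_when_using_open_id` covers only the exempted path; nothing in this hunk asserts that a POST to `login` without a token is still rejected when `using_open_id?` returns false and forgery protection is on. Add that companion case so a later change to the override cannot silently widen the exemption. The `ensure` also hard-codes `allow_forgery_protection = false` rather than restoring the prior value; `saved = ActionController::Base.allow_forgery_protection` at the top and `ActionController::Base.allow_forgery_protection = saved` in `ensure` would keep the test from leaking state if the test default ever changes.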