-rw-r--r--app/controllers/account_controller.rb8
-rw-r--r--test/functional/account_controller_openid_test.rb10
2 files changed, 18 insertions, 0 deletions
diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index d39fc2ace..a3768d403 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -22,6 +22,14 @@ class AccountController < ApplicationController
# prevents login action to be filtered by check_if_login_required application scope filter
skip_before_filter :check_if_login_required, :check_password_change
+ # Overrides ApplicationController#verify_authenticity_token to disable
+ # token verification on openid callbacks
+ def verify_authenticity_token
+ unless using_open_id?
+ super
+ end
+ end
+
# Login request and validation
def login
if request.get?
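Review bot: The override skips authenticity-token verification for every action of AccountController, not only the OpenID callback the comment names, because `using_open_id?` is the sole condition; if that predicate is derived from request parameters (the open_id_authentication plugin's default keys on `params[:openid_identifier]`), a forged POST to login, register or lost_password that carries that parameter bypasses CSRF protection. Restricting the exemption to the completing request, e.g. `super unless using_open_id? && action_name == 'login' && params[:open_id_complete]`, keeps the rest of the controller covered. Separately, the method is defined in the public section (no `protected` marker precedes it in the hunk) while the Rails base class defines it as protected, so the override also becomes a routable action; placing it under `protected` or adding `hide_action :verify_authenticity_token` avoids that. The class body continues outside the hunk.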
diff --git a/test/functional/account_controller_openid_test.rb b/test/functional/account_controller_openid_test.rb
index d99becc8e..e6c72c145 100644
--- a/test/functional/account_controller_openid_test.rb
+++ b/test/functional/account_controller_openid_test.rb
@@ -131,6 +131,16 @@ class AccountControllerOpenidTest < ActionController::TestCase
assert_select 'input[name=?][value=?]', 'user[identity_url]', 'http://openid.example.com/good_blank_user'
end
+ def test_post_login_should_not_verify_token_when_using_open_id
+ ActionController::Base.allow_forgery_protection = true
+ AccountController.any_instance.stubs(:using_open_id?).returns(true)
+ AccountController.any_instance.stubs(:authenticate_with_open_id).returns(true)
+ post :login
+ assert_response 200
+ ensure
+ ActionController::Base.allow_forgery_protection = false
+ end
+
def test_register_after_login_failure_should_not_require_user_to_enter_a_password
Setting.self_registration = '3'