/ - Diff - Redmine

« Previous | Next »

Revision 11289

Use POST instead of GET for logging out (#13022).

       # Log out current user and redirect to welcome page
       def logout
         logout_user
         redirect_to home_url
         if User.current.anonymous?
           redirect_to home_url
         elsif request.post?
           logout_user
           redirect_to home_url
         end
         # display the logout form
       end
       # Lets user choose a new password

trunk/app/views/account/logout.html.erb
	1	<%= form_tag(signout_path) do %>
	2	<p><%= submit_tag l(:label_logout) %></p>
	3	<% end %>
0	4

       menu.push :login, :signin_path, :if => Proc.new { !User.current.logged? }
       menu.push :register, :register_path, :if => Proc.new { !User.current.logged? && Setting.self_registration? }
       menu.push :my_account, { :controller => 'my', :action => 'account' }, :if => Proc.new { User.current.logged? }
       menu.push :logout, :signout_path, :if => Proc.new { User.current.logged? }
       menu.push :logout, :signout_path, :html => {:method => 'post'}, :if => Proc.new { User.current.logged? }
     end
     Redmine::MenuManager.map :application_menu do |menu|

         assert_response 302
       end
       def test_get_logout_should_not_logout
         @request.session[:user_id] = 2
         get :logout
         assert_response :success
         assert_template 'logout'
         assert_equal 2, @request.session[:user_id]
       end
       def test_logout
         @request.session[:user_id] = 2
         get :logout
         post :logout
         assert_redirected_to '/'
         assert_nil @request.session[:user_id]
       end
-...
         @controller.expects(:reset_session).once
         @request.session[:user_id] = 2
         get :logout
         post :logout
         assert_response 302
       end

           :content => %r{warnLeavingUnsaved}
       end
       def test_logout_link_should_post
         @request.session[:user_id] = 2
         get :index
         assert_select 'a[href=/https/www.redmine.org/logout][data-method=post]', :text => 'Sign out'
       end
       def test_call_hook_mixed_in
         assert @controller.respond_to?(:call_hook)
       end

               { :controller => 'account', :action => 'login' }
+            )
         end
         assert_routing(
             { :method => 'get', :path => "/logout" },
             { :controller => 'account', :action => 'logout' }
+          )
         ["get", "post"].each do |method|
           assert_routing(
               { :method => method, :path => "/logout" },
               { :controller => 'account', :action => 'logout' }
+            )
         end
         ["get", "post"].each do |method|
           assert_routing(
               { :method => method, :path => "/account/register" },
               { :controller => 'account', :action => 'register' }
+            )

Also available in: Unified diff