Merge branch 'refactor/session-disable-with-post' into 'master'

Use POST for session disable endpoints (signout & admin mode disable) See merge request gitlab-org/gitlab!22113

Merge branch 'refactor/session-disable-with-post' into 'master'
Use POST for session disable endpoints (signout & admin mode disable) See merge request gitlab-org/gitlab!22113
e74f59af · Bob Van Landuyt · 07dadce8 · 7bc9829e · e74f59af · e74f59af
Commit e74f59af authored Jan 14, 2020 by Bob Van Landuyt
9 changed files
--- a/app/views/errors/_footer.html.haml
+++ b/app/views/errors/_footer.html.haml
@@ -4,7 +4,7 @@
      = link_to s_('Nav|Home'), root_path
    %li
      - if current_user
-        = link_to s_('Nav|Sign out and sign in with a different account'), destroy_user_session_path
+        = link_to s_('Nav|Sign out and sign in with a different account'), destroy_user_session_path, method: :post
      - else
        = link_to s_('Nav|Sign In / Register'), new_session_path(:user, redirect_to_referer: 'yes')
    %li

--- a/app/views/layouts/header/_current_user_dropdown.html.haml
+++ b/app/views/layouts/header/_current_user_dropdown.html.haml
@@ -47,4 +47,4 @@
  - if current_user_menu?(:sign_out)
    %li.divider
    %li
-      = link_to _("Sign out"), destroy_user_session_path, class: "sign-out-link", data: { qa_selector: 'sign_out_link' }
+      = link_to _("Sign out"), destroy_user_session_path, method: :post, class: "sign-out-link", data: { qa_selector: 'sign_out_link' }
--- a/app/views/layouts/nav/_dashboard.html.haml
+++ b/app/views/layouts/nav/_dashboard.html.haml
@@ -55,7 +55,7 @@
          - if Feature.enabled?(:user_mode_in_session)
            - if header_link?(:admin_mode)
              = nav_link(controller: 'admin/sessions') do
-                = link_to destroy_admin_session_path, class: 'd-lg-none lock-open-icon' do
+                = link_to destroy_admin_session_path, method: :post, class: 'd-lg-none lock-open-icon' do
                  = _('Leave Admin Mode')
            - elsif current_user.admin?
              = nav_link(controller: 'admin/sessions') do

--- a/changelogs/unreleased/refactor-session-disable-with-post.yml
+++ b/changelogs/unreleased/refactor-session-disable-with-post.yml
+---
+title: User signout and admin mode disable use now POST instead of GET
+merge_request: 22113
+author: Diego Louzán
+type: other
--- a/config/initializers/8_devise.rb
+++ b/config/initializers/8_devise.rb
@@ -203,7 +203,7 @@ Devise.setup do |config|
  config.navigational_formats = [:"*/*", "*/*", :html, :zip]

  # The default HTTP method used to sign out a resource. Default is :delete.
-  config.sign_out_via = :get
+  config.sign_out_via = :post

  # ==> OmniAuth
  # To configure a new OmniAuth provider copy and edit omniauth.rb.sample

--- a/config/routes/admin.rb
+++ b/config/routes/admin.rb
@@ -24,7 +24,7 @@ namespace :admin do
  end

  resource :session, only: [:new, :create] do
-    get 'destroy', action: :destroy, as: :destroy
+    post 'destroy', action: :destroy, as: :destroy
  end

  resource :impersonation, only: :destroy

--- a/spec/controllers/admin/sessions_controller_spec.rb
+++ b/spec/controllers/admin/sessions_controller_spec.rb
@@ -122,7 +122,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
  describe '#destroy' do
    context 'for regular users' do
      it 'shows error page' do
-        get :destroy
+        post :destroy

        expect(response).to have_gitlab_http_status(404)
        expect(controller.current_user_mode.admin_mode?).to be(false)
@@ -139,7 +139,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
        post :create, params: { password: user.password }
        expect(controller.current_user_mode.admin_mode?).to be(true)

-        get :destroy
+        post :destroy

        expect(response).to have_gitlab_http_status(:found)
        expect(response).to redirect_to(root_path)

--- a/spec/routing/admin_routing_spec.rb
+++ b/spec/routing/admin_routing_spec.rb
@@ -161,3 +161,17 @@ describe Admin::GroupsController, "routing" do
    expect(get("/admin/groups/#{name}/edit")).to route_to('admin/groups#edit', id: name)
  end
 end
+
+describe Admin::SessionsController, "routing" do
+  it "to #new" do
+    expect(get("/admin/session/new")).to route_to('admin/sessions#new')
+  end
+
+  it "to #create" do
+    expect(post("/admin/session")).to route_to('admin/sessions#create')
+  end
+
+  it "to #destroy" do
+    expect(post("/admin/session/destroy")).to route_to('admin/sessions#destroy')
+  end
+end
--- a/spec/routing/routing_spec.rb
+++ b/spec/routing/routing_spec.rb
@@ -256,10 +256,8 @@ describe "Authentication", "routing" do
    expect(post("/users/sign_in")).to route_to('sessions#create')
  end

-  # sign_out with GET instead of DELETE facilitates ad-hoc single-sign-out processes
-  # (https://gitlab.com/gitlab-org/gitlab-foss/issues/39708)
-  it "GET /users/sign_out" do
-    expect(get("/users/sign_out")).to route_to('sessions#destroy')
+  it "POST /users/sign_out" do
+    expect(post("/users/sign_out")).to route_to('sessions#destroy')
  end

  it "POST /users/password" do