Commit e74f59af authored by Bob Van Landuyt's avatar Bob Van Landuyt

Merge branch 'refactor/session-disable-with-post' into 'master'

Use POST for session disable endpoints (signout & admin mode disable)

See merge request gitlab-org/gitlab!22113
parents 07dadce8 7bc9829e
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
= link_to s_('Nav|Home'), root_path = link_to s_('Nav|Home'), root_path
%li %li
- if current_user - if current_user
= link_to s_('Nav|Sign out and sign in with a different account'), destroy_user_session_path = link_to s_('Nav|Sign out and sign in with a different account'), destroy_user_session_path, method: :post
- else - else
= link_to s_('Nav|Sign In / Register'), new_session_path(:user, redirect_to_referer: 'yes') = link_to s_('Nav|Sign In / Register'), new_session_path(:user, redirect_to_referer: 'yes')
%li %li
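Review bot: `link_to ..., method: :post` on the sign-out link still renders an anchor whose POST behaviour depends on rails-ujs reading `data-method`; when JavaScript is unavailable or fails to load the browser follows it with a plain GET to `destroy_user_session_path`, which this merge request stops routing, so sign-out silently becomes a 404 instead of ending the session. A `button_to` emits a real form that carries the authenticity token and submits as POST without any script: `= button_to s_('Nav|Sign out and sign in with a different account'), destroy_user_session_path`. The same applies to the `sign-out-link` in the user-dropdown hunk (keep its `class` and `qa_selector` data on the button so existing selectors still match) and to the `destroy_admin_session_path` link in the admin-mode hunk. The enclosing `%ul` of this partial starts outside the hunk.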
...@@ -47,4 +47,4 @@ ...@@ -47,4 +47,4 @@
- if current_user_menu?(:sign_out) - if current_user_menu?(:sign_out)
%li.divider %li.divider
%li %li
= link_to _("Sign out"), destroy_user_session_path, class: "sign-out-link", data: { qa_selector: 'sign_out_link' } = link_to _("Sign out"), destroy_user_session_path, method: :post, class: "sign-out-link", data: { qa_selector: 'sign_out_link' }
...@@ -55,7 +55,7 @@ ...@@ -55,7 +55,7 @@
- if Feature.enabled?(:user_mode_in_session) - if Feature.enabled?(:user_mode_in_session)
- if header_link?(:admin_mode) - if header_link?(:admin_mode)
= nav_link(controller: 'admin/sessions') do = nav_link(controller: 'admin/sessions') do
= link_to destroy_admin_session_path, class: 'd-lg-none lock-open-icon' do = link_to destroy_admin_session_path, method: :post, class: 'd-lg-none lock-open-icon' do
= _('Leave Admin Mode') = _('Leave Admin Mode')
- elsif current_user.admin? - elsif current_user.admin?
= nav_link(controller: 'admin/sessions') do = nav_link(controller: 'admin/sessions') do
---
title: User signout and admin mode disable use now POST instead of GET
merge_request: 22113
author: Diego Louzán
type: other
...@@ -203,7 +203,7 @@ Devise.setup do |config| ...@@ -203,7 +203,7 @@ Devise.setup do |config|
config.navigational_formats = [:"*/*", "*/*", :html, :zip] config.navigational_formats = [:"*/*", "*/*", :html, :zip]
# The default HTTP method used to sign out a resource. Default is :delete. # The default HTTP method used to sign out a resource. Default is :delete.
config.sign_out_via = :get config.sign_out_via = :post
# ==> OmniAuth # ==> OmniAuth
# To configure a new OmniAuth provider copy and edit omniauth.rb.sample # To configure a new OmniAuth provider copy and edit omniauth.rb.sample
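Review bot: `config.sign_out_via = :post` carries no explanation of why POST was chosen over Devise's documented `:delete` default, and the only written rationale for the previous GET (the note referencing https://gitlab.com/gitlab-org/gitlab-foss/issues/39708) is deleted in the routing-spec hunk, so a future reader has no record of either decision. Suggest a comment above the setting, e.g. `# POST rather than the :delete default so a plain HTML form can sign out without JavaScript; not GET so that a cross-site link or image load cannot terminate a session (previous GET rationale: gitlab-foss#39708)`. Whether the ad-hoc single-sign-out flow described in that issue is still needed is not stated anywhere in this merge request and may be worth confirming before it is closed.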
...@@ -24,7 +24,7 @@ namespace :admin do ...@@ -24,7 +24,7 @@ namespace :admin do
end end
resource :session, only: [:new, :create] do resource :session, only: [:new, :create] do
get 'destroy', action: :destroy, as: :destroy post 'destroy', action: :destroy, as: :destroy
end end
resource :impersonation, only: :destroy resource :impersonation, only: :destroy
...@@ -122,7 +122,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do ...@@ -122,7 +122,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
describe '#destroy' do describe '#destroy' do
context 'for regular users' do context 'for regular users' do
it 'shows error page' do it 'shows error page' do
get :destroy post :destroy
expect(response).to have_gitlab_http_status(404) expect(response).to have_gitlab_http_status(404)
expect(controller.current_user_mode.admin_mode?).to be(false) expect(controller.current_user_mode.admin_mode?).to be(false)
...@@ -139,7 +139,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do ...@@ -139,7 +139,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
post :create, params: { password: user.password } post :create, params: { password: user.password }
expect(controller.current_user_mode.admin_mode?).to be(true) expect(controller.current_user_mode.admin_mode?).to be(true)
get :destroy post :destroy
expect(response).to have_gitlab_http_status(:found) expect(response).to have_gitlab_http_status(:found)
expect(response).to redirect_to(root_path) expect(response).to redirect_to(root_path)
...@@ -161,3 +161,17 @@ describe Admin::GroupsController, "routing" do ...@@ -161,3 +161,17 @@ describe Admin::GroupsController, "routing" do
expect(get("/admin/groups/#{name}/edit")).to route_to('admin/groups#edit', id: name) expect(get("/admin/groups/#{name}/edit")).to route_to('admin/groups#edit', id: name)
end end
end end
describe Admin::SessionsController, "routing" do
it "to #new" do
expect(get("/admin/session/new")).to route_to('admin/sessions#new')
end
it "to #create" do
expect(post("/admin/session")).to route_to('admin/sessions#create')
end
it "to #destroy" do
expect(post("/admin/session/destroy")).to route_to('admin/sessions#destroy')
end
end
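Review bot: The new `Admin::SessionsController` routing examples only assert that POST reaches `admin/sessions#destroy`; nothing asserts that the GET form this merge request removes is no longer routable, which is the property the change exists to guarantee and the one most likely to regress silently. Add a negative case next to `"to #destroy"`: `expect(get("/admin/session/destroy")).not_to be_routable`. The same gap exists in the `"Authentication", "routing"` hunk, where the removed `GET /users/sign_out` example could be replaced by `expect(get("/users/sign_out")).not_to be_routable` rather than dropped.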
...@@ -256,10 +256,8 @@ describe "Authentication", "routing" do ...@@ -256,10 +256,8 @@ describe "Authentication", "routing" do
expect(post("/users/sign_in")).to route_to('sessions#create') expect(post("/users/sign_in")).to route_to('sessions#create')
end end
# sign_out with GET instead of DELETE facilitates ad-hoc single-sign-out processes it "POST /users/sign_out" do
# (https://gitlab.com/gitlab-org/gitlab-foss/issues/39708) expect(post("/users/sign_out")).to route_to('sessions#destroy')
it "GET /users/sign_out" do
expect(get("/users/sign_out")).to route_to('sessions#destroy')
end end
it "POST /users/password" do it "POST /users/password" do