Prevent submission of login and reset password forms from logged in u…
arandomandy authored and pushcx committed Sep 18, 2019
1 parent b422591 commit 32b5a79
Showing 3 changed files with 18 additions and 4 deletions.
4 changes: 4 additions & 0 deletions app/controllers/application_controller.rb
Expand Up @@ -122,6 +122,10 @@ def require_logged_in_user_or_400
end
end

def require_no_user_or_redirect
return redirect_to "/" if @user
end

def tags_filtered_by_cookie
@_tags_filtered ||= Tag.where(
:tag => cookies[TAG_FILTER_COOKIE].to_s.split(",")
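Review bot: `require_no_user_or_redirect` silently depends on `@user` having been populated before it runs, and nothing at the definition says so. Because it sits in ApplicationController for reuse as a `before_action`, a controller that registers it ahead of its authentication callback would see `@user` as nil and let the request through with no error. I would add a comment above the method along the lines of `# Must run after the callback that sets @user (presumably authenticate_user); the redirect halts the callback chain.` The leading `return` is also redundant in a one-line filter; `redirect_to "/" if @user` behaves the same.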
6 changes: 2 additions & 4 deletions app/controllers/login_controller.rb
Expand Up @@ -7,6 +7,8 @@ class LoginFailedError < StandardError; end
class LoginController < ApplicationController
before_action :authenticate_user
before_action :check_for_read_only_mode, :except => [:index]
before_action :require_no_user_or_redirect,
only: [:index, :login, :forgot_password, :reset_password]

def logout
if @user
Expand All @@ -17,8 +19,6 @@ def logout
end

def index
return redirect_to "/" if @user

@title = "Login"
@referer ||= request.referer
render :action => "index"
Expand Down Expand Up @@ -100,8 +100,6 @@ def login
end

def forgot_password
return redirect_to "/" if @user

@title = "Reset Password"
render :action => "forgot_password"
end
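Review bot: The `only:` list on the new `before_action` omits `set_new_password`, which the spec file in this commit describes as a `/login/set_new_password` endpoint, so an already authenticated session can presumably still reach the step that actually changes a password. If that is intentional, a short comment beside the list explaining why would keep it from being "fixed" later; if not, the list should read `only: [:index, :login, :forgot_password, :reset_password, :set_new_password]`. The action itself is outside the visible hunks, so this needs confirming against the full controller. As a point of style, the new line uses `only:` while the line above it uses `:except =>`; matching the existing hash-rocket form would keep the callback declarations uniform.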
12 changes: 12 additions & 0 deletions spec/controllers/login_controller_spec.rb
Expand Up @@ -74,6 +74,12 @@
get :index
expect(response).to redirect_to('/')
end

it "doesn't allow submission from logged in users" do
post :login, params: { email: user.email, password: 'asdf' }
post :login, params: { email: user.email, password: 'asdf' }
expect(response).to redirect_to('/')
end
end

describe "/login/reset_password" do
Expand Down Expand Up @@ -110,6 +116,12 @@
get :forgot_password
expect(response).to redirect_to('/')
end

it "doesn't allow submission from logged in users" do
post :login, params: { email: user.email, password: 'asdf' }
post :reset_password, params: { email: user.email }
expect(response).to redirect_to('/')
end
end

describe "/login/set_new_password" do
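Review bot: The new login example may pass whether or not the filter exists, because it posts the same valid credentials twice and expects a redirect to '/', which is probably also where a successful login lands. To pin the guard, make the second request one that would not redirect on its own, e.g. `post :login, params: { email: user.email, password: 'wrong' }`, keeping `expect(response).to redirect_to('/')`; this assumes a failed login re-renders the form, which is not visible here. The reset_password example has the same weakness if that action redirects after doing its work; adding `expect(ActionMailer::Base.deliveries).to be_empty` would show the action body never ran, assuming it sends mail. Both `describe` blocks start outside the hunks, so how `user` is set up could not be checked.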
