Commit b579cc76 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'feature-change-signout-route' into 'master'

Change Sign Out route from a DELETE to a GET

Closes #39708

See merge request gitlab-org/gitlab-ce!15231
parents f2f58a60 4dea7944
...@@ -61,7 +61,7 @@ ...@@ -61,7 +61,7 @@
= link_to "Help", help_path = link_to "Help", help_path
%li.divider %li.divider
%li %li
= link_to "Sign out", destroy_user_session_path, method: :delete, class: "sign-out-link" = link_to "Sign out", destroy_user_session_path, class: "sign-out-link"
- if session[:impersonator_id] - if session[:impersonator_id]
%li.impersonation %li.impersonation
= link_to admin_impersonation_path, class: 'impersonation-btn', method: :delete, title: "Stop impersonation", aria: { label: 'Stop impersonation' }, data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } do = link_to admin_impersonation_path, class: 'impersonation-btn', method: :delete, title: "Stop impersonation", aria: { label: 'Stop impersonation' }, data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } do
......
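Review bot: Dropping `method: :delete` from the Sign out link (and `config.sign_out_via = :get` in the devise.rb hunk) makes session destruction a plain GET, so it is no longer submitted as the token-carrying form that `data-method` produces; any page the user visits can then end their session through an `<img src>` or a prefetched link, and link scanners or browser prefetch can trigger it without the user clicking. The merge request accepts this for the single-sign-out case in #39708, but the trade-off is not recorded in the template. I would leave a note next to the link, `-# Sign out is intentionally a GET (see #39708); it carries no CSRF token.`, and consider adding `rel: 'nofollow'` to the `link_to` so crawlers do not follow it.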
---
title: Change 'Sign Out' route from a DELETE to a GET
merge_request: 39708
author: Joe Marty
type: changed
...@@ -195,7 +195,7 @@ Devise.setup do |config| ...@@ -195,7 +195,7 @@ Devise.setup do |config|
config.navigational_formats = [:"*/*", "*/*", :html, :zip] config.navigational_formats = [:"*/*", "*/*", :html, :zip]
# The default HTTP method used to sign out a resource. Default is :delete. # The default HTTP method used to sign out a resource. Default is :delete.
config.sign_out_via = :delete config.sign_out_via = :get
# ==> OmniAuth # ==> OmniAuth
# To configure a new OmniAuth provider copy and edit omniauth.rb.sample # To configure a new OmniAuth provider copy and edit omniauth.rb.sample
......
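Review bot: The only explanation of `config.sign_out_via = :get` is the generated comment above it, which still describes the Devise default, so a reader cannot tell the non-default value is deliberate. Add a why-comment on the line, e.g. `# :get so external single-sign-out flows can call the URL directly (gitlab-org/gitlab-ce#39708); note a GET sign-out is not CSRF-protected.` The `Devise.setup` block starts and ends outside the hunk.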
...@@ -66,11 +66,7 @@ module Gitlab ...@@ -66,11 +66,7 @@ module Gitlab
end end
def whitelisted_routes def whitelisted_routes
logout_route || grack_route || @whitelisted.any? { |path| request.path.include?(path) } || lfs_route || sidekiq_route grack_route || @whitelisted.any? { |path| request.path.include?(path) } || lfs_route || sidekiq_route
end
def logout_route
route_hash[:controller] == 'sessions' && route_hash[:action] == 'destroy'
end end
def sidekiq_route def sidekiq_route
......
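Review bot: Removing `logout_route` from `whitelisted_routes` keeps sign-out working in read-only mode only because, presumably, the middleware never intercepts GET requests; that coupling to `config.sign_out_via` is invisible here, and if the Devise setting is ever changed back to `:delete` sign-out silently breaks in read-only mode again. Record the dependency with a comment above `whitelisted_routes`, e.g. `# Sign out is a GET (see config.sign_out_via) and so never reaches the read-only write check; no whitelist entry is needed.` If `route_hash` was only used by the removed `logout_route`, it may now be dead code — worth checking, as its definition is outside the hunk. The enclosing class and the `Gitlab` module continue outside the hunk.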
...@@ -91,13 +91,6 @@ describe Gitlab::Middleware::ReadOnly do ...@@ -91,13 +91,6 @@ describe Gitlab::Middleware::ReadOnly do
end end
context 'whitelisted requests' do context 'whitelisted requests' do
it 'expects DELETE request to logout to be allowed' do
response = request.delete('/users/sign_out')
expect(response).not_to be_a_redirect
expect(subject).not_to disallow_request
end
it 'expects a POST internal request to be allowed' do it 'expects a POST internal request to be allowed' do
response = request.post("/api/#{API::API.version}/internal") response = request.post("/api/#{API::API.version}/internal")
......
...@@ -257,8 +257,10 @@ describe "Authentication", "routing" do ...@@ -257,8 +257,10 @@ describe "Authentication", "routing" do
expect(post("/users/sign_in")).to route_to('sessions#create') expect(post("/users/sign_in")).to route_to('sessions#create')
end end
it "DELETE /users/sign_out" do # sign_out with GET instead of DELETE facilitates ad-hoc single-sign-out processes
expect(delete("/users/sign_out")).to route_to('sessions#destroy') # (https://gitlab.com/gitlab-org/gitlab-ce/issues/39708)
it "GET /users/sign_out" do
expect(get("/users/sign_out")).to route_to('sessions#destroy')
end end
it "POST /users/password" do it "POST /users/password" do
......
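Review bot: The spec now only asserts that GET reaches `sessions#destroy`; nothing pins that the DELETE route is gone, so a partial revert of the Devise setting would not be caught here. Add a negative example beside it, `it "DELETE /users/sign_out is no longer routable" do` / `expect(delete("/users/sign_out")).not_to be_routable` / `end`. The two explanatory comment lines would also read better inside the `it` block than floating above it. The `describe` block starts and ends outside the hunk.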