Log out a user if they arrive at AuthorizationsController#new carrying the username of a different user

app/controllers/authorizations_controller.rb

@@ -9,6 +9,10 @@ class AuthorizationsController < ApplicationController
   skip_before_filter :verify_authenticity_token, :only => :token
 
   def new
+    if params[:uid] && params[:uid] != current_user.username
+      sign_out current_user
+      redirect_to request.url
+    end
     @requested_scopes = params["scope"].split(',')
     @client = oauth2_authorization_request.client
 

spec/chubbies/app.rb

@@ -72,9 +72,6 @@ module Chubbies
       '/account?id=1'
     end
 
-    def account_const
-      User
-    end
     def create_account(hash)
       hash[:username] = hash.delete(:diaspora_id)
       account_const.create(hash)

spec/controllers/authorizations_controller_spec.rb

@@ -31,6 +31,34 @@ describe AuthorizationsController do
       }
   end
 
+  describe '#new' do
+    before do
+      @app = Factory.create(:app, :name => "Authorized App")
+      @params = {
+        :scope => "profile",
+        :redirect_uri => @manifest['application_base_url'] << '/callback',
+        :client_id => @app.oauth_identifier,
+        :uid => alice.username
+      }
+    end
+    it 'succeeds' do
+      get :new, @params
+      response.should be_success
+    end
+
+    it 'logs out the signed in user if a different username is passed' do
+      @params[:uid] = bob.username
+      get :new, @params
+      response.location.should include(oauth_authorize_path)
+    end
+
+    it 'it succeeds if no uid is passed' do
+      @params[:uid] = nil
+      get :new, @params
+      response.should be_success
+    end
+  end
+
   describe '#token' do
     before do
       packaged_manifest = {:public_key => @public_key.export, :jwt => JWT.encode(@manifest, @private_key, "RS256")}.to_json