Sign out the signed in user if a different uid is passed to AuthorizationsController#new

2011-08-15 18:35:14 -07:00 · 2011-08-15 18:35:14 -07:00 · a63d1ad4ae
commit a63d1ad4ae
parent 6b88a75174
5 changed files with 17 additions and 8 deletions
--- a/app/controllers/authorizations_controller.rb
+++ b/app/controllers/authorizations_controller.rb
@ -9,16 +9,17 @@ class AuthorizationsController < ApplicationController
  skip_before_filter :verify_authenticity_token, :only => :token

  def new
-    if params[:uid] && params[:uid] != current_user.username
+    if params[:uid].present? && params[:uid] != current_user.username
      sign_out current_user
-      redirect_to request.url
+      redirect_url = Addressable::URI.parse(request.url)
+      redirect_url.query_values = redirect_url.query_values.merge("uid" => nil)
+      redirect_to redirect_url.to_s
    end
    @requested_scopes = params["scope"].split(',')
    @client = oauth2_authorization_request.client

    if authorization = current_user.authorizations.where(:client_id => @client.id).first
      ac = authorization.authorization_codes.create(:redirect_uri => params[:redirect_uri])
-      #tokens = current_user.authorizations.first.access_tokens.first
      redirect_to "#{params[:redirect_uri]}&code=#{ac.code}"
    end
  end
--- a/features/oauth.feature
+++ b/features/oauth.feature
@ -24,6 +24,14 @@ Feature: oauth
    Then I should be on "/account" on Chubbies

    And I should have 1 user on Chubbies
+
+  Scenario: Signing up as a user while someone else is logged into Diaspora
+    Given a user with username "alice"
+    When I sign in as "alice@alice.alice"
+    Then I visit "/new" on Chubbies
+    And I fill in "Diaspora ID" with "bob@localhost:9887"
+    And I press "Connect to Diaspora"
+    Then I should be on the new user session page
  
  Scenario: Not authorize Chubbies
    When I try to authorize Chubbies
--- a/features/step_definitions/oauth_steps.rb
+++ b/features/step_definitions/oauth_steps.rb
@ -47,7 +47,7 @@ When /^I try to authorize Chubbies$/ do
 end

 And /^I fill in my Diaspora ID to connect$/ do
-  And "I fill in \"Diaspora Handle\" with \"#{@me.diaspora_handle}\""
+  And "I fill in \"Diaspora ID\" with \"#{@me.diaspora_handle}\""
 end

 And /^I should have (\d) user on Chubbies$/ do |num|
--- a/spec/chubbies/app.rb
+++ b/spec/chubbies/app.rb
@ -74,7 +74,7 @@ module Chubbies

    def create_account(hash)
      hash[:username] = hash.delete(:diaspora_id)
-      account_const.create(hash)
+      User.create(hash)
    end

    get '/account' do
--- a/spec/chubbies/views/home.haml
+++ b/spec/chubbies/views/home.haml
@ -2,7 +2,7 @@
  %head
  %body
    %form{:action => '/', :id => 'login', :method => 'get'}
-      %label{:for => 'diaspora_handle'}
-        Diaspora Handle
-      %input{:type=>'text', :id => 'diaspora_handle', :name => 'diaspora_handle'}
+      %label{:for => 'diaspora_id'}
+        Diaspora ID
+      %input{:type=>'text', :id => 'diaspora_id', :name => 'diaspora_id'}
      %input{:type => 'submit', :value => "Connect to Diaspora" }