authorSeb Bacon <seb.bacon@gmail.com>2011-07-27 15:27:22 +0100
committerSeb Bacon <seb.bacon@gmail.com>2011-07-27 15:28:58 +0100
commit44ffca31030651ca9d816cfd7d0784d0652c4ee5 (patch)
tree6fc1a8dd5ff33947584f0e32b6d676f14860e386 /spec/lib
parentcace286e2d92ad50c4253c5765055e9da4da3871 (diff)
Don't treat CSRF tokens as optional session data for administrators (they're needed to allow them to edit anything! Fixes #95
(Also change wording of test names to match usual rspec convention)
Diffstat (limited to 'spec/lib')
-rw-r--r--spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb8
1 files changed, 8 insertions, 0 deletions
diff --git a/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb b/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb
index 1d71d680f..1cf5e3d25 100644
--- a/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb
+++ b/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb
@@ -50,6 +50,14 @@ describe WhatDoTheyKnow::StripEmptySessions do
response = make_response(@session_data, application_response_headers)
response.headers['Set-Cookie'].should == ""
end
+
+ it 'should not strip the session cookie setting for admins' do
+ @session_data[:using_admin] = 1
+ application_response_headers = { 'Content-Type' => 'text/html',
+ 'Set-Cookie' => 'mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly'}
+ response = make_response(@session_data, application_response_headers)
+ response.headers['Set-Cookie'].should == "mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly"
+ end
it 'should strip the session cookie setting header (but no other cookie setting header) if there is more than one' do
application_response_headers = { 'Content-Type' => 'text/html',