-rw-r--r--app/controllers/user_controller.rb6
-rw-r--r--spec/controllers/user_controller_spec.rb13
2 files changed, 17 insertions, 2 deletions
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index fc29a847c..45b71a3a9 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -116,8 +116,10 @@ class UserController < ApplicationController
render :action => 'sign'
return
else
- @user_signin = User.authenticate_from_form(params[:user_signin], @post_redirect.reason_params[:user_name] ? true : false)
- if @user_signin.errors.size > 0
+ if !@post_redirect.nil?
+ @user_signin = User.authenticate_from_form(params[:user_signin], @post_redirect.reason_params[:user_name] ? true : false)
+ end
+ if @post_redirect.nil? || @user_signin.errors.size > 0
# Failed to authenticate
render :action => 'sign'
return
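Review bot: On the new nil-token path `@user_signin` is never assigned, yet the code falls into the same `# Failed to authenticate` render as a wrong password, so if the `sign` template reads `@user_signin` (to re-fill the email field or list errors) it will now see nil — worth checking the view, or giving that branch its own message saying the token was not recognised. Testing `@post_redirect.nil?` twice is also harder to follow than a single guard clause before the authenticate call, and `if !@post_redirect.nil?` should be written `unless @post_redirect.nil?` (or simply `if @post_redirect`) in any case. The enclosing action starts and ends outside the hunk, and the lookup that leaves `@post_redirect` nil for an unknown token is not visible here, so I am inferring the nil source from the spec's description.
```ruby
else
  if @post_redirect.nil?
    # Unknown or missing token: re-show the form instead of calling into nil
    render :action => 'sign'
    return
  end
  @user_signin = User.authenticate_from_form(params[:user_signin], @post_redirect.reason_params[:user_name] ? true : false)
  if @user_signin.errors.size > 0
    # … unchanged: failed-authentication render and return …
```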
diff --git a/spec/controllers/user_controller_spec.rb b/spec/controllers/user_controller_spec.rb
index c13d7c9fc..2560b48c7 100644
--- a/spec/controllers/user_controller_spec.rb
+++ b/spec/controllers/user_controller_spec.rb
@@ -109,6 +109,19 @@ describe UserController, "when signing in" do
response.should_not send_email
end
+ it "should not log you in if you use an invalid PostRedirect token, and shouldn't give 500 error either" do
+ ActionController::Routing::Routes.filters.clear
+ get :signin, :r => "/list"
+ response.should render_template('sign')
+ post_redirect = "something invalid"
+ lambda {
+ post :signin, { :user_signin => { :email => 'bob@localhost', :password => 'jonespassword' },
+ :token => post_redirect
+ }
+ }.should_not raise_error(NoMethodError)
+ response.should render_template('sign')
+ end
+
# No idea how to test this in the test framework :(
# it "should have set a long lived cookie if they picked remember me, session cookie if they didn't" do
# get :signin, :r => "/list"