diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index fcf83c92a..6d6338ffa 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -42,19 +42,22 @@ class ApplicationController < ActionController::Base
 # Check the settings cache for each request
 Setting.check_cache
 # Find the current user
- self.logged_user = find_current_user
+ User.current = find_current_user
 end
 # Returns the current user or nil if no user is logged in
+ # and starts a session if needed
 def find_current_user
 if session[:user_id]
 # existing session
 (User.active.find(session[:user_id]) rescue nil)
 elsif cookies[:autologin] && Setting.autologin?
- # auto-login feature
- User.try_to_autologin(cookies[:autologin])
- elsif params[:key] && accept_key_auth_actions.include?(params[:action])
- # RSS key authentication
+ # auto-login feature starts a new session
+ user = User.try_to_autologin(cookies[:autologin])
+ session[:user_id] = user.id if user
+ user
+ elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
+ # RSS key authentication does not start a session
 User.find_by_rss_key(params[:key])
 end
 end
diff --git a/test/integration/application_test.rb b/test/integration/application_test.rb
index dc6fdf392..fba11e049 100644
--- a/test/integration/application_test.rb
+++ b/test/integration/application_test.rb
@@ -20,7 +20,7 @@ require "#{File.dirname(__FILE__)}/../test_helper"
 class ApplicationTest < ActionController::IntegrationTest
 include Redmine::I18n
- fixtures :users
+ fixtures :all
 def test_set_localization
 Setting.default_language = 'en'
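Review bot: The auto-login branch of `find_current_user` writes `session[:user_id] = user.id if user` into whatever session the request already carried, so a session identifier issued before authentication stays valid after it (session fixation). Calling `reset_session` when `user` is set, immediately before that assignment, would rotate the identifier at the point of privilege change; anything stored in the anonymous session would be dropped, so confirm nothing there is needed after login. Separately, the session branch scopes its lookup with `User.active`, while the key branch calls `User.find_by_rss_key(params[:key])` with no visible active-user filter; that method is outside this diff, so it is worth confirming it rejects locked accounts.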
@@ -42,4 +42,15 @@ class ApplicationTest < ActionController::IntegrationTest
 assert_response :success
 assert_tag :tag => 'h2', :content => 'Projects'
 end
+
+ def test_token_based_access_should_not_start_session
+ # issue of a private project
+ get 'issues/4.atom'
+ assert_response 302
+
+ rss_key = User.find(2).rss_key
+ get "issues/4.atom?key=#{rss_key}"
+ assert_response 200
+ assert_nil session[:user_id]
+ end
 end
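Review bot: The new test pins only the atom-plus-key path; the `params[:format] == 'atom'` condition added in `find_current_user` has no negative case, so a regression that accepts the key on HTML requests again would still pass. A second pair of lines such as `get "issues/4?key=#{rss_key}"` followed by `assert_response 302` would cover it, assuming the non-atom route for this private issue redirects anonymous users as the atom one does. The auto-login branch that now starts a session is also untested here; an assertion that `session[:user_id]` is set after a request carrying a valid autologin cookie would document that half of the change.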