Merged r12438 (#15735).

git-svn-id: http://svn.redmine.org/redmine/branches/2.4-stable@12444 e93f8b46-1217-0410-a6f0-8f06a7374b81
2013-12-22 14:48:46 +00:00 · 2013-12-22 14:48:46 +00:00 · aacaa9da8e
parent 9ebcb1e734
commit aacaa9da8e
2 changed files with 18 additions and 0 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@ -22,6 +22,14 @@ class AccountController < ApplicationController
  # prevents login action to be filtered by check_if_login_required application scope filter
  skip_before_filter :check_if_login_required, :check_password_change

+  # Overrides ApplicationController#verify_authenticity_token to disable
+  # token verification on openid callbacks
+  def verify_authenticity_token
+    unless using_open_id?
+      super
+    end
+  end
+
  # Login request and validation
  def login
    if request.get?
--- a/test/functional/account_controller_openid_test.rb
+++ b/test/functional/account_controller_openid_test.rb
@ -131,6 +131,16 @@ class AccountControllerOpenidTest < ActionController::TestCase
      assert_select 'input[name=?][value=?]', 'user[identity_url]', 'http://openid.example.com/good_blank_user'
    end

+    def test_post_login_should_not_verify_token_when_using_open_id
+      ActionController::Base.allow_forgery_protection = true
+      AccountController.any_instance.stubs(:using_open_id?).returns(true)
+      AccountController.any_instance.stubs(:authenticate_with_open_id).returns(true)
+      post :login
+      assert_response 200
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
+
    def test_register_after_login_failure_should_not_require_user_to_enter_a_password
      Setting.self_registration = '3'