When a user ID is destroyed but session still exists, site redirects infinitely

hotsh / rstat.us

Simple microblogging network based on the ostatus protocol.

http://rstat.us/

Other

722 stars 215 forks source link

When a user ID is destroyed but session still exists, site redirects infinitely #771

Closed mathias closed 10 years ago

mathias commented 11 years ago

Clear out the user_id in the session hash to prevent infinite redirects

mathias commented 11 years ago

No test, but I didn't quite know how I'd set it up, so I omitted it.

Steps to reproduce:

Log in as an existing user
Destroy the user in the console
Attempt to load the homepage. Chrome & Firefox give you infinite redirect warning.

wilkie commented 11 years ago

I'm confused. I think this basically turns require_user into a no-op... actually, it would log the user out on any page that has a require_user filter. I'd expect that this would break user profile editing, for one.

mathias commented 11 years ago

Yeah, the build failed, so this is clearly not the fix. For some reason I was thinking require_user was called when we detected that the resource required a logged in user but there wasn't a current_user.. Which isn't what it's doing.

What this needs is something more complicated than redirect to root unless we have a logged in user since it needs to clear the session when we redirect, too.

mathias commented 11 years ago

That should work, and passes tests.

mathias commented 10 years ago

Closing due to inactivity.