janko / rodauth-rails

Rails integration for Rodauth authentication framework
https://github.com/jeremyevans/rodauth
MIT License
565 stars 40 forks

/logout uses global logout even though the checkbox is not active #175

Closed kucho closed 1 year ago

kucho commented 1 year ago

I'm trying to add Rails Event Store to a sample app to log every event. When logging logout events, I noticed the default logout behavior is logging out globally even though the checkbox is not selected.

This is the generated HTML:

<form data-turbo="false" action="/logout" accept-charset="UTF-8" method="post"><input type="hidden" name="authenticity_token" value="YOfzhmOKL37VbHxf9k1g_ioW39-1IU15jfRASLBL_uq7F77eXJ-t5yB8MDxFqRoAxCeSc8qBFRBH3fw4R6Z55w" autocomplete="off">
    <div class="form-group mb-3">
      <div class="form-check">
        <input name="global_logout" type="hidden" value="0" autocomplete="off"><input id="global-logout" class="form-check-input" type="checkbox" value="1" name="global_logout">
        <label class="form-check-label" for="global-logout">Logout all Logged In Sessions?</label>
      </div>
    </div>

  <div class="form-group mb-3">
    <input type="submit" name="commit" value="Logout" class="btn btn-warning" data-disable-with="Logout">
  </div>
</form>

The request log:

Started POST "/logout" for 127.0.0.1 at 2022-11-16 12:16:16 -0500
Processing by RodauthApp#call as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "global_logout"=>"0", "commit"=>"Logout"}

Rodauth#before_logout in rodauth/features/active_sessions.rb:126 is evaluating:

 param_or_nil(global_logout_param)
=> "0" # truthy

Causing all the other sessions to log out too. Is this the expected behavior? I would have expected it to be only the current session since the checkbox is not active.

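To make the mechanism in the report concrete, the following is an added example (not code from rodauth-rails or Rodauth) that models both form variants: the Rails `check_box` helper emits a hidden `global_logout=0` before the checkbox, so the browser always submits a value, while a plain Rodauth form submits `global_logout` only when the box is ticked. The `param_or_nil` here is a hypothetical stand-in that returns the parameter's value when present and non-empty, and nil otherwise (an assumption about its behaviour, not Rodauth's source); the query strings are constructed, not captured traffic. It contrasts a presence check, which treats `"0"` as truthy, with a value check that only honours an explicit `"1"`.

```ruby
require "uri"

# Constructed form bodies (example data, not captured traffic).
# Rails check_box: hidden "0" always sent, "1" appended only when ticked.
RAILS_UNCHECKED   = "authenticity_token=x&global_logout=0&commit=Logout"
RAILS_CHECKED     = "authenticity_token=x&global_logout=0&global_logout=1&commit=Logout"
# Rodauth's own form: no hidden input, so the key is absent when unticked.
RODAUTH_UNCHECKED = "authenticity_token=x&commit=Logout"
RODAUTH_CHECKED   = "authenticity_token=x&global_logout=1&commit=Logout"

# Parse an application/x-www-form-urlencoded body; for repeated keys the last
# value wins, which is how Rack resolves the hidden/checkbox pair.
def parse_params(body)
  URI.decode_www_form(body).each_with_object({}) { |(k, v), h| h[k] = v }
end

# Hypothetical model of Rodauth's param_or_nil: value if present and
# non-empty, nil otherwise. (Assumption for this example, not Rodauth code.)
def param_or_nil(params, key)
  value = params[key]
  value.nil? || value.empty? ? nil : value
end

# Presence check, as the report describes before_logout doing: any submitted
# value, including the Rails hidden "0", is treated as "log out everywhere".
def global_logout_by_presence?(params)
  !param_or_nil(params, "global_logout").nil?
end

# Value check: only the checkbox's checked value "1" triggers a global logout,
# so the Rails hidden "0" no longer logs out every session.
def global_logout_by_value?(params)
  param_or_nil(params, "global_logout") == "1"
end

# Summarise what each check would decide for a given form body.
def decisions(body)
  params = parse_params(body)
  { presence: global_logout_by_presence?(params),
    value:    global_logout_by_value?(params) }
end

if $PROGRAM_NAME == __FILE__
  { "rails unchecked"   => RAILS_UNCHECKED,
    "rails checked"     => RAILS_CHECKED,
    "rodauth unchecked" => RODAUTH_UNCHECKED,
    "rodauth checked"   => RODAUTH_CHECKED }.each do |label, body|
    puts "#{label}: #{decisions(body)}"
  end
end
```

Only the Rails unchecked case differs between the two checks: the presence check logs out every session, the value check does not. On the Rails side, the form builder's `check_box` accepts `include_hidden: false`, which drops the hidden `0` input and makes the submitted parameters match what a Rodauth-rendered form sends.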
janko commented 1 year ago

Thanks for the report. It appears the problem is the hidden input that Rails check_box helper generated, which Rodauth does not. I'll try to push a fix tomorrow.