diff --git a/config/routes.rb b/config/routes.rb
index 6ac85c184..5fc778576 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -14,7 +14,7 @@
devise_scope :spree_user do
get '/login' => 'user_sessions#new', :as => :login
post '/login' => 'user_sessions#create', :as => :create_new_session
- get '/logout' => 'user_sessions#destroy', :as => :logout
+ post '/logout' => 'user_sessions#destroy', :as => :logout
get '/signup' => 'user_registrations#new', :as => :signup
post '/signup' => 'user_registrations#create', :as => :registration
get '/password/recover' => 'user_passwords#new', :as => :recover_password
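Review bot: The move of `/logout` from GET to POST at L10 carries no explanation, and the identical edit is repeated in the second hunk (L18–L19); a short why-comment at the route would stop a later maintainer from reverting it for convenience, e.g. `# Logout mutates session state, so it must not be reachable via GET (link prefetch, cross-site navigation); see sign_out_spec`. The POST-only route only closes the hole if `user_sessions#destroy` is actually covered by forgery protection — worth confirming the controller does not skip `verify_authenticity_token` for that action. If the app also keeps Devise-generated session routes, `config.sign_out_via` in the Devise initializer should agree with this change, otherwise a GET sign-out path may still be routable. The enclosing `devise_scope` block in this hunk ends outside it.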
@@ -41,7 +41,7 @@
get '/authorization_failure', :to => 'user_sessions#authorization_failure', :as => :unauthorized
get '/login' => 'user_sessions#new', :as => :login
post '/login' => 'user_sessions#create', :as => :create_new_session
- get '/logout' => 'user_sessions#destroy', :as => :logout
+ post '/logout' => 'user_sessions#destroy', :as => :logout
end
end
diff --git a/lib/views/backend/spree/layouts/admin/_login_nav.html.erb b/lib/views/backend/spree/layouts/admin/_login_nav.html.erb
index 5a7182519..9ab0d6a8a 100644
--- a/lib/views/backend/spree/layouts/admin/_login_nav.html.erb
+++ b/lib/views/backend/spree/layouts/admin/_login_nav.html.erb
@@ -24,7 +24,7 @@
<%= link_to Spree.t(:account), spree.edit_user_path(spree_current_user), class: "btn btn-default btn-flat" %>
- <%= link_to Spree.t(:logout), spree.admin_logout_path, class: "btn btn-default btn-flat" %>
+ <%= link_to Spree.t(:logout), spree.admin_logout_path, method: :post, class: "btn btn-default btn-flat" %>
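Review bot: `method: :post` on `link_to` at L29 only works when the unobtrusive JS driver is loaded and rewrites the click via `data-method`; with JavaScript disabled or the driver missing, the anchor issues a plain GET, which after this commit is no longer routed (the sign_out specs in this commit assert exactly that RoutingError). `button_to Spree.t(:logout), spree.admin_logout_path, method: :post, class: "btn btn-default btn-flat"` renders a real form carrying the authenticity token and does not depend on JS, which is the usual way to expose a state-changing action as a control. The frontend link at L38 has the same dependency and would benefit from the same change.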
diff --git a/lib/views/frontend/spree/shared/_login_bar.html.erb b/lib/views/frontend/spree/shared/_login_bar.html.erb
index a27a706ac..b208a477f 100644
--- a/lib/views/frontend/spree/shared/_login_bar.html.erb
+++ b/lib/views/frontend/spree/shared/_login_bar.html.erb
@@ -1,6 +1,6 @@
<% if spree_current_user %>
<%= link_to Spree.t(:my_account), spree.account_path %>
- <%= link_to Spree.t(:logout), spree.logout_path %>
+ <%= link_to Spree.t(:logout), spree.logout_path, method: :post %>
<% else %>
<%= link_to Spree.t(:login), spree.login_path %>
<% end %>
diff --git a/spec/features/admin/sign_out_spec.rb b/spec/features/admin/sign_out_spec.rb
index b2eb6616b..b3c8b7044 100644
--- a/spec/features/admin/sign_out_spec.rb
+++ b/spec/features/admin/sign_out_spec.rb
@@ -19,4 +19,12 @@
expect(page).to have_button 'Login'
expect(page).not_to have_text 'Logout'
end
+
+ scenario 'does not allow logging out by a GET request' do
+ expect do
+ visit spree.admin_logout_path
+ end.to raise_error(ActionController::RoutingError)
+ visit spree.admin_login_path
+ expect(page).to have_text('You are already signed in')
+ end
end
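Review bot: The `raise_error(ActionController::RoutingError)` expectation at L52–L54 ties the scenario to a driver that propagates server exceptions into the test process (rack_test with `Capybara.raise_server_errors` on); under a JS driver, or with `action_dispatch.show_exceptions` enabled, the GET would render an error page instead and the scenario would fail for the wrong reason. The assertion at L55–L56 that the user is still signed in is the behaviour the fix is really about, so it is the one to keep unconditional. The frontend spec at L68–L74 shares the same coupling, and its title `'restrict signing out by a GET request'` reads differently from the admin one's `'does not allow logging out by a GET request'`; using the same wording in both files would make the pair easier to find.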
diff --git a/spec/features/sign_out_spec.rb b/spec/features/sign_out_spec.rb
index 786b8c35f..a70e06fca 100644
--- a/spec/features/sign_out_spec.rb
+++ b/spec/features/sign_out_spec.rb
@@ -22,4 +22,12 @@
expect(page).to have_text 'Login'
expect(page).not_to have_text 'Logout'
end
+
+ scenario 'restrict signing out by a GET request' do
+ expect do
+ visit spree.logout_path
+ end.to raise_error(ActionController::RoutingError)
+ visit spree.login_path
+ expect(page).to have_text('You are already signed in')
+ end
end