Allow users with expired passswords to sign out

This change allows users with expired passswords to sign out

Allow users with expired passswords to sign out
This change allows users with expired passswords to sign out
1cd37602 · manojmj · 0413042e · 1cd37602 · 1cd37602 · 1cd37602
Commit 1cd37602 authored Aug 31, 2020 by manojmj
3 changed files
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -10,6 +10,8 @@ class SessionsController < Devise::SessionsController
  include KnownSignIn

  skip_before_action :check_two_factor_requirement, only: [:destroy]
+  skip_before_action :check_password_expiration, only: [:destroy]
+
  # replaced with :require_no_authentication_without_flash
  skip_before_action :require_no_authentication, only: [:new, :create]


--- a/changelogs/unreleased/243444-user-cannot-sign-out-of-gitlab-once-admin-resets-their-password.yml
+++ b/changelogs/unreleased/243444-user-cannot-sign-out-of-gitlab-once-admin-resets-their-password.yml
+---
+title: Allow users with expired passwords to sign out
+merge_request: 40830
+author:
+type: fixed
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -6,11 +6,11 @@ RSpec.describe SessionsController do
  include DeviseHelpers
  include LdapHelpers

-  describe '#new' do
-    before do
-      set_devise_mapping(context: @request)
-    end
+  before do
+    set_devise_mapping(context: @request)
+  end

+  describe '#new' do
    context 'when auto sign-in is enabled' do
      before do
        stub_omniauth_setting(auto_sign_in_with_provider: :saml)
@@ -59,13 +59,19 @@ RSpec.describe SessionsController do
        end
      end
    end
-  end

-  describe '#create' do
-    before do
-      set_devise_mapping(context: @request)
+    it "redirects correctly for referer on same host with params" do
+      host = "test.host"
+      search_path = "/search?search=seed_project"
+      request.headers[:HTTP_REFERER] = "http://#{host}#{search_path}"
+
+      get(:new, params: { redirect_to_referer: :yes })
+
+      expect(controller.stored_location_for(:redirect)).to eq(search_path)
    end
+  end

+  describe '#create' do
    it_behaves_like 'known sign in' do
      let(:user) { create(:user) }
      let(:post_action) { post(:create, params: { user: { login: user.username, password: user.password } }) }
@@ -439,25 +445,8 @@ RSpec.describe SessionsController do
    end
  end

-  describe "#new" do
-    before do
-      set_devise_mapping(context: @request)
-    end
-
-    it "redirects correctly for referer on same host with params" do
-      host = "test.host"
-      search_path = "/search?search=seed_project"
-      request.headers[:HTTP_REFERER] = "http://#{host}#{search_path}"
-
-      get(:new, params: { redirect_to_referer: :yes })
-
-      expect(controller.stored_location_for(:redirect)).to eq(search_path)
-    end
-  end
-
  context 'when login fails' do
    before do
-      set_devise_mapping(context: @request)
      @request.env["warden.options"] = { action:  'unauthenticated' }
    end

@@ -471,10 +460,6 @@ RSpec.describe SessionsController do
  describe '#set_current_context' do
    let_it_be(:user) { create(:user) }

-    before do
-      set_devise_mapping(context: @request)
-    end
-
    context 'when signed in' do
      before do
        sign_in(user)
@@ -528,4 +513,21 @@ RSpec.describe SessionsController do
      end
    end
  end
+
+  describe '#destroy' do
+    before do
+      sign_in(user)
+    end
+
+    context 'for a user whose password has expired' do
+      let(:user) { create(:user, password_expires_at: 2.days.ago) }
+
+      it 'allows to sign out successfully' do
+        delete :destroy
+
+        expect(response).to redirect_to(new_user_session_path)
+        expect(controller.current_user).to be_nil
+      end
+    end
+  end
 end