Use POST for user session disable endpoints

User signout and admin mode disable use now POST instead of GET

Use POST for user session disable endpoints
User signout and admin mode disable use now POST instead of GET
7bc9829e · Diego Louzán · Bob Van Landuyt · 07dadce8 · 7bc9829e · 7bc9829e
Commit 7bc9829e authored Jan 14, 2020 by Diego Louzán Committed by Bob Van Landuyt Jan 14, 2020
9 changed files
--- a/app/views/errors/_footer.html.haml
+++ b/app/views/errors/_footer.html.haml
@@ -4,7 +4,7 @@
      = link_to s_('Nav|Home'), root_path
    %li
      - if current_user
-        = link_to s_('Nav|Sign out and sign in with a different account'), destroy_user_session_path
+        = link_to s_('Nav|Sign out and sign in with a different account'), destroy_user_session_path, method: :post
      - else
        = link_to s_('Nav|Sign In / Register'), new_session_path(:user, redirect_to_referer: 'yes')
    %li

--- a/app/views/layouts/header/_current_user_dropdown.html.haml
+++ b/app/views/layouts/header/_current_user_dropdown.html.haml
@@ -47,4 +47,4 @@
  - if current_user_menu?(:sign_out)
    %li.divider
    %li
-      = link_to _("Sign out"), destroy_user_session_path, class: "sign-out-link", data: { qa_selector: 'sign_out_link' }
+      = link_to _("Sign out"), destroy_user_session_path, method: :post, class: "sign-out-link", data: { qa_selector: 'sign_out_link' }
--- a/app/views/layouts/nav/_dashboard.html.haml
+++ b/app/views/layouts/nav/_dashboard.html.haml
@@ -55,7 +55,7 @@
          - if Feature.enabled?(:user_mode_in_session)
            - if header_link?(:admin_mode)
              = nav_link(controller: 'admin/sessions') do
-                = link_to destroy_admin_session_path, class: 'd-lg-none lock-open-icon' do
+                = link_to destroy_admin_session_path, method: :post, class: 'd-lg-none lock-open-icon' do
                  = _('Leave Admin Mode')
            - elsif current_user.admin?
              = nav_link(controller: 'admin/sessions') do

--- a/changelogs/unreleased/refactor-session-disable-with-post.yml
+++ b/changelogs/unreleased/refactor-session-disable-with-post.yml
+---
+title: User signout and admin mode disable use now POST instead of GET
+merge_request: 22113
+author: Diego Louzán
+type: other
--- a/config/initializers/8_devise.rb
+++ b/config/initializers/8_devise.rb
@@ -203,7 +203,7 @@ Devise.setup do |config|
  config.navigational_formats = [:"*/*", "*/*", :html, :zip]

  # The default HTTP method used to sign out a resource. Default is :delete.
-  config.sign_out_via = :get
+  config.sign_out_via = :post

  # ==> OmniAuth
  # To configure a new OmniAuth provider copy and edit omniauth.rb.sample

--- a/config/routes/admin.rb
+++ b/config/routes/admin.rb
@@ -24,7 +24,7 @@ namespace :admin do
  end

  resource :session, only: [:new, :create] do
-    get 'destroy', action: :destroy, as: :destroy
+    post 'destroy', action: :destroy, as: :destroy
  end

  resource :impersonation, only: :destroy

--- a/spec/controllers/admin/sessions_controller_spec.rb
+++ b/spec/controllers/admin/sessions_controller_spec.rb
@@ -122,7 +122,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
  describe '#destroy' do
    context 'for regular users' do
      it 'shows error page' do
-        get :destroy
+        post :destroy

        expect(response).to have_gitlab_http_status(404)
        expect(controller.current_user_mode.admin_mode?).to be(false)
@@ -139,7 +139,7 @@ describe Admin::SessionsController, :do_not_mock_admin_mode do
        post :create, params: { password: user.password }
        expect(controller.current_user_mode.admin_mode?).to be(true)

-        get :destroy
+        post :destroy

        expect(response).to have_gitlab_http_status(:found)
        expect(response).to redirect_to(root_path)

--- a/spec/routing/admin_routing_spec.rb
+++ b/spec/routing/admin_routing_spec.rb
@@ -161,3 +161,17 @@ describe Admin::GroupsController, "routing" do
    expect(get("/admin/groups/#{name}/edit")).to route_to('admin/groups#edit', id: name)
  end
 end
+
+describe Admin::SessionsController, "routing" do
+  it "to #new" do
+    expect(get("/admin/session/new")).to route_to('admin/sessions#new')
+  end
+
+  it "to #create" do
+    expect(post("/admin/session")).to route_to('admin/sessions#create')
+  end
+
+  it "to #destroy" do
+    expect(post("/admin/session/destroy")).to route_to('admin/sessions#destroy')
+  end
+end
--- a/spec/routing/routing_spec.rb
+++ b/spec/routing/routing_spec.rb
@@ -256,10 +256,8 @@ describe "Authentication", "routing" do
    expect(post("/users/sign_in")).to route_to('sessions#create')
  end

-  # sign_out with GET instead of DELETE facilitates ad-hoc single-sign-out processes
-  # (https://gitlab.com/gitlab-org/gitlab-foss/issues/39708)
-  it "GET /users/sign_out" do
-    expect(get("/users/sign_out")).to route_to('sessions#destroy')
+  it "POST /users/sign_out" do
+    expect(post("/users/sign_out")).to route_to('sessions#destroy')
  end

  it "POST /users/password" do