github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-01 09:08:10 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Don't redirect XHR/JSON requests when login is required (#15093)

Browse Source 
When redirecting to login, we store a destination_url cookie, which the user is then redirected to after login. We never want the user to be redirected to a JSON URL. Instead, we should return a 403 in these situations.

This should also be much less confusing for API consumers - a 403 is a better representation than a 302.
This commit is contained in:
David Taylor
2021-12-02 15:12:25 +00:00
committed by GitHub
parent 55cbc70f3f
commit cfb6199a95
4 changed files with 46 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
spec/requests/application_controller_spec.rb
View File

@ -120,6 +120,14 @@ RSpec.describe ApplicationController do
expect(response.body).not_to include("data-authentication-data=")
expect(response.headers["Set-Cookie"]).to include("authentication_data=;") # Delete cookie
end
it "returns a 403 for json requests" do
get '/latest'
expect(response.status).to eq(302)
get '/latest.json'
expect(response.status).to eq(403)
end
end
describe '#redirect_to_second_factor_if_required' do