From 844870273ffb1a663c768494c265caef6768ff83 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 7 Jul 2020 15:26:31 +0200 Subject: Fix other sessions not being logged out on password change (#14252) While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method --- app/controllers/home_controller.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'app/controllers/home_controller.rb') diff --git a/app/controllers/home_controller.rb b/app/controllers/home_controller.rb index 7c8a18d17..702889cd0 100644 --- a/app/controllers/home_controller.rb +++ b/app/controllers/home_controller.rb @@ -1,6 +1,7 @@ # frozen_string_literal: true class HomeController < ApplicationController + before_action :redirect_unauthenticated_to_permalinks! before_action :authenticate_user! before_action :set_referrer_policy_header @@ -10,7 +11,7 @@ class HomeController < ApplicationController private - def authenticate_user! + def redirect_unauthenticated_to_permalinks! return if user_signed_in? matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/) @@ -35,6 +36,7 @@ class HomeController < ApplicationController end matches = request.path.match(%r{\A/web/timelines/tag/(?.+)\z}) + redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path) end -- cgit