

Merged in r2-3139-signout-password-change-main (pull request #7011)
R2-3139: Fixing issue where changing password on another user changes the session
jtoliver-quoin authored and pnabutovsky committed Dec 6, 2024
2 parents 180289a + bbe0d22 commit 5787070
Showing 2 changed files with 16 additions and 1 deletion.
2 changes: 1 addition & 1 deletion app/controllers/api/v2/users_controller.rb
Original file line number Diff line number Diff line change
@@ -76,6 +76,6 @@ def identity_sync
end

def keep_user_signed_in
bypass_sign_in(@user) if @user.saved_change_to_encrypted_password?
bypass_sign_in(@user) if @user.saved_change_to_encrypted_password? && current_user == @user
end
end
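Review bot: The new `current_user == @user` guard in keep_user_signed_in carries no comment, so the only record of why it exists is the commit title, and a future "simplification" could reintroduce the session swap. A one-line comment above the call would pin the intent: `# Re-establish the session only when a user changes their own password; an admin resetting someone else's password must not end up signed in as that user.` The comparison relies on ActiveRecord record equality (same class and id), which is fine while both sides are persisted records; if current_user is nil for some callers, the comparison is simply false and the bypass is skipped, which is the safe outcome. keep_user_signed_in appears to be a hook registered elsewhere, but that registration and the rest of the controller are outside the hunk.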
15 changes: 15 additions & 0 deletions spec/requests/api/v2/users_controller_spec.rb
Original file line number Diff line number Diff line change
@@ -682,6 +682,21 @@
expect(controller.current_user).to eq(@user_d)
end

it 'does not change logged in user session when password changed on another user' do
sign_in(@super_user)
params = {
data: {
password: 'primer0!',
password_confirmation: 'primer0!'
}
}
patch("/api/v2/users/#{@user_c.id}", params:)
expect(response).to have_http_status(200)
get('/api/v2/roles')
expect(response).to have_http_status(200)
expect(controller.current_user).to eq(@super_user)
end

it "returns 403 if user isn't authorized to update users" do
login_for_test
params = {
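Review bot: The new example 'does not change logged in user session when password changed on another user' would also pass if the PATCH silently left @user_c's password untouched, because then `saved_change_to_encrypted_password?` is false and `bypass_sign_in` is never reached regardless of the guard under test. Asserting that the password really changed makes the test exercise the fixed branch: `expect(@user_c.reload.valid_password?('primer0!')).to be(true)` after the `expect(response).to have_http_status(200)` on the PATCH. The `@super_user` and `@user_c` fixtures and the `sign_in` helper are defined outside the hunk, so their setup could not be checked here.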

