Return 401 for sessions#destroy action with no user signed in (#4878)

It's an unauthenticated request, so return 401 Unauthorized like most other similar requests. Signed-off-by: Carlos Antonio da Silva <carlosantoniodasilva@gmail.com>
2026-01-08 22:37:57 -05:00 · 2018-12-28 05:18:07 -08:00
parent 05bbc71446
commit 9a149ff139
3 changed files with 18 additions and 5 deletions
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -74,7 +74,7 @@ class SessionsControllerTest < Devise::ControllerTestCase
    assert_template "devise/sessions/new"
  end

-  test "#destroy doesn't set the flash if the requested format is not navigational" do
+  test "#destroy doesn't set the flash and returns 204 status if the requested format is not navigational" do
    request.env["devise.mapping"] = Devise.mappings[:user]
    user = create_user
    user.confirm
@@ -87,4 +87,16 @@ class SessionsControllerTest < Devise::ControllerTestCase
    assert flash[:notice].blank?, "flash[:notice] should be blank, not #{flash[:notice].inspect}"
    assert_equal 204, @response.status
  end
+
+  test "#destroy returns 401 status if user is not signed in and the requested format is not navigational" do
+    request.env["devise.mapping"] = Devise.mappings[:user]
+    delete :destroy, format: 'json'
+    assert_equal 401, @response.status
+  end
+
+  test "#destroy returns 302 status if user is not signed in and the requested format is navigational" do
+    request.env["devise.mapping"] = Devise.mappings[:user]
+    delete :destroy
+    assert_equal 302, @response.status
+  end
 end