Actions
Bug #3625
open[Workbench] API token provided in query string should not be ignored just because the session already has a token.
Story points:
0.5
Release:
Release relationship:
Auto
Description
To reproduce:
- Log in to Workbench.
- Visit any Workbench page ?api_token=123abc (or a valid token).
- The new token is ignored. You're still logged in as if you had never provided an api_token.
- As a bonus, the ?api_token=123abc is displayed in the location bar instead of being redirected away.
- throw away the existing token (if any) in the session
- use the new token from now on, whether or not it's valid
- redirect to the current page without the ?api_token param, to avoid having tokens sitting around in Location bars.
In other words, the presence of session[:arvados_api_token]
should not affect the process we use to copy a token from query string to session.
This may be a simple matter of reversing the order of the Thread and session tests here in ApplicationController.set_thread_api_token
:
if Thread.current[:arvados_api_token]
yield # An API token has already been found - pass it through.
return
elsif setup_user_session
return # A new session was set up and received a response.
end
Actions