From 455778d138ea623d224c9206e5001fd2a1fd7e1c Mon Sep 17 00:00:00 2001
From: Tres Seaver <tseaver@palladion.com>
Date: Tue, 31 May 2016 19:35:57 +0200
Subject: [PATCH] middleware: Avoid passing extracted 'identity' to 'remember' during egress.

---
 repoze/who/tests/test_middleware.py |   34 ++++++++++++++++++++++++++++++++++
 1 files changed, 34 insertions(+), 0 deletions(-)

diff --git a/repoze/who/tests/test_middleware.py b/repoze/who/tests/test_middleware.py
index b79998d..f53e81a 100644
--- a/repoze/who/tests/test_middleware.py
+++ b/repoze/who/tests/test_middleware.py
@@ -224,6 +224,29 @@
         self.assertEqual(start_response.status, '200 OK')
         self.assertEqual(start_response.headers, headers)
 
+    def test_call_200_no_challengers_app_calls_forget(self):
+        # See https://github.com/repoze/repoze.who/issues/21
+        environ = self._makeEnviron()
+        remember_headers = [('remember', '1')]
+        forget_headers = [('forget', '1')]
+        app = DummyLogoutApp('200 OK')
+        credentials = {'login':'chris', 'password':'password'}
+        identifier = DummyIdentifier(
+            credentials,
+            remember_headers=remember_headers,
+            forget_headers=forget_headers)
+        identifiers = [ ('identifier', identifier) ]
+        authenticator = DummyAuthenticator()
+        authenticators = [ ('authenticator', authenticator) ]
+        mw = self._makeOne(
+            app=app, identifiers=identifiers, authenticators=authenticators)
+        start_response = DummyStartResponse()
+        result = mw(environ, start_response)
+        self.assertEqual(mw.app.environ, environ)
+        self.assertEqual(result, ['body'])
+        self.assertEqual(start_response.status, '200 OK')
+        self.assertEqual(start_response.headers, forget_headers)
+
     def test_call_401_no_identifiers(self):
         from webob.exc import HTTPUnauthorized
         environ = self._makeEnviron()
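Review bot: In `test_call_200_no_challengers_app_calls_forget` the only statement of what is being guarded is the issue URL, so the invariant is not readable from the file: once the downstream app has called `api.logout()`, egress must emit only the forget headers and must not add `remember_headers`, or the logout response would re-issue the credential it just revoked. I would add a comment such as `# After the app logs out, egress must not call remember(): that would undo the logout.` above the setup. The final `assertEqual(start_response.headers, forget_headers)` does catch a regression through list equality, but an explicit `self.assertFalse(('remember', '1') in start_response.headers)` would fail with a clearer message. The test only exercises the remember path if `DummyAuthenticator()` accepts the extracted credentials; that class is defined outside this hunk, so this is worth confirming.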
@@ -607,6 +630,17 @@
         start_response(self.status, self.headers)
         return ['body']
 
+class DummyLogoutApp(object):
+    def __init__(self, status):
+        self.status = status
+
+    def __call__(self, environ, start_response):
+        self.environ = environ
+        api = environ['repoze.who.api']
+        headers = api.logout()
+        start_response(self.status, headers)
+        return ['body']
+
 class DummyGeneratorApp(object):
     def __init__(self, status, headers):
         self.status = status
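Review bot: `DummyLogoutApp` has no docstring, and its role only becomes clear after reading the test that uses it. A one-line docstring such as `"""WSGI app that logs out via environ['repoze.who.api'] and sends the returned headers as its response headers."""` would document that. It would also make explicit that the dummy depends on the middleware having placed the API object in `environ` before calling the app; if the key is missing, `__call__` fails with a bare `KeyError` rather than a test assertion.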

--
Gitblit v1.9.3