Non-GET requests that would usually non-ssl-redirect will now respond…

… with HTTP status 426 Conflicts: core/spec/lib/spree/core/controller_helpers/ssl_spec.rb
bsylvain · Oct 11, 2013 · c4a1d53 · c4a1d53
1 parent 9f64227
commit c4a1d53
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/core/config/locales/en.yml b/core/config/locales/en.yml
@@ -1002,6 +1002,8 @@ en:
     special_instructions: Special Instructions
     split: Split
     spree_gateway_error_flash_for_checkout: There was a problem with your payment information. Please check your information and try again.
+    ssl:
+      change_protocol: "Please switch to using HTTP (rather than HTTPS) and retry this request."
     start: Start
     state: State
     state_based: State Based

diff --git a/core/lib/spree/core/controller_helpers/ssl.rb b/core/lib/spree/core/controller_helpers/ssl.rb
@@ -41,14 +41,18 @@ def ssl_allowed?
             # * <tt>host</tt> - Redirect to a different host name
             def force_non_ssl_redirect(host = nil)
               if request.ssl? && !ssl_allowed?
-                redirect_options = {
-                  :protocol => 'http://',
-                  :host     => host || request.host,
-                  :path     => request.fullpath,
-                }
-                flash.keep if respond_to?(:flash)
-                insecure_url = ActionDispatch::Http::URL.url_for(redirect_options)
-                redirect_to insecure_url, :status => :moved_permanently
+                if request.get?
+                  redirect_options = {
+                    :protocol => 'http://',
+                    :host     => host || request.host,
+                    :path     => request.fullpath,
+                  }
+                  flash.keep if respond_to?(:flash)
+                  insecure_url = ActionDispatch::Http::URL.url_for(redirect_options)
+                  redirect_to insecure_url, :status => :moved_permanently
+                else
+                  render :text => Spree.t(:change_protocol, :scope => :ssl), :status => :upgrade_required
+                end
               end
             end
         end

diff --git a/core/spec/lib/spree/core/controller_helpers/ssl_spec.rb b/core/spec/lib/spree/core/controller_helpers/ssl_spec.rb
@@ -4,6 +4,7 @@
   controller do
     include Spree::Core::ControllerHelpers::SSL
     def index; render text: 'index'; end
+    def create; end
     def self.ssl_supported?; true; end
   end
 
@@ -34,6 +35,14 @@ def self.ssl_supported?; true; end
       controller(described_class){ }
       specify{ get(:index).should be_redirect }
     end
+    context 'using a post returns a HTTP status 426' do
+      controller(described_class){ }
+      specify do
+        post(:create)
+        response.body.should == "Please switch to using HTTP (rather than HTTPS) and retry this request."
+        response.status.should == 426
+      end
+    end
   end
 
   describe 'redirect to https' do