From ab95492b1f628785da47cd4c2975b33513957cc7 Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Wed, 7 Dec 2016 00:51:33 +0000
Subject: Merge branch 'destroy-session' into 'security'
Destroy a user session when they delete their own account via browser
This patch destroys a user's session when they delete their own account using a browser. A new session is created as they are redirected to the sign_in page.
Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/25015
See merge request !2042
---
 app/controllers/registrations_controller.rb | 5 ++++-
 changelogs/unreleased/destroy-session.yml | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/destroy-session.yml
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index 3327f4f2b87..c45196cc3e9 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -27,7 +27,10 @@ class RegistrationsController < Devise::RegistrationsController
 DeleteUserService.new(current_user).execute(current_user)
 respond_to do |format|
- format.html { redirect_to new_user_session_path, notice: "Account successfully removed." }
+ format.html do
+ session.try(:destroy)
+ redirect_to new_user_session_path, notice: "Account successfully removed."
+ end
 end
 end
diff --git a/changelogs/unreleased/destroy-session.yml b/changelogs/unreleased/destroy-session.yml
new file mode 100644
index 00000000000..e713e2dc424
--- /dev/null
+++ b/changelogs/unreleased/destroy-session.yml
@@ -0,0 +1,4 @@
+---
+title: Destroy a user's session when they delete their own account
+merge_request:
+author:
-- 
cgit v1.2.3
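Review bot: The session teardown in the `registrations_controller.rb` hunk is tied to the response format rather than to the deletion: `DeleteUserService.new(current_user).execute(current_user)` runs before `respond_to`, but `session.try(:destroy)` only runs inside `format.html`, so a request that negotiates any other format would remove the account and leave the session in place. Calling `session.try(:destroy)` directly after the `DeleteUserService` line, ahead of `respond_to`, would cover every path. It is also worth confirming that destroying the Rack session is sufficient here: if Devise's rememberable module is enabled (not visible from this hunk), the remember-me cookie is normally cleared by Devise's logout hook rather than by session destruction, so `sign_out(current_user)` may be the safer call. A controller spec asserting that a follow-up request carrying the old cookies is unauthenticated would pin the behaviour down. The enclosing action starts above the hunk, so any earlier guard is not visible here.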