# HG changeset patch
# User Adam Chlipala <adam@chlipala.net>
# Date 1312898020 14400
# Node ID 9f392276d61496a2db3319b2a7a0c863c7403c19
# Parent  748dd8a2e3a2ee58c46ae4cb8b9fb5cae7a30647
Graceful handling of OpenID providers that log the user in as the wrong identifier

diff -r 748dd8a2e3a2 -r 9f392276d614 src/ur/openidUser.ur
--- a/src/ur/openidUser.ur	Wed Aug 03 08:17:21 2011 -0400
+++ b/src/ur/openidUser.ur	Tue Aug 09 09:53:40 2011 -0400
@@ -92,6 +92,9 @@
             else
                 currentUrl
 
+    val wrongUser =
+        error <xml>Session not authorized to act as user.  Did your OpenID provider log you in as a different user than you expected?  Try logging out at your provider first, then <a href={M.afterLogout}>return to the home page</a>.</xml>
+
     fun current' tweakSession =
         login <- getCookie auth;
         case login of
@@ -112,7 +115,8 @@
                      tweakSession login.Session;
                      return (Some login.User)
                  else
-                     error <xml>Session not authorized to act as user</xml>)
+                     clearCookie auth;
+                     redirect (url wrongUser))
           | _ => return None
 
     val current = current' (fn _ => return ())
diff -r 748dd8a2e3a2 -r 9f392276d614 tests/utest.ur
--- a/tests/utest.ur	Wed Aug 03 08:17:21 2011 -0400
+++ b/tests/utest.ur	Tue Aug 09 09:53:40 2011 -0400
@@ -8,7 +8,7 @@
                                   val secureCookies = False
                                   val association = Openid.Stateful {AssociationType = Openid.HMAC_SHA256,
                                                                      AssociationSessionType = Openid.NoEncryption}
-                                  val realm = None
+                                  val realm = Some "http://localhost:8080/"
 
                                   val creationState =
                                       n <- source "";