allow login via private token only for atom feeds

app/controllers/application_controller.rb

@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
   before_filter :authenticate_user!
   before_filter :reject_blocked!
-  before_filter :set_current_user_for_mailer
+  before_filter :set_current_user_for_mailer, :check_token_auth
   protect_from_forgery
   helper_method :abilities, :can?
 
@@ -17,9 +17,16 @@ class ApplicationController < ActionController::Base
 
   protected
 
+  def check_token_auth
+    # Redirect to login page if not atom feed
+    if params[:private_token].present? && params[:format] != 'atom'
+      redirect_to new_user_session_path
+    end
+  end
+
   def reject_blocked!
     if current_user && current_user.blocked
-      sign_out current_user 
+      sign_out current_user
       flash[:alert] = "Your account was blocked"
       redirect_to new_user_session_path
     end

spec/requests/projects_spec.rb

@@ -28,6 +28,13 @@ describe "Projects" do
       visit projects_path(:atom, :private_token => @user.private_token)
       page.body.should have_selector("feed title")
     end
+
+    it "should not render projects page via private token" do
+      logout
+
+      visit projects_path(:private_token => @user.private_token)
+      current_path.should == new_user_session_path
+    end
   end
 
   describe "GET /projects/new" do