From 98ed38302aba551d93cf4088df02b468b0c61e01 Mon Sep 17 00:00:00 2001
From: Ritchie Martori
Date: Tue, 17 Dec 2013 21:22:05 -0800
Subject: [PATCH] Logout now automatically pulls the accessToken from the request
---
 lib/models/user.js | 8 +++++++-
 test/access-control.integration.js | 3 ++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/lib/models/user.js b/lib/models/user.js
index e378f6a6..4762c0c8 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -356,7 +356,13 @@ User.setup = function () {
 UserModel.logout,
 {
 accepts: [
- {arg: 'sid', type: 'string', required: true}
+ {arg: 'access_token', type: 'string', required: true, http: function(ctx) {
+ var req = ctx && ctx.req;
+ var accessToken = req && req.accessToken;
+ var tokenID = accessToken && accessToken.id;
+
+ return tokenID;
+ }}
 ],
 http: {verb: 'all'}
 }
diff --git a/test/access-control.integration.js b/test/access-control.integration.js
index 07cd6a5a..b6a22ba8 100644
--- a/test/access-control.integration.js
+++ b/test/access-control.integration.js
@@ -68,9 +68,10 @@ describe('access control - integration', function () {
 lt.it.shouldBeDeniedWhenCalledByUser(CURRENT_USER,'GET', urlForUser);
 lt.it.shouldBeAllowedWhenCalledAnonymously('POST', '/api/users');
- lt.it.shouldBeAllowedWhenCalledUnauthenticated('POST', '/api/users');
 lt.it.shouldBeAllowedWhenCalledByUser(CURRENT_USER, 'POST', '/api/users');
+ lt.it.shouldBeAllowedWhenCalledByUser(CURRENT_USER, 'POST', '/api/users/logout');
+
 lt.describe.whenCalledRemotely('DELETE', '/api/users', function() {
 lt.it.shouldNotBeFound();
 });
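Review bot: The `http` resolver added for `access_token` returns `undefined` whenever `ctx.req.accessToken` is not set (no token on the request, or the token middleware not mounted), and nothing in this hunk shows what happens next. The argument stays `required: true`, so the outcome depends on how the remoting layer and `UserModel.logout` treat a missing id; `logout` is defined outside the hunk, so confirm it fails with an explicit error rather than reporting success without deleting a token. Taking the id from the token already resolved for the request, instead of a separately supplied `sid`, is the security-relevant point and deserves a comment above the resolver, e.g. `// Token id comes from the token resolved for this request, not from a client-supplied id.` The context line `http: {verb: 'all'}` also leaves this state-changing route reachable by GET; restricting it to POST may be worth a follow-up.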
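Review bot: The added `shouldBeAllowedWhenCalledByUser(CURRENT_USER, 'POST', '/api/users/logout')` covers only the authenticated path; there is no case for a request that carries no access token, which is exactly where the new resolver in lib/models/user.js yields no id. Add an anonymous or unauthenticated call to `/api/users/logout` that asserts the intended status, so that behaviour is pinned by a test. The hunk also removes `shouldBeAllowedWhenCalledUnauthenticated('POST', '/api/users')` without a word in the commit message; if the removal is intentional, say why, since it drops coverage of unauthenticated user creation. The enclosing `describe` block starts and ends outside the hunk.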