jro_apps/redmine Commit - r13049:b519aba63ee0

Expire other sessions on password change (#17796)....

Jean-Baptiste Barth -

r13049:b519aba63ee0

parent child

Context file:

r13049:b519aba63ee0

db/migrate/20140903143914_add_password_changed_at_to_user.rb created 644 +5 0

@@ -0,0 +1,5
	1	class AddPasswordChangedAtToUser < ActiveRecord::Migration
	2	def change
	3	add_column :users, :passwd_changed_on, :datetime
	4	end
	5	end

app/controllers/application_controller.rb +13 -1

                 end
               end
-              before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
+              before_filter :session_expiration, :user_setup, :force_logout_if_password_changed, :check_if_login_required, :check_password_change, :set_localization
               rescue_from ::Unauthorized, :with => :deny_access
               rescue_from ::ActionView::MissingTemplate, :with => :missing_template
                 user
               end
+              def force_logout_if_password_changed
+                passwd_changed_on = User.current.passwd_changed_on || Time.at(0)
+                # Make sure we force logout only for web browser sessions, not API calls
+                # if the password was changed after the session creation.
+                if session[:user_id] && passwd_changed_on.utc.to_i > session[:ctime].to_i
+                  reset_session
+                  set_localization
+                  flash[:error] = l(:error_session_expired)
+                  redirect_to signin_url
+                end
+              end
               def autologin_cookie_name
                 Redmine::Configuration['autologin_cookie_name'].presence || 'autologin'
               end

app/controllers/my_controller.rb +3 0

                     @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
                     @user.must_change_passwd = false
                     if @user.save
+                      # Reset the session creation time to not log out this session on next
+                      # request due to ApplicationController#force_logout_if_password_changed
+                      session[:ctime] = Time.now.utc.to_i
                       flash[:notice] = l(:notice_account_password_updated)
                       redirect_to my_account_path
                     end

app/models/user.rb +1 0

               def salt_password(clear_password)
                 self.salt = User.generate_salt
                 self.hashed_password = User.hash_password("#{salt}#{User.hash_password clear_password}")
+                self.passwd_changed_on = Time.now
               end
               # Does the backend storage allow this user to change their password?

test/functional/my_controller_test.rb +12 0

@@ -185,6 +185,18 class MyControllerTest < ActionController::TestCase
185	assert User.try_to_login('jsmith', 'secret123')	185	assert User.try_to_login('jsmith', 'secret123')
186	end	186	end
187		187
		188	def test_change_password_kills_other_sessions
		189	@request.session[:ctime] = (Time.now - 30.minutes).utc.to_i
		190
		191	jsmith = User.find(2)
		192	jsmith.passwd_changed_on = Time.now
		193	jsmith.save!
		194
		195	get 'account'
		196	assert_response 302
		197	assert flash[:error].match(/Your session has expired/)
		198	end
		199
188	def test_change_password_should_redirect_if_user_cannot_change_its_password	200	def test_change_password_should_redirect_if_user_cannot_change_its_password
189	User.find(2).update_attribute(:auth_source_id, 1)	201	User.find(2).update_attribute(:auth_source_id, 1)
190		202

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages