Fixed issue #19117: [security] Account past their expiration date can…

… be still active (#3524)

application/controllers/admin/Authentication.php

@@ -270,17 +270,8 @@ public function newPassword()
      */
     public function logout()
     {
-        /* Adding beforeLogout event */
-        $beforeLogout = new PluginEvent('beforeLogout');
-        App()->getPluginManager()->dispatchEvent($beforeLogout);
-        regenerateCSRFToken();
         App()->user->logout();
         App()->user->setFlash('loginmessage', gT('Logout successful.'));
-
-        /* Adding afterLogout event */
-        $event = new PluginEvent('afterLogout');
-        App()->getPluginManager()->dispatchEvent($event);
-
         $this->getController()->redirect(array('/admin/authentication/sa/login'));
     }
 

application/core/LSWebUser.php

@@ -25,6 +25,49 @@ public function checkAccess($operation, $params = array(), $allowCaching = true)
         }
     }
 
+    /**
+     * @inheritDoc
+     * Replace auto getter to check if currentb uiser is valid or not
+     */
+    public function getId()
+    {
+        if (empty(parent::getId())) {
+            return parent::getId();
+        }
+        $id = App()->getCurrentUserId();
+        if (empty($id)) {
+            /* If still connected but invalid : logout */
+            $this->logout();
+        }
+        return $id;
+    }
+
+    /**
+     * @inheritDoc
+     * Set id in session too
+     */
+    public function setId($id)
+    {
+        parent::setId($id);
+        \Yii::app()->session['loginID'] = $id;
+    }
+
+    /**
+     * @inheritDoc
+     * Add the specific plugin event and regerenaret CRSF
+     */
+    public function logout($destroySession = true)
+    {
+        /* Adding beforeLogout event */
+        $beforeLogout = new PluginEvent('beforeLogout');
+        App()->getPluginManager()->dispatchEvent($beforeLogout);
+        regenerateCSRFToken();
+        parent::logout($destroySession);
+        /* Adding afterLogout event */
+        $event = new PluginEvent('afterLogout');
+        App()->getPluginManager()->dispatchEvent($event);
+    }
+
     /**
      * @inheritdoc
      * replace by a fixed string

application/core/Traits/LSApplicationTrait.php

@@ -8,7 +8,6 @@
 
 trait LSApplicationTrait
 {
-
     /* @var integer| null the current userId for all action */
     private $currentUserId;
     /**
@@ -18,7 +17,7 @@ trait LSApplicationTrait
      */
     public function getCurrentUserId()
     {
-        if(empty(App()->session['loginID'])) {
+        if (empty(App()->session['loginID'])) {
             /**
              * NULL for guest,
              * null by default for CConsoleapplication, but Permission always return true for console
@@ -31,7 +30,7 @@ public function getCurrentUserId()
         }
         /* use App()->session and not App()->user fot easiest unit test */
         $this->currentUserId = App()->session['loginID'];
-        if ($this->currentUserId && !User::model()->findByPk($this->currentUserId)) {
+        if ($this->currentUserId && !User::model()->active()->findByPk($this->currentUserId)) {
             $this->currentUserId = 0;
         }
         return $this->currentUserId;

application/models/User.php

@@ -941,6 +941,19 @@ public function search()
         ));
     }
 
+    /** @inheritdoc */
+    public function scopes()
+    {
+        return array(
+            'active' => array(
+                'condition' => "expires > :now OR expires IS NULL",
+                'params' => array(
+                    'now' => dateShift(date("Y-m-d H:i:s"), "Y-m-d H:i:s", Yii::app()->getConfig("timeadjust")),
+                )
+            )
+        );
+    }
+
     /**
      * Creates a validation key and saves it in table user for this user.
      *