Clear g.uid and g.user when logging out and if there's no valid session

This is mostly for the benefit of tests, but is also a extra-good hardening measure to make sure that utils.logged_in() is returning the correct value, always.
freedomofpress · May 4, 2022 · 6a6a943 · 6a6a943
1 parent c86fb99
commit 6a6a943
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/securedrop/journalist_app/__init__.py b/securedrop/journalist_app/__init__.py
@@ -132,6 +132,9 @@ def setup_g() -> 'Optional[Response]':
             if uid:
                 g.uid = uid  # pylint: disable=assigning-non-slot
                 g.user = Journalist.query.get(uid)  # pylint: disable=assigning-non-slot
+            else:
+                g.uid = None
+                g.user = None
 
         i18n.set_locale(config)
 

diff --git a/securedrop/journalist_app/utils.py b/securedrop/journalist_app/utils.py
@@ -517,10 +517,15 @@ def logout_user(uid: int) -> None:
             sess = session_json_serializer.loads(found.decode())
             if 'uid' in sess and sess['uid'] == uid:
                 redis.delete(key)
+    if g.uid == uid:
+        g.uid = None
+        g.user = None
 
 
 def logout_all() -> None:
     redis = Redis()
     for key in (redis.keys(current_app.config['SESSION_KEY_PREFIX'] + "*") +
                 redis.keys("api_" + current_app.config['SESSION_KEY_PREFIX'] + "*")):
         redis.delete(key)
+    g.uid = None
+    g.user = None