From 6a6a943e1be77e31b66baaa5c226d2013b0ab5ed Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Wed, 4 May 2022 13:37:10 -0400
Subject: [PATCH] Clear g.uid and g.user when logging out and if there's no valid session

This is mostly for the benefit of tests, but is also a extra-good hardening measure to make sure that utils.logged_in() is returning the correct value, always.
---
 securedrop/journalist_app/__init__.py | 3 +++
 securedrop/journalist_app/utils.py    | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/securedrop/journalist_app/__init__.py b/securedrop/journalist_app/__init__.py
index dedb01ad58..e4f7195fca 100644
--- a/securedrop/journalist_app/__init__.py
+++ b/securedrop/journalist_app/__init__.py
@@ -132,6 +132,9 @@ def setup_g() -> 'Optional[Response]':
         if uid:
             g.uid = uid  # pylint: disable=assigning-non-slot
             g.user = Journalist.query.get(uid)  # pylint: disable=assigning-non-slot
+        else:
+            g.uid = None
+            g.user = None
 
     i18n.set_locale(config)
 
diff --git a/securedrop/journalist_app/utils.py b/securedrop/journalist_app/utils.py
index b298b522ac..3af0f9ae23 100644
--- a/securedrop/journalist_app/utils.py
+++ b/securedrop/journalist_app/utils.py
@@ -517,6 +517,9 @@ def logout_user(uid: int) -> None:
         sess = session_json_serializer.loads(found.decode())
         if 'uid' in sess and sess['uid'] == uid:
             redis.delete(key)
+    if g.uid == uid:
+        g.uid = None
+        g.user = None
 
 
 def logout_all() -> None:
@@ -524,3 +527,5 @@ def logout_all() -> None:
     for key in (redis.keys(current_app.config['SESSION_KEY_PREFIX'] + "*") +
                 redis.keys("api_" + current_app.config['SESSION_KEY_PREFIX'] + "*")):
         redis.delete(key)
+    g.uid = None
+    g.user = None
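Review bot: The new `else` branch only covers a missing `uid`; when `uid` is present but `Journalist.query.get(uid)` returns `None` (a deleted or otherwise stale account referenced by a surviving session), `g.uid` stays populated while `g.user` is `None`, which is exactly the half-logged-in state this commit says it wants to rule out if `logged_in()` keys off `g.uid`. Consider normalising after the lookup, e.g. `g.user = Journalist.query.get(uid)` followed by `if g.user is None: g.uid = None`. The two added assignments also drop the `# pylint: disable=assigning-non-slot` annotation that the matching lines in the `if` branch carry, so if that check is enabled for `g` the new lines will trip it. Where `uid` comes from and the rest of `setup_g` are outside the hunk, so the stale-account case is inferred rather than confirmed.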
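Review bot: `if g.uid == uid:` reads `g.uid` unconditionally, which raises `AttributeError` whenever `logout_user` runs in a context where `setup_g` has not populated `g` (a request path that skips it, or a call from test or admin code outside a normal request); `if getattr(g, 'uid', None) == uid:` keeps the same behaviour without depending on that. The body of `logout_user` begins before this hunk, so whether `g.uid` is always set by the time this line runs cannot be confirmed from the hunk alone.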
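Review bot: The pair `g.uid = None` / `g.user = None` now appears verbatim in three places (the `else` branch in `setup_g`, the tail of `logout_user`, and the end of `logout_all` here), so any further per-user attribute added to `g` later would have to be cleared at each site separately. A small helper in utils.py, e.g. `def _clear_g_user() -> None:` that assigns both to `None`, called from the three sites, would keep the clearing logic in one place. The start of `logout_all` is outside the hunk.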