Logout user on password change, except in the session making the change
brian-kephart committed Oct 12, 2021
1 parent c8fe87c commit 77e31bc
Showing 3 changed files with 32 additions and 5 deletions.
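--- a/app/controllers/camaleon_cms/admin/users_controller.rb
+++ b/app/controllers/camaleon_cms/admin/users_controller.rb
@@ -46,7 +46,22 @@ def update
 # update som ajax requests from profile or user form
 def updated_ajax
 @user = current_site.users.find(params[:user_id])
-render inline: @user.update(params.require(:password).permit!) ? "" : @user.errors.full_messages.join(', ')
+update_session = current_user_is?(@user)
+@user.update(params.require(:password).permit!)
+render inline: @user.errors.full_messages.join(', ')
+# keep user logged in when changing their own password
+update_auth_token_in_cookie @user.auth_token if update_session && @user.saved_change_to_password_digest?
 end
 
+def update_auth_token_in_cookie(token)
+return unless cookie_auth_token_complete?
+current_token = cookie_split_auth_token
+updated_token = [token, *current_token[1..-1]]
+cookies[:auth_token] = updated_token.join("&")
+end
+
+def current_user_is?(user)
+user_auth_token_from_cookie == user.auth_token rescue false
+end
+
 def edit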
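Review bot: `cookies[:auth_token] = updated_token.join("&")` in update_auth_token_in_cookie rewrites the session cookie as a bare value, so any `expires`, `httponly` or `secure` options the login path set on that cookie are not carried over and the rotated cookie can end up weaker than the original (the login code is outside this diff, so confirm what it sets and reuse the same options hash here, e.g. `cookies[:auth_token] = { value: updated_token.join("&"), httponly: true }` plus whatever expiry/secure flags login uses). current_user_is? relies on the `rescue false` modifier to cover a missing cookie, which also hides every other error; since cookie_auth_token_complete? already exists, `return false unless cookie_auth_token_complete?` followed by the plain comparison is clearer and does not mask real failures, and `ActiveSupport::SecurityUtils.secure_compare` would make the token comparison constant-time. Both helpers are added as public methods between two actions with no `private` in view, so Rails treats them as actions unless the routes constrain them; moving them below `private` (or into the session helper) avoids exposing them.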
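--- a/app/helpers/camaleon_cms/session_helper.rb
+++ b/app/helpers/camaleon_cms/session_helper.rb
@@ -120,11 +120,21 @@ def cama_current_user
 @cama_current_user = cama_calc_api_current_user
 return @cama_current_user if @cama_current_user
 
-return nil unless cookies[:auth_token].present?
-c = cookies[:auth_token].split("&")
-return nil unless c.size == 3
+return nil unless cookie_auth_token_complete?
 
-@cama_current_user = current_site.users_include_admins.find_by_auth_token(c[0]).try(:decorate)
+@cama_current_user = current_site.users_include_admins.find_by_auth_token(user_auth_token_from_cookie).try(:decorate)
 end
 
+def cookie_auth_token_complete?
+cookie_split_auth_token&.size == 3
+end
+
+def cookie_split_auth_token
+cookies[:auth_token]&.split("&")
+end
+
+def user_auth_token_from_cookie
+cookie_split_auth_token.first
+end
+
 # check if a visitor was logged in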
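Review bot: user_auth_token_from_cookie raises NoMethodError when no auth_token cookie is present, because cookie_split_auth_token returns nil in that case and `.first` is called on it; the two sibling helpers use safe navigation, so `cookie_split_auth_token&.first` keeps the trio consistent and lets callers outside cama_current_user (which guards with cookie_auth_token_complete? first) use it without a rescue. A short comment on cookie_auth_token_complete? describing the expected three-segment `&`-joined cookie layout would help, since the size check is the only documentation of that format; what the other two segments hold is not visible in this hunk, so state only what is known.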
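--- a/app/models/concerns/camaleon_cms/user_methods.rb
+++ b/app/models/concerns/camaleon_cms/user_methods.rb
@@ -11,6 +11,8 @@ module CamaleonCms::UserMethods extend ActiveSupport::Concern
 before_destroy :reassign_posts
 after_destroy :reassign_comments
 before_create { generate_token(:auth_token) }
+# invaliidate sessions when changing password
+before_update { generate_token :auth_token if will_save_change_to_password_digest? }
 
 # relations
 cama_define_common_relationships('User')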
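Review bot: The added comment has a typo, `# invaliidate sessions when changing password`; `# invalidate cookie sessions (auth_token) when the password changes` would also say which sessions this covers. Rotating auth_token only affects logins resolved through the cookie path; cama_current_user tries cama_calc_api_current_user first, and if API authentication does not derive from auth_token those sessions survive a password change — worth confirming and documenting next to this callback if so. The effectiveness of the invalidation also depends on generate_token producing a fresh unpredictable value, which is outside this hunk.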
