Auth: Delete user sessions after a permission level change #3512
Signed-off-by: Michael Mayer <michael@photoprism.app>
This commit is contained in:
parent
44603857fa
commit
7b9b2ae0c6
2 changed files with 15 additions and 5 deletions
|
@ -78,11 +78,13 @@ func UpdateUser(router *gin.RouterGroup) {
|
|||
// Log event.
|
||||
event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "updated"}, s.RefID)
|
||||
|
||||
// Delete sessions after privilege level change.
|
||||
if s.User().UserUID != m.UID() && isPrivileged {
|
||||
// Delete user sessions after a permission level change.
|
||||
// see https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
|
||||
if isPrivileged {
|
||||
// Prevent the current session from being deleted.
|
||||
deleted := m.DeleteSessions([]string{s.ID})
|
||||
event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "invalidated %s"}, s.RefID,
|
||||
english.Plural(m.DeleteSessions(nil), "session", "sessions"))
|
||||
english.Plural(deleted, "session", "sessions"))
|
||||
}
|
||||
|
||||
// Clear the session cache.
|
||||
|
|
|
@ -740,8 +740,16 @@ func (m *User) DeleteSessions(omit []string) (deleted int) {
|
|||
return 0
|
||||
}
|
||||
|
||||
// Compose update statement.
|
||||
stmt := Db()
|
||||
|
||||
// Find all user sessions except the session ids passed as argument.
|
||||
stmt := Db().Where("user_uid = ? AND id NOT IN (?)", m.UserUID, omit)
|
||||
if len(omit) == 0 {
|
||||
stmt = stmt.Where("user_uid = ?", m.UserUID)
|
||||
} else {
|
||||
stmt = stmt.Where("user_uid = ? AND id NOT IN (?)", m.UserUID, omit)
|
||||
}
|
||||
|
||||
sess := Sessions{}
|
||||
|
||||
if err := stmt.Find(&sess).Error; err != nil {
|
||||
|
|
Loading…
Reference in a new issue