Auth: Delete user sessions after a permission level change #3512

Signed-off-by: Michael Mayer <michael@photoprism.app>
This commit is contained in:
Michael Mayer 2023-07-18 16:38:10 +02:00
parent 44603857fa
commit 7b9b2ae0c6
2 changed files with 15 additions and 5 deletions

View file

@ -78,11 +78,13 @@ func UpdateUser(router *gin.RouterGroup) {
// Log event.
event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "updated"}, s.RefID)
// Delete sessions after privilege level change.
if s.User().UserUID != m.UID() && isPrivileged {
// Delete user sessions after a permission level change.
// see https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
if isPrivileged {
// Prevent the current session from being deleted.
deleted := m.DeleteSessions([]string{s.ID})
event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "invalidated %s"}, s.RefID,
english.Plural(m.DeleteSessions(nil), "session", "sessions"))
english.Plural(deleted, "session", "sessions"))
}
// Clear the session cache.

View file

@ -740,8 +740,16 @@ func (m *User) DeleteSessions(omit []string) (deleted int) {
return 0
}
// Compose update statement.
stmt := Db()
// Find all user sessions except the session ids passed as argument.
stmt := Db().Where("user_uid = ? AND id NOT IN (?)", m.UserUID, omit)
if len(omit) == 0 {
stmt = stmt.Where("user_uid = ?", m.UserUID)
} else {
stmt = stmt.Where("user_uid = ? AND id NOT IN (?)", m.UserUID, omit)
}
sess := Sessions{}
if err := stmt.Find(&sess).Error; err != nil {