FIX: Do not allow revoking the token of current session. (#6472)

* FIX: Do not allow revoking the token of current session.

* DEV: Add getter of current auth_token from Guardian.
Bianca Nenciu
2018-10-12 02:40:48 +03:00
committed by Sam
parent e68ecf1f1d
commit 048cdfbcfa
5 changed files with 28 additions and 16 deletions


@ -1119,7 +1119,10 @@ class UsersController < ApplicationController
user = fetch_user_from_params
guardian.ensure_can_edit!(user)
if !SiteSetting.log_out_strict && params[:token_id]
if params[:token_id]
token = UserAuthToken.find_by(id: params[:token_id], user_id: user.id)
# The user should not be able to revoke the auth token of current session.
raise Discourse::NotFound if guardian.auth_token == token.auth_token
UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)
else
UserAuthToken.where(user_id: user.id).each(&:destroy!)