
NikitaUtiu committed 7068e33

added session invalidation

  • Parent commits e885cf1


Files changed (3)

         # TODO: auth_trusted should be set by the auth method (auth class
         # could have a param where the admin could tell whether he wants to
         # trust it)
+        if 'user.secret' in session and userobj.secret != session['user.secret']:
+            if 'user.id' in session:
+                del session['user.id']  # log the user out if the session was invalidated
+            del session['user.secret']
+            return user.User(auth_method='invalid')
+        session['user.secret'] = userobj.secret
+        
         userobj.auth_trusted = userobj.auth_method in app.cfg.auth_methods_trusted
         session['user.itemid'] = userobj.itemid
         session['user.auth_method'] = userobj.auth_method
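Review bot: The invalidation path's `del session['user.id']` removes a key that nothing in this hunk sets, while the identity key actually written in the context below, `session['user.itemid']`, is left in place, so a session whose secret no longer matches keeps its itemid after being marked invalid; presumably the delete should target `'user.itemid'` (and `'user.auth_method'`), e.g. `for key in ('user.itemid', 'user.auth_method', 'user.secret'): session.pop(key, None)`. That is inferred from the three context lines below; if another code path stores `'user.id'`, the comment on that line should say so. Separately, the check is only as strong as `userobj.secret`, which this commit seeds with `random_string(12)` elsewhere — worth confirming that helper draws from a CSPRNG, and that a user record without a persisted secret does not get a fresh value on every load, which would log that user out on every request. The enclosing function starts before this hunk.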

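--- a/MoinMoin/apps/frontend/views.py
+++ b/MoinMoin/apps/frontend/views.py
             success = True
             if part == 'password':
                 flaskg.user.enc_password = crypto.crypt_password(form['password1'].value)
+                flaskg.user.invalidateSessions()
                 flaskg.user.save()
-                flash(_("Your password has been changed."), "info")
+                flash(_("Your password has been changed. You need to relog."), "info")
+                return redirect(url_for('.usersettings'))
             else:
                 if part == 'personal':
                     if form['openid'].value != flaskg.user.openid and user.search_users(openid=form['openid'].value):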
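Review bot: The early `return redirect(url_for('.usersettings'))` in the password branch bypasses whatever the handler does after the `if part == 'password'` / `else` split, which lies outside this hunk; the `success = True` set just above suggests there is a shared tail, so if it carries the generic success handling it is now skipped for password changes, and the reason for the early exit deserves a comment, e.g. `# the current session's secret is now stale; leave before rendering with the old identity`. The new message `_("Your password has been changed. You need to relog.")` uses non-standard wording; `"Please log in again."` reads better. Note that the rotated secret only reaches other sessions through the `flaskg.user.save()` on the following line, so the order of `invalidateSessions()` and `save()` must be kept. The enclosing view function starts before this hunk.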
 from MoinMoin.i18n import _, L_, N_
 from MoinMoin.util.interwiki import getInterwikiHome, getInterwikiName, is_local_wiki
 from MoinMoin.util.crypto import crypt_password, upgrade_password, valid_password, \
-                                 generate_token, valid_token, make_uuid
+                                 generate_token, valid_token, make_uuid, random_string
 from MoinMoin.storage.error import NoSuchItemError, ItemAlreadyExistsError, NoSuchRevisionError
 
 
         """
         self._user_backend = get_user_backend()
 
+        self.secret = random_string(12)
+
         self._cfg = app.cfg
         self.valid = 0
         self.itemid = uid
             from MoinMoin.security import Default
             self.may = Default(self)
 
+    def invalidateSessions(self):
+        self.secret = random_string(12)
+
     def __repr__(self):
         return "<{0}.{1} at {2:#x} name:{3!r} itemid:{4!r} valid:{5!r}>".format(
             self.__class__.__module__, self.__class__.__name__, id(self),