
Miks Kalniņš committed 690fdcf

Fix for bug #184 and related user login issues.

  • Parent commits 25f390d


Files changed (4)

File MoinMoin/apps/frontend/views.py

                           )
 
 
-def _logout():
-    for key in ['user.itemid', 'user.trusted', 'user.auth_method', 'user.auth_attribs', ]:
-        if key in session:
-            del session[key]
-
-
 @frontend.route('/+logout')
 def logout():
     flash(_("You are now logged out."), "info")
-    _logout()
+    flaskg.user.logout_session()
     return redirect(url_for('.show_root'))
 
 
                             # send verification mail
                             is_ok, msg = flaskg.user.mail_email_verification()
                             if is_ok:
-                                _logout()
-                                flaskg.user.save()
+                                flaskg.user.logout_session()
                                 response['flash'].append((_('Your account has been disabled because you changed your email address. Please see the email we sent to your address to reactivate it.'), "info"))
                                 response['redirect'] = url_for('.show_root')
                             else:
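Review bot: The `flaskg.user.save()` that was removed after the email-change logout has no replacement, and the new `logout_session()` (MoinMoin/user.py in this commit) calls `generate_session_token(False)`, i.e. with `save` disabled, so unless the profile is persisted later on this path the regenerated token is discarded and sessions in other browsers keep validating against the key still stored in the profile; the `/+logout` route has the same dependency. If the all-browsers variant is meant to be self-contained, `self.save()` belongs inside `logout_session()` when `all_browsers` is true; otherwise keep the explicit save at this call site. The body of `generate_session_token` is outside the hunk, so this assumes its `save` parameter controls profile persistence.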

File MoinMoin/auth/__init__.py

                                 trusted=trusted)
             if userobj.valid and not userobj.validate_session(session_token):
                 logging.debug("session token doesn't validate")
+                # Destroy current session since it's no longer valid.
+                userobj.logout_session(False)
+                # We didn't find user in session data.
                 userobj = None
     logging.debug("session started for user {0!r}".format(userobj))
     return userobj
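Review bot: The added comment `# We didn't find user in session data.` misdescribes the branch: the user was found, but the session token failed `validate_session`, which is why `logout_session(False)` clears the session keys. Suggest replacing the two added comments with `# Session token failed validation: drop the stale session keys and return no user.`. Passing `False` here leaves the stored key untouched, so only this browser's session is cleared, which is the appropriate scope since a mismatched token does not indicate the other sessions are invalid. The enclosing function starts outside the hunk.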

File MoinMoin/user.py

 
     # Sessions ---------------------------------------------------
 
+    def logout_session(self, all_browsers=True):
+        """ Terminate session in all browsers unless all_browsers is set to False """
+        if all_browsers:
+            self.generate_session_token(False)
+
+        for key in ['user.itemid', 'user.trusted', 'user.auth_method', 'user.auth_attribs', 'user.session_token', ]:
+            if key in session:
+                del session[key]
+
     def generate_session_token(self, save=True):
         """ Generate new session token and key pair. Used to validate sessions. """
         key, token = generate_token()
 
     def validate_session(self, token):
         """ Check if the session token is valid. """
-        return valid_token(self.profile[SESSION_KEY], token)
+        # Ignore timeout, it's already handled by session cookie and session key should never timeout.
+        return valid_token(self.profile[SESSION_KEY], token, None)
 
     # Account verification / Password recovery -------------------------------
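Review bot: `validate_session` now passes `None` as the timeout, so a token is never rejected for age, but its docstring `""" Check if the session token is valid. """` does not say so and a reader may assume expiry still applies. Suggest `""" Check if the session token is valid. Tokens carry no expiry of their own (timeout=None): the session cookie bounds their lifetime, and a token is revoked only by regenerating the stored key, e.g. logout_session(all_browsers=True). """`. Relatedly, `logout_session` documents terminating sessions in all browsers but regenerates the key with `save=False` and never saves the profile itself, so its docstring should state that the caller is responsible for persisting the profile, assuming `save` controls persistence (the body of `generate_session_token` is outside the hunk).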
 

File MoinMoin/util/crypto.py

 
     :param key: give the secret key to verify the token
     :param token: the token to verify
+    :param timeout: timeout seconds, set to None to ignore timeout
     :rtype: bool
     :returns: token is valid and not timed out
     """
         stamp = int(parts[0])
     except ValueError:
         return False
-    if stamp + timeout < time.time():
+    if timeout and stamp + timeout < time.time():
         return False
     expected_token = generate_token(key, stamp)[1]
     return token == expected_token
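Review bot: `if timeout and stamp + timeout < time.time():` treats `timeout=0` the same as `None`, so a zero timeout now means "never expires" where before this change it meant "already expired"; the added docstring line says only `None` disables the check. Use `if timeout is not None and stamp + timeout < time.time():` so that `0` keeps its strict meaning and only `None` opts out. The start of `valid_token`, including the default for `timeout`, is outside the hunk.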