archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity
Files
aea624118b70bd57e16290e8c94a01cd4d43cad8
phabricator/src/applications/auth/controller/PhabricatorAuthTerminateSessionController.php
epriestley aea624118b Allow users to terminate login sessions 
Summary:
This is partly a good feature, and partly should reduce false positives on HackerOne reporting things vaguely related to this.

Allow a user to terminate login sessions from the settings panel.

Test Plan:
  - Terminated a session.
  - Terminated all sessions.
  - Tried to terminate all sessions again.
  - Logged in with two browsers, terminated the other browser's session, reloaded, got kicked out.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8556
2014-03-17 15:02:01 -07:00

84 lines
2.2 KiB
PHP
Raw Blame History

<?php
final class PhabricatorAuthTerminateSessionController
extends PhabricatorAuthController {
private $id;
public function willProcessRequest(array $data) {
$this->id = $data['id'];
}
public function processRequest() {
$request = $this->getRequest();
$viewer = $request->getUser();
$is_all = ($this->id === 'all');
$query = id(new PhabricatorAuthSessionQuery())
->setViewer($viewer)
->withIdentityPHIDs(array($viewer->getPHID()));
if (!$is_all) {
$query->withIDs(array($this->id));
}
$current_key = PhabricatorHash::digest(
$request->getCookie(PhabricatorCookies::COOKIE_SESSION));
$sessions = $query->execute();
foreach ($sessions as $key => $session) {
if ($session->getSessionKey() == $current_key) {
// Don't terminate the current login session.
unset($sessions[$key]);
}
}
$panel_uri = '/settings/panel/sessions/';
if (!$sessions) {
$dialog = id(new AphrontDialogView())
->setUser($viewer)
->setTitle(pht('No Matching Sessions'))
->appendParagraph(
pht('There are no matching sessions to terminate.'))
->appendParagraph(
pht(
'(You can not terminate your current login session. To '.
'terminate it, log out.)'))
->addCancelButton($panel_uri);
return id(new AphrontDialogResponse())->setDialog($dialog);
}
if ($request->isDialogFormPost()) {
foreach ($sessions as $session) {
$session->delete();
}
return id(new AphrontRedirectResponse())->setURI($panel_uri);
}
if ($is_all) {
$title = pht('Terminate Sessions?');
$body = pht(
'Really terminate all sessions? (Your current login session will '.
'not be terminated.)');
} else {
$title = pht('Terminate Session?');
$body = pht(
'Really terminate session %s?',
phutil_tag('strong', array(), substr($session->getSessionKey(), 0, 6)));
}
$dialog = id(new AphrontDialogView())
->setUser($viewer)
->setTitle($title)
->appendParagraph($body)
->addSubmitButton(pht('Terminate'))
->addCancelButton($panel_uri);
return id(new AphrontDialogResponse())->setDialog($dialog);
}
}
Reference in New Issue View Git Blame Copy Permalink