Kick other sessions when changing password (#13194)

* Kick other session when changing password Invalidate other sessions when a user password gets changed * Don't logout admin users when they change passwords. Cleanup phpstan exceptions * only restore user if needed * comment odd behavior * $current_user typehint
2024-10-07 16:52:45 +00:00 · 2021-10-21 17:25:38 -05:00
parent e4d26c0c09
commit 50cf1a49f1
8 changed files with 21 additions and 75 deletions
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -31,6 +31,7 @@ use App\Models\AuthLog;
 use App\Models\Dashboard;
 use App\Models\User;
 use App\Models\UserPref;
+use Auth;
 use Illuminate\Support\Str;
 use LibreNMS\Authentication\LegacyAuth;
 use LibreNMS\Config;
@@ -168,6 +169,15 @@ class UserController extends Controller
    {
        if ($request->get('new_password') && $user->canSetPassword($request->user())) {
            $user->setPassword($request->new_password);
+            /** @var User $current_user */
+            $current_user = Auth::user();
+            Auth::setUser($user); // make sure new password is loaded, can only logout other sessions for the active user
+            Auth::logoutOtherDevices($request->new_password);
+
+            // when setting the password on another account, restore back to the user's account.
+            if ($current_user->user_id !== $user->user_id) {
+                Auth::setUser($current_user);
+            }
        }

        $user->fill($request->all());
@@ -176,17 +186,15 @@ class UserController extends Controller
            Toastr::success(__('Updated dashboard for :username', ['username' => $user->username]));
        }

-        if ($user->isDirty()) {
-            if ($user->save()) {
-                Toastr::success(__('User :username updated', ['username' => $user->username]));
-            } else {
-                Toastr::error(__('Failed to update user :username', ['username' => $user->username]));
+        if ($user->save()) {
+            Toastr::success(__('User :username updated', ['username' => $user->username]));

-                return redirect()->back();
-            }
+            return redirect(route(Str::contains(URL::previous(), 'preferences') ? 'preferences.index' : 'users.index'));
        }

-        return redirect(route(Str::contains(URL::previous(), 'preferences') ? 'preferences.index' : 'users.index'));
+        Toastr::error(__('Failed to update user :username', ['username' => $user->username]));
+
+        return redirect()->back();
    }

    /**
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -34,7 +34,7 @@ class Kernel extends HttpKernel
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
-            // \Illuminate\Session\Middleware\AuthenticateSession::class,
+            \Illuminate\Session\Middleware\AuthenticateSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,