From: Go MAEDA
Date: Sat, 22 Jan 2022 04:04:05 +0000 (+0000)
Subject: Update session token only once per minute (#29041).
X-Git-Tag: 5.0.0~98
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=8bb06c04ba9f094ba72d6a906d5df921da64647d;p=redmine.git

Update session token only once per minute (#29041).

Patch by Pavel Rosický.

git-svn-id: http://svn.redmine.org/redmine/trunk@21376 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/models/user.rb b/app/models/user.rb
index 25530541e..8c190374f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -469,7 +469,14 @@ class User < Principal
     if Setting.session_timeout?
       scope = scope.where("updated_on > ?", Setting.session_timeout.to_i.minutes.ago)
     end
-    scope.update_all(:updated_on => Time.now) == 1
+    last_updated = scope.maximum(:updated_on)
+    if last_updated.nil?
+      false
+    elsif last_updated <= 1.minute.ago
+      scope.update_all(:updated_on => Time.now) == 1
+    else
+      true
+    end
   end
 
   # Return an array of project ids for which the user has explicitly turned mail notifications on
diff --git a/test/functional/sessions_controller_test.rb b/test/functional/sessions_controller_test.rb
index bc9d1d99a..8640c1ee4 100644
--- a/test/functional/sessions_controller_test.rb
+++ b/test/functional/sessions_controller_test.rb
@@ -45,6 +45,19 @@ class SessionsControllerTest < Redmine::ControllerTest
     assert token.updated_on > created
   end
 
+  def test_session_token_should_be_updated_only_once_per_minute
+    token = Token.create!(:user_id => 2, :action => 'session', :created_on => 1.second.ago, :updated_on => 1.second.ago)
+    updated = token.reload.updated_on
+
+    get :index, :session => {
+      :user_id => 2,
+      :tk => token.value
+    }
+    assert_response :success
+    token.reload
+    assert_equal updated.to_i, token.updated_on.to_i
+  end
+
   def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled
     created = 2.years.ago
     token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
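Review bot: The new `elsif last_updated <= 1.minute.ago` branch interacts badly with the `Setting.session_timeout` filter two lines above it: that scope only admits tokens with `updated_on` newer than `session_timeout.minutes.ago`, so whenever the configured timeout is one minute or less a token can never be old enough to be refreshed while still matching, and an actively used session would expire a minute after its last write rather than being kept alive as the old `update_all` line did. If the setting's lowest selectable value is above one minute this is unreachable, but that guarantee lives outside this hunk, so either document the assumption or skip the throttle when `Setting.session_timeout.to_i <= 1`. A smaller point is that the `else` branch now answers `true` from a read alone, where the old code only succeeded when exactly one row was written; a token revoked before the next request is still rejected by the scope filter, so verification is unaffected, but the comment should say so. I would also hoist the literal into a named constant such as `SESSION_TOKEN_REFRESH_INTERVAL = 1.minute` with the comment `# throttle writes to tokens.updated_on; the recorded activity time may lag real activity by up to this interval`. The enclosing method begins before this hunk.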
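Review bot: The new test pins only the suppressed-write path; nothing in this hunk asserts that a token whose `updated_on` is older than the throttle window is still refreshed, so a regression that never writes `updated_on` (for example a flipped comparison) would still pass it, and whether the preceding test, which starts outside this hunk, uses a stale enough `updated_on` to cover that cannot be seen here. A companion case that creates the token with `:updated_on => 2.minutes.ago` and asserts `assert token.updated_on.to_i > updated.to_i` after the request would pin both sides of the threshold. The `.to_i` on the final `assert_equal` is presumably there to avoid sub-second precision differences between Ruby and the database; a short comment such as `# compare at second precision to ignore fractional-second storage differences` would make that intent explicit.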