Patch by Felix Schäfer. git-svn-id: http://svn.redmine.org/redmine/trunk@21069 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/5.0.0
@@ -47,6 +47,8 @@ class TwofaController < ApplicationController | |||
def activate | |||
if @twofa.confirm_pairing!(params[:twofa_code].to_s) | |||
# The session token was destroyed by the twofa pairing, generate a new one | |||
session[:tk] = @user.generate_session_token | |||
flash[:notice] = l('twofa_activated', bc_path: my_twofa_backup_codes_init_path) | |||
redirect_to my_account_path | |||
else |
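Review bot: The added comment on the `session[:tk]` line says the token was destroyed by the pairing but not where. Judging from the `User#destroy_tokens` hunk, this happens in a model callback once `twofa_scheme` is saved, which a reader of this controller cannot see. I would name it, e.g. `# User#destroy_tokens deletes every session token when 2FA is enabled; issue a fresh one so this browser stays logged in`. Since the behaviour depends on that callback, a functional test should assert that the user is still logged in after `activate` and that a session opened earlier elsewhere is rejected. The body of `activate` continues past the end of the hunk.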
@@ -919,7 +919,7 @@ class User < Principal | |||
# This helps to keep the account secure in case the associated email account | |||
# was compromised. | |||
def destroy_tokens | |||
if saved_change_to_hashed_password? || (saved_change_to_status? && !active?) | |||
if saved_change_to_hashed_password? || (saved_change_to_status? && !active?) || (saved_change_to_twofa_scheme? && twofa_scheme.present?) | |||
tokens = ['recovery', 'autologin', 'session'] | |||
Token.where(:user_id => id, :action => tokens).delete_all | |||
end |
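Review bot: The comment above `destroy_tokens` still justifies the deletion only by a compromised email account, while the new condition also fires when a 2FA scheme is set. It should say so, for example `# Tokens are also deleted when two-factor authentication is enabled, so sessions opened before 2FA was active do not outlive the change.` Because of `twofa_scheme.present?`, turning 2FA off leaves existing recovery, autologin and session tokens valid. If that is deliberate, a word in the comment would help; otherwise dropping the `present?` test would revoke them on that change too, and the disabling action would then presumably need to reissue the session token as `activate` does. The comment block starts before the hunk and the method's closing `end` lies after it.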