author | Go MAEDA <maeda@farend.jp> | 2021-07-17 07:39:51 +0000 |
committer | Go MAEDA <maeda@farend.jp> | 2021-07-17 07:39:51 +0000 |
commit | ee0d822517154878a2ad33be66b820c6b68d077b (patch) | |
tree | a7260cd739f30a482dd494efdc04f0604b9af9ff | |
parent | ac4d1ce47052442dba0eefc10beceb90d2f062f4 (diff) | |
Merged r21069 from trunk to 4.2-stable (#35417).
git-svn-id: http://svn.redmine.org/redmine/branches/4.2-stable@21070 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/controllers/twofa_controller.rb | 2 | ||||
-rw-r--r-- | app/models/user.rb | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/app/controllers/twofa_controller.rb b/app/controllers/twofa_controller.rb
index 058388907..87f65e826 100644
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -47,6 +47,8 @@ class TwofaController < ApplicationController
 def activate
 if @twofa.confirm_pairing!(params[:twofa_code].to_s)
+ # The session token was destroyed by the twofa pairing, generate a new one
+ session[:tk] = @user.generate_session_token
 flash[:notice] = l('twofa_activated', bc_path: my_twofa_backup_codes_init_path)
 redirect_to my_account_path
 else
diff --git a/app/models/user.rb b/app/models/user.rb
index b25bab926..a2d2e61e6 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -916,7 +916,7 @@ class User < Principal
 # This helps to keep the account secure in case the associated email account
 # was compromised.
 def destroy_tokens
- if saved_change_to_hashed_password? || (saved_change_to_status? && !active?)
+ if saved_change_to_hashed_password? || (saved_change_to_status? && !active?) || (saved_change_to_twofa_scheme? && twofa_scheme.present?)
 tokens = ['recovery', 'autologin', 'session']
 Token.where(:user_id => id, :action => tokens).delete_all
 end
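Review bot: The new `destroy_tokens` condition in user.rb and the `session[:tk] = @user.generate_session_token` line in twofa_controller.rb depend on each other, but neither side says so: revoking every 'session' token when `twofa_scheme` is set will log out the very request that just enabled 2FA unless the caller reissues a token, which is why the controller hunk exists. I would extend the method comment above `destroy_tokens` with `# Tokens are also revoked when two-factor authentication is enabled, so that sessions established without the second factor do not survive; a caller that changes twofa_scheme while logged in must issue a fresh session token (see TwofaController#activate).` and sharpen the controller comment to `# User#destroy_tokens revokes all session tokens when twofa_scheme is set; issue a new one so the current login survives`. Note that the revocation is guarded by `twofa_scheme.present?`, so disabling 2FA leaves existing autologin and session tokens in place — presumably intended, but worth stating in the comment since it is a policy choice. Any other code path that sets `twofa_scheme` for the current user would need the same token regeneration; those paths are outside this diff, so I cannot confirm whether they exist. The rest of `activate` (the `else` branch) and the surrounding class bodies lie outside the hunks.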