authorJean-Baptiste Barth <jeanbaptiste.barth@gmail.com>2014-09-16 21:38:54 +0000
committerJean-Baptiste Barth <jeanbaptiste.barth@gmail.com>2014-09-16 21:38:54 +0000
commitb519aba63ee0043ffd60f9002fc236f717d9f172 (patch)
tree4e8a47e052704bc97318550c316138c2c3977d87 /app/controllers/application_controller.rb
parente632a79d59fc90ef0076f741f16b84fb689b99df (diff)
Expire other sessions on password change (#17796).
Contributed by Jan Schulz-Hofen. git-svn-id: http://svn.redmine.org/redmine/trunk@13412 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r--app/controllers/application_controller.rb14
1 files changed, 13 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e70f1602c..e8f3565ee 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -49,7 +49,7 @@ class ApplicationController < ActionController::Base
end
end
- before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
+ before_filter :session_expiration, :user_setup, :force_logout_if_password_changed, :check_if_login_required, :check_password_change, :set_localization
rescue_from ::Unauthorized, :with => :deny_access
rescue_from ::ActionView::MissingTemplate, :with => :missing_template
@@ -145,6 +145,18 @@ class ApplicationController < ActionController::Base
user
end
+ def force_logout_if_password_changed
+ passwd_changed_on = User.current.passwd_changed_on || Time.at(0)
+ # Make sure we force logout only for web browser sessions, not API calls
+ # if the password was changed after the session creation.
+ if session[:user_id] && passwd_changed_on.utc.to_i > session[:ctime].to_i
+ reset_session
+ set_localization
+ flash[:error] = l(:error_session_expired)
+ redirect_to signin_url
+ end
+ end
+
def autologin_cookie_name
Redmine::Configuration['autologin_cookie_name'].presence || 'autologin'
end
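Review bot: The comparison in `force_logout_if_password_changed` treats a session with no `:ctime` as 0, because `nil.to_i` is 0, so any logged-in user whose `passwd_changed_on` is set gets logged out on the first request after this ships; that is a reasonable fail-closed outcome for sessions created before the timestamp existed, but it is not obvious from the code and deserves a comment such as `# A session without :ctime (created before this check existed) compares as 0 and is expired on first use — intentionally fail-closed.`. The comparison is also second-granular and uses `>`, so a session created in the same second the password was changed is kept; if `:ctime` is not refreshed for the session that performs the change, confirm that is the intended outcome. Note that `reset_session` only clears the server-side session: if the browser still holds an autologin cookie (see `autologin_cookie_name` just below), the user could be re-authenticated on the next request unless the autologin tokens are invalidated on password change elsewhere in the model, which this hunk does not show — worth verifying. Lastly, `User.current.passwd_changed_on` is evaluated before the `session[:user_id]` guard; reordering to check the session first would avoid the lookup on API and anonymous requests.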