

Reauthenticate when a user password is changed
carakas committed Mar 23, 2022
1 parent 1b38e33 commit 7003a3b
Showing 2 changed files with 15 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/Backend/Core/Engine/Authentication.php
Expand Up @@ -436,4 +436,9 @@ public static function tearDown(): void
self::$allowedModules = [];
self::$user = null;
}

public static function clearUserSessionsForId(int $userId): void
{
BackendModel::get('database')->delete('users_sessions', 'user_id = ?', $userId);
}
}
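Review bot: `clearUserSessionsForId` lands without a doc comment, and its effect (every row in `users_sessions` for that `user_id` is deleted, not just the caller's own session) is what callers most need to know before invoking it. I would add, above the declaration, `/** Invalidates every persisted backend session of the given user (all devices/browsers), e.g. after a password change; the caller is responsible for re-establishing its own session if it is that user. */`. The query is parameterised via the `?` placeholder, so the `$userId` argument is not interpolated, which is the right shape for this lookup.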
10 changes: 10 additions & 0 deletions src/Backend/Modules/Users/Actions/Edit.php
Expand Up @@ -288,6 +288,7 @@ private function validateForm(): void

// no errors?
if ($this->form->isCorrect()) {
$reAuthenticate = false;
// build user-array
$user = ['id' => $this->id];
if (!$this->user->isGod()) {
Expand Down Expand Up @@ -330,6 +331,7 @@ private function validateForm(): void

// the password has changed
if ($this->record['password'] != $user['password']) {
$reAuthenticate = true;
// save the login timestamp in the user's settings
$lastPasswordChange = BackendUsersModel::getSetting($user['id'], 'current_password_change');
$settings['current_password_change'] = time();
Expand Down Expand Up @@ -389,6 +391,14 @@ private function validateForm(): void
BackendGroupsModel::insertMultipleGroups($this->id, $fields['groups']->getChecked());
}

if ($reAuthenticate) {
BackendAuthentication::clearUserSessionsForId($this->id);
if ($this->authenticatedUser->getUserId() == $this->id) {
BackendAuthentication::logout();
BackendAuthentication::loginUser($this->user->getEmail(), $fields['new_password']->getValue());
}
}

// can only edit own profile
if (!BackendAuthentication::isAllowedAction('Index')) {
// everything is saved, so redirect to the edit page
