From 7003a3bd4eb79da6d75839097c30c5ebed013eb4 Mon Sep 17 00:00:00 2001
From: Jelmer Prins
Date: Wed, 23 Mar 2022 12:29:01 +0100
Subject: [PATCH] Reauthenticate when a user password is changed
---
 src/Backend/Core/Engine/Authentication.php | 5 +++++
 src/Backend/Modules/Users/Actions/Edit.php | 10 ++++++++++
 2 files changed, 15 insertions(+)
diff --git a/src/Backend/Core/Engine/Authentication.php b/src/Backend/Core/Engine/Authentication.php
index 58e62d641f..a57599203a 100644
--- a/src/Backend/Core/Engine/Authentication.php
+++ b/src/Backend/Core/Engine/Authentication.php
@@ -436,4 +436,9 @@ public static function tearDown(): void
 self::$allowedModules = [];
 self::$user = null;
 }
+
+ public static function clearUserSessionsForId(int $userId): void
+ {
+ BackendModel::get('database')->delete('users_sessions', 'user_id = ?', $userId);
+ }
 }
diff --git a/src/Backend/Modules/Users/Actions/Edit.php b/src/Backend/Modules/Users/Actions/Edit.php
index 9aca228afc..6d84e3e35f 100644
--- a/src/Backend/Modules/Users/Actions/Edit.php
+++ b/src/Backend/Modules/Users/Actions/Edit.php
@@ -288,6 +288,7 @@ private function validateForm(): void
 // no errors?
 if ($this->form->isCorrect()) {
+ $reAuthenticate = false;
 // build user-array
 $user = ['id' => $this->id];
 if (!$this->user->isGod()) {
@@ -330,6 +331,7 @@ private function validateForm(): void
 // the password has changed
 if ($this->record['password'] != $user['password']) {
+ $reAuthenticate = true;
 // save the login timestamp in the user's settings
 $lastPasswordChange = BackendUsersModel::getSetting($user['id'], 'current_password_change');
 $settings['current_password_change'] = time();
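Review bot: `clearUserSessionsForId` in Authentication.php carries no docblock stating what it invalidates, which matters because it is a public static entry point any backend action can call; add `/** Delete every persisted row in users_sessions for the given user, so logins relying on those rows are invalidated. */` above the signature. The WHERE clause is parameterised rather than interpolated, which is the right shape, but whether the third argument of `delete()` accepts a bare scalar or must be an array depends on the database wrapper, which is not visible in this hunk — worth confirming, since a mismatch would only surface at runtime when a password is changed. The enclosing class closes inside the hunk, so nothing else is affected.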
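Review bot: The new `$reAuthenticate = true;` in the `@@ -330` hunk of Edit.php is gated by the pre-existing loose comparison on the line above it, `$this->record['password'] != $user['password']`, so the logout/re-login added later in validateForm fires whenever that condition is truthy. If `$user['password']` can be absent or non-string when no new password was submitted — its assignment is outside this hunk — the flag would be raised and the later `loginUser()` would be attempted with an empty `new_password` value; a strict `!==` together with an explicit `isset($user['password'])` guard on the trigger would make the intent unambiguous. validateForm starts and continues outside the hunk.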
@@ -389,6 +391,14 @@ private function validateForm(): void BackendGroupsModel::insertMultipleGroups($this->id, $fields['groups']->getChecked()); } + if ($reAuthenticate) { + BackendAuthentication::clearUserSessionsForId($this->id); + if ($this->authenticatedUser->getUserId() == $this->id) { + BackendAuthentication::logout(); + BackendAuthentication::loginUser($this->user->getEmail(), $fields['new_password']->getValue()); + } + } + // can only edit own profile if (!BackendAuthentication::isAllowedAction('Index')) { // everything is saved, so redirect to the edit page
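Review bot: The return value of `BackendAuthentication::loginUser(...)` on the re-login line is discarded, so if that call fails — for example because the same edit also changed the e-mail address, since `$this->user->getEmail()` reads the pre-edit user object — the editing user has already been dropped by `logout()` and the action proceeds to the redirect as if still authenticated. Check the result and send the user to the login page instead of continuing: `if (!BackendAuthentication::loginUser($this->user->getEmail(), $fields['new_password']->getValue())) { /* redirect to login */ }`. The identity check should also be strict, `if ($this->authenticatedUser->getUserId() === $this->id) {`, to avoid loose `==` between whatever types the two ids happen to carry. An alternative worth considering is deleting only the user's other sessions (excluding the current session's id in the WHERE clause), which keeps the current session valid and avoids passing the plaintext password back through the login path, at the cost of a different `clearUserSessionsForId` signature. validateForm continues outside the hunk.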