Check user is still valid on session validity check
cedric-anne authored and trasher committed Nov 3, 2022
1 parent b811b98 commit edb8159
Showing 1 changed file with 45 additions and 1 deletion.
46 changes: 45 additions & 1 deletion src/Session.php
Expand Up @@ -863,17 +863,61 @@ public static function redirectIfNotLoggedIn()
**/
public static function checkValidSessionId()
{
global $DB;

if (
!isset($_SESSION['valid_id'])
|| ($_SESSION['valid_id'] !== session_id())
) {
Html::redirectToLogin('error=3');
}

$user_id = self::getLoginUserID();
$profile_id = $_SESSION['glpiactiveprofile']['id'] ?? null;
$entity_id = $_SESSION['glpiactive_entity'] ?? null;

$valid_user = true;

if (!is_numeric($user_id) || $profile_id === null || $entity_id === null) {
$valid_user = false;
} else {
$user_table = User::getTable();
$pu_table = Profile_User::getTable();
$result = $DB->request(
[
'COUNT' => 'count',
'FROM' => $user_table,
'LEFT JOIN' => [
$pu_table => [
'FKEY' => [
Profile_User::getTable() => 'users_id',
$user_table => 'id'
]
]
],
'WHERE' => [
$user_table . '.id' => $user_id,
$user_table . '.is_active' => 1,
$user_table . '.is_deleted' => 0,
$pu_table . '.profiles_id' => $profile_id,
$pu_table . '.entities_id' => $entity_id,
],
]
);
if ($result->current()['count'] === 0) {
$valid_user = false;
}
}

if (!$valid_user) {
Session::destroy();
Auth::setRememberMeCookie('');
Html::redirectToLogin();
}

return true;
}


/**
* Check if I have access to the central interface
*
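Review bot: The comparison `$result->current()['count'] === 0` near the end of the new block fails open. If the database layer returns the COUNT as a string (`'0'`), or the request yields no row at all, the strict test against integer 0 is false and `$valid_user` stays true, so a deactivated or deleted user would keep the session. Whether counts come back as native integers depends on connection settings that are not visible in this hunk. Making the test fail closed, for example `if ((int) ($result->current()['count'] ?? 0) < 1) {`, covers both cases. As a minor style point in the same query, the `FKEY` array calls `Profile_User::getTable()` again although `$pu_table` already holds that value.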