diff options
author | Joram Wilander <jwawilander@gmail.com> | 2017-10-04 11:04:17 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-04 11:04:17 -0400 |
commit | affd35071ea155069979fd359726296de8aa6aaf (patch) | |
tree | d6810c7a9356ceb3ff5bbb293f1b8756906d1d45 /api4 | |
parent | 3e144f82e29e566b3cf1615c19b4ddc6dc7e4694 (diff) | |
download | chat-affd35071ea155069979fd359726296de8aa6aaf.tar.gz chat-affd35071ea155069979fd359726296de8aa6aaf.tar.bz2 chat-affd35071ea155069979fd359726296de8aa6aaf.zip |
Updates to session revoking in v4 (#7565)
Diffstat (limited to 'api4')
-rw-r--r-- | api4/user.go | 14 | ||||
-rw-r--r-- | api4/user_test.go | 8 |
2 files changed, 21 insertions, 1 deletions
diff --git a/api4/user.go b/api4/user.go index 97f79cf6f..e46ded670 100644 --- a/api4/user.go +++ b/api4/user.go @@ -926,7 +926,19 @@ func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) { return } - if err := c.App.RevokeSessionById(sessionId); err != nil { + var session *model.Session + var err *model.AppError + if session, err = c.App.GetSessionById(sessionId); err != nil { + c.Err = err + return + } + + if session.UserId != c.Params.UserId { + c.SetInvalidUrlParam("user_id") + return + } + + if err := c.App.RevokeSession(session); err != nil { c.Err = err return } diff --git a/api4/user_test.go b/api4/user_test.go index b2d6d14dd..12a323137 100644 --- a/api4/user_test.go +++ b/api4/user_test.go @@ -1890,6 +1890,14 @@ func TestRevokeSessions(t *testing.T) { } CheckNoError(t, resp) + th.LoginBasic() + + sessions, _ = th.App.GetSessions(th.SystemAdminUser.Id) + session = sessions[0] + + _, resp = Client.RevokeSession(user.Id, session.Id) + CheckBadRequestStatus(t, resp) + Client.Logout() _, resp = Client.RevokeSession(user.Id, model.NewId()) CheckUnauthorizedStatus(t, resp) |