diff options
Diffstat (limited to 'api4')
| -rw-r--r-- | api4/user.go | 14 | ||||
| -rw-r--r-- | api4/user_test.go | 8 |
2 files changed, 21 insertions, 1 deletions
diff --git a/api4/user.go b/api4/user.go index 97f79cf6f..e46ded670 100644 --- a/api4/user.go +++ b/api4/user.go @@ -926,7 +926,19 @@ func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) { return } - if err := c.App.RevokeSessionById(sessionId); err != nil { + var session *model.Session + var err *model.AppError + if session, err = c.App.GetSessionById(sessionId); err != nil { + c.Err = err + return + } + + if session.UserId != c.Params.UserId { + c.SetInvalidUrlParam("user_id") + return + } + + if err := c.App.RevokeSession(session); err != nil { c.Err = err return } diff --git a/api4/user_test.go b/api4/user_test.go index b2d6d14dd..12a323137 100644 --- a/api4/user_test.go +++ b/api4/user_test.go @@ -1890,6 +1890,14 @@ func TestRevokeSessions(t *testing.T) { } CheckNoError(t, resp) + th.LoginBasic() + + sessions, _ = th.App.GetSessions(th.SystemAdminUser.Id) + session = sessions[0] + + _, resp = Client.RevokeSession(user.Id, session.Id) + CheckBadRequestStatus(t, resp) + Client.Logout() _, resp = Client.RevokeSession(user.Id, model.NewId()) CheckUnauthorizedStatus(t, resp) |