summaryrefslogtreecommitdiffstats
path: root/api4
diff options
context:
space:
mode:
Diffstat (limited to 'api4')
-rw-r--r--api4/user.go14
-rw-r--r--api4/user_test.go8
2 files changed, 21 insertions, 1 deletions
diff --git a/api4/user.go b/api4/user.go
index 97f79cf6f..e46ded670 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -926,7 +926,19 @@ func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if err := c.App.RevokeSessionById(sessionId); err != nil {
+ var session *model.Session
+ var err *model.AppError
+ if session, err = c.App.GetSessionById(sessionId); err != nil {
+ c.Err = err
+ return
+ }
+
+ if session.UserId != c.Params.UserId {
+ c.SetInvalidUrlParam("user_id")
+ return
+ }
+
+ if err := c.App.RevokeSession(session); err != nil {
c.Err = err
return
}
diff --git a/api4/user_test.go b/api4/user_test.go
index b2d6d14dd..12a323137 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -1890,6 +1890,14 @@ func TestRevokeSessions(t *testing.T) {
}
CheckNoError(t, resp)
+ th.LoginBasic()
+
+ sessions, _ = th.App.GetSessions(th.SystemAdminUser.Id)
+ session = sessions[0]
+
+ _, resp = Client.RevokeSession(user.Id, session.Id)
+ CheckBadRequestStatus(t, resp)
+
Client.Logout()
_, resp = Client.RevokeSession(user.Id, model.NewId())
CheckUnauthorizedStatus(t, resp)