From affd35071ea155069979fd359726296de8aa6aaf Mon Sep 17 00:00:00 2001
From: Joram Wilander
Date: Wed, 4 Oct 2017 11:04:17 -0400
Subject: Updates to session revoking in v4 (#7565)
---
api4/user.go | 14 +++++++++++++-
api4/user_test.go | 8 ++++++++
app/session.go | 9 +++++++++
3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/api4/user.go b/api4/user.go
index 97f79cf6f..e46ded670 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -926,7 +926,19 @@ func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
 
- if err := c.App.RevokeSessionById(sessionId); err != nil {
+ var session *model.Session
+ var err *model.AppError
+ if session, err = c.App.GetSessionById(sessionId); err != nil {
+ c.Err = err
+ return
+ }
+
+ if session.UserId != c.Params.UserId {
+ c.SetInvalidUrlParam("user_id")
+ return
+ }
+
+ if err := c.App.RevokeSession(session); err != nil {
 c.Err = err
 return
 }
diff --git a/api4/user_test.go b/api4/user_test.go
index b2d6d14dd..12a323137 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -1890,6 +1890,14 @@ func TestRevokeSessions(t *testing.T) {
 }
 CheckNoError(t, resp)
 
+ th.LoginBasic()
+
+ sessions, _ = th.App.GetSessions(th.SystemAdminUser.Id)
+ session = sessions[0]
+
+ _, resp = Client.RevokeSession(user.Id, session.Id)
+ CheckBadRequestStatus(t, resp)
+
 Client.Logout()
 _, resp = Client.RevokeSession(user.Id, model.NewId())
 CheckUnauthorizedStatus(t, resp)
diff --git a/app/session.go b/app/session.go
index 0e7701135..be79b0266 100644
--- a/app/session.go
+++ b/app/session.go
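Review bot: In revokeSession the `err` declared with `var err *model.AppError` is shadowed by `if err := c.App.RevokeSession(session); err != nil`, so the outer variable only serves the GetSessionById call and the shadow analyzer will flag it; the two declarations fold into `session, err := c.App.GetSessionById(sessionId)` followed by `if err != nil {`, with the later guard written as `if err = c.App.RevokeSession(session); err != nil {`. The ownership check `session.UserId != c.Params.UserId` is what stops a caller from revoking a session that belongs to a different user, which the replaced RevokeSessionById call did not enforce by itself; it answers with an invalid-parameter 400 that differs from the lookup-failure error, so a caller can tell a foreign session id from an unknown one, and returning the same response for both cases would remove that distinction. revokeSession starts before the hunk, so any permission check on user_id that precedes this code is not visible here.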
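Review bot: The new block in TestRevokeSessions only checks the status code of the cross-user revoke; it never confirms that the system admin's session survived, so an implementation that revoked first and then returned 400 would still pass. A follow-up assertion that re-reads `th.App.GetSessions(th.SystemAdminUser.Id)` and checks that `session.Id` is still present would pin the intended behavior. `session = sessions[0]` also panics with an index error rather than a test failure if the admin has no sessions; a guard such as `if len(sessions) == 0 { t.Fatal("no admin sessions") }` before it gives a clearer message. TestRevokeSessions starts before the hunk, where sessions, session and user are presumably declared.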
@@ -173,6 +173,15 @@ func (a *App) RevokeSessionsForDeviceId(userId string, deviceId string, currentS
 return nil
 }
 
+func (a *App) GetSessionById(sessionId string) (*model.Session, *model.AppError) {
+ if result := <-a.Srv.Store.Session().Get(sessionId); result.Err != nil {
+ result.Err.StatusCode = http.StatusBadRequest
+ return nil, result.Err
+ } else {
+ return result.Data.(*model.Session), nil
+ }
+}
+
 func (a *App) RevokeSessionById(sessionId string) *model.AppError {
 if result := <-a.Srv.Store.Session().Get(sessionId); result.Err != nil {
 result.Err.StatusCode = http.StatusBadRequest
-- 
cgit v1.2.3-1-g7c22
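Review bot: GetSessionById is exported but carries no doc comment, and its `else` after an unconditional `return` is the shape golint flags; add `// GetSessionById returns the session with the given id, or an AppError with status 400 when the store lookup fails.` above it and replace the else branch with a plain `return result.Data.(*model.Session), nil` after the closing brace of the if. Overwriting `result.Err.StatusCode` with `http.StatusBadRequest` for every store error, as RevokeSessionById below already does, reports a backend failure to the client as a bad request; if the store error distinguishes not-found from other failures, only the former should be mapped to 400. RevokeSessionById now repeats the same lookup and its body continues past the hunk, so it is presumably a candidate to call GetSessionById and then RevokeSession instead.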