From affd35071ea155069979fd359726296de8aa6aaf Mon Sep 17 00:00:00 2001
From: Joram Wilander <jwawilander@gmail.com>
Date: Wed, 4 Oct 2017 11:04:17 -0400
Subject: Updates to session revoking in v4 (#7565)

---
 api4/user.go      | 14 +++++++++++++-
 api4/user_test.go |  8 ++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

(limited to 'api4')

diff --git a/api4/user.go b/api4/user.go
index 97f79cf6f..e46ded670 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -926,7 +926,19 @@ func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := c.App.RevokeSessionById(sessionId); err != nil {
+	var session *model.Session
+	var err *model.AppError
+	if session, err = c.App.GetSessionById(sessionId); err != nil {
+		c.Err = err
+		return
+	}
+
+	if session.UserId != c.Params.UserId {
+		c.SetInvalidUrlParam("user_id")
+		return
+	}
+
+	if err := c.App.RevokeSession(session); err != nil {
 		c.Err = err
 		return
 	}
diff --git a/api4/user_test.go b/api4/user_test.go
index b2d6d14dd..12a323137 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -1890,6 +1890,14 @@ func TestRevokeSessions(t *testing.T) {
 	}
 	CheckNoError(t, resp)
 
+	th.LoginBasic()
+
+	sessions, _ = th.App.GetSessions(th.SystemAdminUser.Id)
+	session = sessions[0]
+
+	_, resp = Client.RevokeSession(user.Id, session.Id)
+	CheckBadRequestStatus(t, resp)
+
 	Client.Logout()
 	_, resp = Client.RevokeSession(user.Id, model.NewId())
 	CheckUnauthorizedStatus(t, resp)
-- 
cgit v1.2.3-1-g7c22