Updates to session revoking in v4 (#7565)

2025-02-25 18:55:24 -06:00 · 2017-10-04 11:04:17 -04:00
parent 3e144f82e2
commit affd35071e
3 changed files with 30 additions and 1 deletions
--- a/api4/user.go
+++ b/api4/user.go
@@ -926,7 +926,19 @@ func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := c.App.RevokeSessionById(sessionId); err != nil {
+	var session *model.Session
+	var err *model.AppError
+	if session, err = c.App.GetSessionById(sessionId); err != nil {
+		c.Err = err
+		return
+	}
+
+	if session.UserId != c.Params.UserId {
+		c.SetInvalidUrlParam("user_id")
+		return
+	}
+
+	if err := c.App.RevokeSession(session); err != nil {
 		c.Err = err
 		return
 	}
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -1890,6 +1890,14 @@ func TestRevokeSessions(t *testing.T) {
 	}
 	CheckNoError(t, resp)

+	th.LoginBasic()
+
+	sessions, _ = th.App.GetSessions(th.SystemAdminUser.Id)
+	session = sessions[0]
+
+	_, resp = Client.RevokeSession(user.Id, session.Id)
+	CheckBadRequestStatus(t, resp)
+
 	Client.Logout()
 	_, resp = Client.RevokeSession(user.Id, model.NewId())
 	CheckUnauthorizedStatus(t, resp)
--- a/app/session.go
+++ b/app/session.go
@@ -173,6 +173,15 @@ func (a *App) RevokeSessionsForDeviceId(userId string, deviceId string, currentS
 	return nil
 }

+func (a *App) GetSessionById(sessionId string) (*model.Session, *model.AppError) {
+	if result := <-a.Srv.Store.Session().Get(sessionId); result.Err != nil {
+		result.Err.StatusCode = http.StatusBadRequest
+		return nil, result.Err
+	} else {
+		return result.Data.(*model.Session), nil
+	}
+}
+
 func (a *App) RevokeSessionById(sessionId string) *model.AppError {
 	if result := <-a.Srv.Store.Session().Get(sessionId); result.Err != nil {
 		result.Err.StatusCode = http.StatusBadRequest