From 405f3af257f3ef4645e560fbb62697d2330a50a5 Mon Sep 17 00:00:00 2001
From: "J. King"
Date: Fri, 25 Dec 2020 22:22:37 -0500
Subject: [PATCH] Invalidate sessions and Fever passwords when renaming users

---
 lib/User.php | 9 +++++++--
 tests/cases/User/TestUser.php | 26 ++++++++++++++++++++------
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/lib/User.php b/lib/User.php
index 1c7979bc..d0bbbf80 100644
--- a/lib/User.php
+++ b/lib/User.php
@@ -106,12 +106,17 @@ class User {
     public function rename(string $user, string $newName): bool {
         if ($this->u->userRename($user, $newName)) {
+            $tr = Arsse::$db->begin();
             if (!Arsse::$db->userExists($user)) {
                 Arsse::$db->userAdd($newName, null);
-                return true;
             } else {
-                return Arsse::$db->userRename($user, $newName);
+                Arsse::$db->userRename($user, $newName);
+                // invalidate any sessions and Fever passwords
+                Arsse::$db->sessionDestroy($newName);
+                Arsse::$db->tokenRevoke($newName, "fever.login");
             }
+            $tr->commit();
+            return true;
         }
         return false;
     }
diff --git a/tests/cases/User/TestUser.php b/tests/cases/User/TestUser.php
index e42832e9..c2a2645d 100644
--- a/tests/cases/User/TestUser.php
+++ b/tests/cases/User/TestUser.php
@@ -183,6 +183,8 @@ class TestUser extends \JKingWeb\Arsse\Test\AbstractTest {
     }
     public function testRenameAUser(): void {
+        $tr = \Phake::mock(Transaction::class);
+        \Phake::when(Arsse::$db)->begin->thenReturn($tr);
         \Phake::when(Arsse::$db)->userExists->thenReturn(true);
         \Phake::when(Arsse::$db)->userAdd->thenReturn(true);
         \Phake::when(Arsse::$db)->userRename->thenReturn(true);
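Review bot: The driver-side rename `$this->u->userRename($user, $newName)` has already taken effect before `Arsse::$db->begin()` runs, so if anything inside the transaction throws (`userRename`, `sessionDestroy` or `tokenRevoke`) the external user store is renamed while the database still holds the old name, and the sessions and Fever password this commit means to invalidate survive unless the Transaction object happens to roll back on destruction. If the Transaction class exposes a `rollback()`, wrapping the body between `begin()` and `commit()` in a try/catch that rolls back and rethrows keeps the database side consistent for a retry; otherwise the non-atomicity deserves a comment. The result of `Arsse::$db->userRename($user, $newName)` used to be the method's return value and is now discarded, so a database rename that reports failure still ends in `return true` with credentials revoked for a name that may not exist — if that boolean is meaningful, check it before the invalidation. `sessionDestroy`/`tokenRevoke` are looked up by `$newName`, which presumably depends on the preceding rename having moved those rows to the new name; a one-line comment such as `// rows are keyed by the new name because the rename above has already moved them` would make that ordering dependency explicit. The enclosing class continues outside the hunk.
```php
        if ($this->u->userRename($user, $newName)) {
            $tr = Arsse::$db->begin();
            try {
                // … unchanged: userExists / userAdd / userRename / sessionDestroy / tokenRevoke …
                $tr->commit();
            } catch (\Throwable $e) {
                // the driver rename is already done; undo the database side so a retry starts from a consistent state
                $tr->rollback();
                throw $e;
            }
            return true;
        }
```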
@@ -191,12 +193,20 @@ class TestUser extends \JKingWeb\Arsse\Test\AbstractTest {
         $old = "john.doe@example.com";
         $new = "jane.doe@example.com";
         $this->assertTrue($u->rename($old, $new));
-        \Phake::verify($this->drv)->userRename($old, $new);
-        \Phake::verify(Arsse::$db)->userExists($old);
-        \Phake::verify(Arsse::$db)->userRename($old, $new);
+        \Phake::inOrder(
+            \Phake::verify($this->drv)->userRename($old, $new),
+            \Phake::verify(Arsse::$db)->begin(),
+            \Phake::verify(Arsse::$db)->userExists($old),
+            \Phake::verify(Arsse::$db)->userRename($old, $new),
+            \Phake::verify(Arsse::$db)->sessionDestroy($new),
+            \Phake::verify(Arsse::$db)->tokenRevoke($new, "fever.login"),
+            \Phake::verify($tr)->commit()
+        );
     }
     public function testRenameAUserWeDoNotKnow(): void {
+        $tr = \Phake::mock(Transaction::class);
+        \Phake::when(Arsse::$db)->begin->thenReturn($tr);
         \Phake::when(Arsse::$db)->userExists->thenReturn(false);
         \Phake::when(Arsse::$db)->userAdd->thenReturn(true);
         \Phake::when(Arsse::$db)->userRename->thenReturn(true);
@@ -205,9 +215,13 @@ class TestUser extends \JKingWeb\Arsse\Test\AbstractTest {
         $old = "john.doe@example.com";
         $new = "jane.doe@example.com";
         $this->assertTrue($u->rename($old, $new));
-        \Phake::verify($this->drv)->userRename($old, $new);
-        \Phake::verify(Arsse::$db)->userExists($old);
-        \Phake::verify(Arsse::$db)->userAdd($new, null);
+        \Phake::inOrder(
+            \Phake::verify($this->drv)->userRename($old, $new),
+            \Phake::verify(Arsse::$db)->begin(),
+            \Phake::verify(Arsse::$db)->userExists($old),
+            \Phake::verify(Arsse::$db)->userAdd($new, null),
+            \Phake::verify($tr)->commit()
+        );
     }
     public function testRenameAUserWithoutEffect(): void {
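Review bot: `testRenameAUserWeDoNotKnow` only verifies the calls that do happen and never asserts that no credentials are touched on the `userAdd` path, so a regression that moves `sessionDestroy`/`tokenRevoke` out of the `else` branch, or calls them with `$old`, would still pass. Adding `\Phake::verify(Arsse::$db, \Phake::never())->sessionDestroy(\Phake::anyParameters());` and the same for `tokenRevoke` after the `inOrder` block pins the intended behaviour. Neither test exercises a failure inside the transaction (for example `userRename` throwing), so whatever is supposed to happen to the transaction and to the already-renamed driver in that case is unverified. The body of `testRenameAUserWithoutEffect` lies outside the hunk.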