

Timestamp:
12/16/2014 09:15:01 AM (10 years ago)
Author:
nacin
Message:

Updates to the 'Log out everywhere' implementation.

  • Include a message and a disabled button when you're only logged in at one location.
  • Avoid leaking the session token in HTML.
  • Simplify, simplify, simplify.

see #30264.

File:
1 edited

  • trunk/src/wp-admin/includes/ajax-actions.php

    r30596 r30888  
    27722772function wp_ajax_destroy_sessions() {
    27732773
    2774     if ( empty( $_POST['user_id'] ) ) {
    2775         $user = new WP_Error();
    2776     } else {
    2777         $user = new WP_User( absint( $_POST['user_id'] ) );
    2778 
    2779         if ( ! $user->exists() ) {
    2780             $user = new WP_Error();
    2781         } elseif ( ! current_user_can( 'edit_user', $user->ID ) ) {
    2782             $user = new WP_Error();
    2783         } elseif ( ! check_ajax_referer( sprintf( 'destroy_sessions_%d', $user->ID ), false, false ) ) {
    2784             $user = new WP_Error();
    2785         }
    2786     }
    2787 
    2788     if ( is_wp_error( $user ) ) {
     2774    $user = get_userdata( (int) $_POST['user_id'] );
     2775    if ( $user ) {
     2776        if ( ! current_user_can( 'edit_user', $user->ID ) ) {
     2777            $user = false;
     2778        } elseif ( ! wp_verify_nonce( $_POST['nonce'], 'update-user_' . $user->ID ) ) {
     2779            $user = false;
     2780        }
     2781    }
     2782
     2783    if ( ! $user ) {
    27892784        wp_send_json_error( array(
    27902785            'message' => __( 'Could not log out user sessions. Please try again.' ),
     
    27922787    }
    27932788
    2794     // 'token' is only set if the initiating user is viewing their own profile-editing screen.
    2795     if ( isset( $_POST['token'] ) ) {
    2796         $keep = wp_unslash( $_POST['token'] );
    2797     } else {
    2798         $keep = null;
    2799     }
    2800 
    28012789    $sessions = WP_Session_Tokens::get_instance( $user->ID );
    28022790
    2803     /*
    2804      * If $keep is a string, then the current user is destroying all of their own sessions
    2805      * except the current one. If $keep is not a string, the current user is destroying all
    2806      * of another user's sessions with no exceptions.
    2807      */
    2808     if ( is_string( $keep ) ) {
    2809         $sessions->destroy_others( $keep );
     2791    if ( $user->ID === get_current_user_id() ) {
     2792        $sessions->destroy_others( wp_get_session_token() );
    28102793        $message = __( 'You are now logged out everywhere else.' );
    28112794    } else {
     
    28152798    }
    28162799
    2817     wp_send_json_success( array(
    2818         'message' => $message
    2819     ) );
    2820 
    2821 }
     2800    wp_send_json_success( array( 'message' => $message ) );
     2801}
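Review bot: The new side reads `$_POST['user_id']` and `$_POST['nonce']` without checking that the keys exist, whereas the removed code guarded `user_id` with `empty()`; a request missing either key now raises an undefined-index notice on the `get_userdata` line and the `wp_verify_nonce` line before the `! $user` branch rejects it. Both reads should be guarded, e.g. `$user = get_userdata( isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0 );` and `} elseif ( ! wp_verify_nonce( isset( $_POST['nonce'] ) ? $_POST['nonce'] : '', 'update-user_' . $user->ID ) ) {`, so the failure path is reached without notices. The order of the checks is sound: `current_user_can( 'edit_user', ... )` is evaluated before the nonce, and the own-session path derives the token to keep from `wp_get_session_token()` server-side rather than from the request, which is what removes the token from the HTML. The body of the `else` branch (the other-user case) is not visible in this rendering, so its message and `destroy_all` call could not be reviewed here.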