Context Navigation

← Previous Changeset
Next Changeset →

Changeset 30895

Timestamp:

12/16/2014 12:52:52 PM (9 years ago)

Author:

johnbillion

Message:

Updates to the 'Log out everywhere' implementation.

Include a message and a disabled button when you're only logged in at one location.
Avoid leaking the session token in HTML.
Simplify, simplify, simplify.

Merges [30888] to the 4.1 branch.

Fixes #30264.

Location:

branches/4.1

Files:

: 6 edited

. (modified) (1 prop)
src/wp-admin/css/common.css (modified) (1 diff)
src/wp-admin/includes/ajax-actions.php (modified) (3 diffs)
src/wp-admin/js/user-profile.js (modified) (2 diffs)
src/wp-admin/user-edit.php (modified) (4 diffs)
src/wp-includes/script-loader.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

branches/4.1
- Property svn:mergeinfo changed
  /trunk merged: 30888

branches/4.1/src/wp-admin/css/common.css

-                      r30880
+                      r30895
 .notice p,
 div.updated p,
+div.error p {
+div.error p,
+.form-table td .notice p {
     margin: 0.5em 0;
     padding: 2px;

branches/4.1/src/wp-admin/includes/ajax-actions.php

-                      r30596
+                      r30895
 function wp_ajax_destroy_sessions() {
+    if ( empty( $_POST['user_id'] ) ) {
+        $user = new WP_Error();
+    } else {
+        $user = new WP_User( absint( $_POST['user_id'] ) );
+        if ( ! $user->exists() ) {
+            $user = new WP_Error();
+        } elseif ( ! current_user_can( 'edit_user', $user->ID ) ) {
+            $user = new WP_Error();
+        } elseif ( ! check_ajax_referer( sprintf( 'destroy_sessions_%d', $user->ID ), false, false ) ) {
+            $user = new WP_Error();
+        }
+    }
+    if ( is_wp_error( $user ) ) {
+    $user = get_userdata( (int) $_POST['user_id'] );
+    if ( $user ) {
+        if ( ! current_user_can( 'edit_user', $user->ID ) ) {
+            $user = false;
+        } elseif ( ! wp_verify_nonce( $_POST['nonce'], 'update-user_' . $user->ID ) ) {
+            $user = false;
+        }
+    }
+    if ( ! $user ) {
         wp_send_json_error( array(
             'message' => __( 'Could not log out user sessions. Please try again.' ),
 …
+    }
-    // 'token' is only set if the initiating user is viewing their own profile-editing screen.
-    if ( isset( $_POST['token'] ) ) {
-        $keep = wp_unslash( $_POST['token'] );
-    } else {
-        $keep = null;
+    }
     $sessions = WP_Session_Tokens::get_instance( $user->ID );
+    /*
+     * If $keep is a string, then the current user is destroying all of their own sessions
+     * except the current one. If $keep is not a string, the current user is destroying all
+     * of another user's sessions with no exceptions.
+     */
+    if ( is_string( $keep ) ) {
+        $sessions->destroy_others( $keep );
+    if ( $user->ID === get_current_user_id() ) {
+        $sessions->destroy_others( wp_get_session_token() );
         $message = __( 'You are now logged out everywhere else.' );
     } else {
 …
+    }
+    wp_send_json_success( array(
+        'message' => $message
+    ) );
+}
+    wp_send_json_success( array( 'message' => $message ) );
+}

branches/4.1/src/wp-admin/js/user-profile.js

-                      r30334
+                      r30895
 /* global ajaxurl, pwsL10n, _wpSessionMangager */
+/* global ajaxurl, pwsL10n */
 (function($){
 …
     $( '#destroy-sessions' ).on( 'click', function( e ) {
+        var $this = $(this);
+        var $this = $(this);
+        var data = {
+            action      : 'destroy-sessions',
+            _ajax_nonce : _wpSessionMangager.nonce,
+            user_id     : _wpSessionMangager.user_id,
+            token       : $(this).data('token')
+        };
+        $.post( ajaxurl, data, function( response ) {
+            if ( response.success ) {
+                $this.prop( 'disabled', true );
+                $this.before( '<div class="updated inline"><p>' + response.data.message + '</p></div>' );
+            } else {
+                $this.before( '<div class="error inline"><p>' + response.data.message + '</p></div>' );
+            }
+        }, 'json' );
+        wp.ajax.post( 'destroy-sessions', {
+            nonce: $( '#_wpnonce' ).val(),
+            user_id: $( '#user_id' ).val()
+        }).done( function( response ) {
+            $this.prop( 'disabled', true );
+            $this.siblings( '.notice' ).remove();
+            $this.before( '<div class="notice notice-success inline"><p>' + response.message + '</p></div>' );
+        }).fail( function( response ) {
+            $this.siblings( '.notice' ).remove();
+            $this.before( '<div class="notice notice-error inline"><p>' + response.message + '</p></div>' );
+        });
         e.preventDefault();

branches/4.1/src/wp-admin/user-edit.php

-                      r30754
+                      r30895
 wp_enqueue_script('user-profile');
-wp_localize_script(
-    'user-profile',
-    '_wpSessionMangager',
-    array(
-        'user_id' => $user_id,
-        'nonce'   => wp_create_nonce( sprintf( 'destroy_sessions_%d', $user_id ) ),
+    )
-);
 $title = IS_PROFILE_PAGE ? __('Profile') : __('Edit User');
 …
 <?php endif; ?>
+<?php if ( IS_PROFILE_PAGE && ( count( $sessions->get_all() ) > 1 ) ) { ?>
+<?php
+if ( IS_PROFILE_PAGE && count( $sessions->get_all() ) === 1 ) : ?>
     <tr class="user-sessions-wrap hide-if-no-js">
         <th>&nbsp;</th>
         <td aria-live="assertive">
+            <div class="destroy-sessions"><button class="button button-secondary" id="destroy-sessions" data-token="<?php echo esc_attr( wp_get_session_token() ); ?>"><?php _e( 'Log Out of All Other Sessions' ); ?></button></div>
+            <div class="destroy-sessions"><button disabled class="button button-secondary"><?php _e( 'Log Out of All Other Sessions' ); ?></button></div>
+            <p class="description">
+                <?php _e( 'You are only logged in at this location.' ); ?>
+            </p>
+        </td>
+    </tr>
+<?php elseif ( IS_PROFILE_PAGE && count( $sessions->get_all() ) > 1 ) : ?>
+    <tr class="user-sessions-wrap hide-if-no-js">
+        <th>&nbsp;</th>
+        <td aria-live="assertive">
+            <div class="destroy-sessions"><button class="button button-secondary" id="destroy-sessions"><?php _e( 'Log Out of All Other Sessions' ); ?></button></div>
             <p class="description">
                 <?php _e( 'Left your account logged in at a public computer? Lost your phone? This will log you out everywhere except your current browser.' ); ?>
 …
         </td>
     </tr>
 <?php } else if ( ! IS_PROFILE_PAGE && ( count( $sessions->get_all() ) > 0 ) ) { ?>
+<?php elseif ( ! IS_PROFILE_PAGE && $sessions->get_all() ) : ?>
     <tr class="user-sessions-wrap hide-if-no-js">
         <th>&nbsp;</th>
 …
         </td>
     </tr>
 <?php } ?>
+<?php endif; ?>
 </table>

branches/4.1/src/wp-includes/script-loader.php

r30892	r30895
350	350	) );
351	351
352		$scripts->add( 'user-profile', "/wp-admin/js/user-profile$suffix.js", array( 'jquery', 'password-strength-meter' ), false, 1 );
	352	$scripts->add( 'user-profile', "/wp-admin/js/user-profile$suffix.js", array( 'jquery', 'password-strength-meter', 'wp-util' ), false, 1 );
353	353	$scripts->add( 'language-chooser', "/wp-admin/js/language-chooser$suffix.js", array( 'jquery' ), false, 1 );
354	354

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core