fix: terminate user sessions for user with changed permissions

thorsten · Sep 22, 2023 · 5f43786 · 5f43786
1 parent 62b9ef1
commit 5f43786
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 3 deletions.
diff --git a/phpmyfaq/admin/api/user.php b/phpmyfaq/admin/api/user.php
@@ -115,8 +115,7 @@
 
         case 'activate_user':
             $postData = json_decode(file_get_contents('php://input', true));
-
-            if (!Token::getInstance()->verifyToken('user', $postData->csrfToken)) {
+            if (!Token::getInstance()->verifyToken('activate-user', $postData->csrfToken)) {
                 $response->setStatusCode(Response::HTTP_UNAUTHORIZED);
                 $response->setData(['error' => Translation::get('err_NotAuth')]);
                 $response->send();

diff --git a/phpmyfaq/admin/assets/src/user/user-list.js b/phpmyfaq/admin/assets/src/user/user-list.js
@@ -18,7 +18,7 @@
 import { addElement } from '../../../../assets/src/utils';
 
 const activateUser = (userId, csrfToken) => {
-  fetch('index.php?action=ajax&ajax=user&ajaxaction=delete_user', {
+  fetch('index.php?action=ajax&ajax=user&ajaxaction=activate_user', {
     method: 'POST',
     headers: {
       Accept: 'application/json, text/plain, */*',

diff --git a/phpmyfaq/admin/user.php b/phpmyfaq/admin/user.php
@@ -94,7 +94,10 @@
             foreach ($userRights as $rightId) {
                 $perm->grantUserRight($userId, $rightId);
             }
+
             $idUser = $user->getUserById($userId, true);
+            // Terminate session in case of different permissions after the update
+            $user->terminateSessionId();
             $message .= sprintf(
                 '<p class="alert alert-success">%s <strong>%s</strong> %s</p>',
                 Translation::get('ad_msg_savedsuc_1'),

diff --git a/phpmyfaq/src/phpMyFAQ/User.php b/phpmyfaq/src/phpMyFAQ/User.php
@@ -1037,4 +1037,19 @@ public function setSuperAdmin(bool $isSuperAdmin): bool
 
         return false;
     }
+
+    /**
+     * Terminates the session ID of user
+     * @return bool
+     */
+    public function terminateSessionId(): bool
+    {
+        $update = sprintf(
+            "UPDATE %sfaquser SET session_id = '' WHERE user_id = %d",
+            Database::getTablePrefix(),
+            $this->userId
+        );
+
+        return (bool) $this->config->getDb()->query($update);
+    }
 }