return false;
}
+ /**
+ * @deprecated since 1.28, use SessionManager::invalidateSessionForUser() instead.
+ */
public function resetAuthToken() {
# Override this!
return true;
return $this->getSessionFromInfo( $infos[0], $request );
}
+ public function invalidateSessionsForUser( User $user ) {
+ global $wgAuth;
+
+ $user->setToken();
+ $user->saveSettings();
+
+ $wgAuth->getUserInstance( $user )->resetAuthToken();
+
+ foreach ( $this->getProviders() as $provider ) {
+ $provider->invalidateSessionsForUser( $user );
+ }
+ }
+
public function getVaryHeaders() {
// @codeCoverageIgnoreStart
if ( defined( 'MW_NO_SESSION' ) && MW_NO_SESSION !== 'warn' ) {
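Review bot: The new public method `invalidateSessionsForUser()` at L11-L22 has no docblock even though it becomes the single entry point that the password-change and account-creation paths route through; a header such as `/** Invalidate all sessions for a user. Resets User::getToken(), persists the user via saveSettings(), resets the $wgAuth auth token, then notifies every provider. @param User $user */` would document the contract. The `$user->saveSettings()` call on L15 is a side effect the old `$u->setToken()` call sites did not have, so callers that previously set the token and saved later now persist every pending User change at this point — worth confirming that is intended for the `setPassword` callers and saying so in the docblock. If `$wgAuth->getUserInstance( $user )->resetAuthToken()` on L17 throws, the providers on L19-L21 are never notified although the token has already been rotated; that ordering is fail-closed, but a short comment stating it is deliberate would help.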
namespace MediaWiki\Session;
use Psr\Log\LoggerAwareInterface;
+use User;
use WebRequest;
/**
*/
public function getEmptySession( WebRequest $request = null );
+ /**
+ * Invalidate sessions for a user
+ *
+ * After calling this, existing sessions should be invalid. For mutable
+ * session providers, this generally means the user has to log in again;
+ * for immutable providers, it generally means the loss of session data.
+ *
+ * @param User $user
+ */
+ public function invalidateSessionsForUser( User $user );
+
/**
* Return the HTTP headers that need varying on.
*
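Review bot: The interface docblock at L34-L42 does not tell implementers what the manager already does on their behalf, so a class implementing this interface directly cannot tell whether it has to reset `User::getToken()` itself. Suggest adding to the description: `SessionManager resets User::getToken() and saves the user before calling this; a provider only needs to invalidate any token or session state of its own.` Adding a method to a public interface also requires every existing implementation to be updated, which may be worth mentioning in the commit message for downstream extensions.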
use Psr\Log\LoggerInterface;
use Config;
use Language;
+use User;
use WebRequest;
/**
}
}
+ /**
+ * Invalidate existing sessions for a user
+ *
+ * If the provider has its own equivalent of CookieSessionProvider's Token
+ * cookie (and doesn't use User::getToken() to implement it), it should
+ * reset whatever token it does use here.
+ *
+ * @protected For use by \MediaWiki\Session\SessionManager only
+ * @param User $user;
+ */
+ public function invalidateSessionsForUser( User $user ) {
+ }
+
/**
* Return the HTTP headers that need varying on.
*
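Review bot: The parameter line on L64, `@param User $user;`, carries a stray semicolon, and the `@protected` tag on L63 contradicts the `public` visibility the method declares on L66; replace them with `@param User $user` and `@note Public only so that SessionManager can call it; treat as protected.` The empty body on L66-L67 would read as deliberate with a one-line comment such as `// Default: nothing to do; providers that rely on User::getToken() are already covered by SessionManager`, which the docblock on L59-L61 already implies.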
$u->setEmail( $this->mEmail );
$u->setRealName( $this->mRealName );
- $u->setToken();
+ SessionManager::singleton()->invalidateSessionsForUser( $u );
Hooks::run( 'LocalUserCreated', [ $u, $autocreate ] );
$oldUser = $u;
throw new PasswordError( wfMessage( 'externaldberror' )->text() );
}
- $this->setToken();
$this->setOption( 'watchlisttoken', false );
$this->setPasswordInternal( $str );
+ SessionManager::singleton()->invalidateSessionsForUser( $this );
return true;
}
global $wgAuth;
if ( $wgAuth->allowSetLocalPassword() ) {
- $this->setToken();
$this->setOption( 'watchlisttoken', false );
$this->setPasswordInternal( $str );
+ SessionManager::singleton()->invalidateSessionsForUser( $this );
}
}
}
}
+ public function testInvalidateSessionsForUser() {
+ $user = User::newFromName( 'UTSysop' );
+ $manager = $this->getManager();
+
+ $providerBuilder = $this->getMockBuilder( 'DummySessionProvider' )
+ ->setMethods( [ 'invalidateSessionsForUser', '__toString' ] );
+
+ $provider1 = $providerBuilder->getMock();
+ $provider1->expects( $this->once() )->method( 'invalidateSessionsForUser' )
+ ->with( $this->identicalTo( $user ) );
+ $provider1->expects( $this->any() )->method( '__toString' )
+ ->will( $this->returnValue( 'MockProvider1' ) );
+
+ $provider2 = $providerBuilder->getMock();
+ $provider2->expects( $this->once() )->method( 'invalidateSessionsForUser' )
+ ->with( $this->identicalTo( $user ) );
+ $provider2->expects( $this->any() )->method( '__toString' )
+ ->will( $this->returnValue( 'MockProvider2' ) );
+
+ $this->config->set( 'SessionProviders', [
+ $this->objectCacheDef( $provider1 ),
+ $this->objectCacheDef( $provider2 ),
+ ] );
+
+ $oldToken = $user->getToken( true );
+ $manager->invalidateSessionsForUser( $user );
+ $this->assertNotEquals( $oldToken, $user->getToken() );
+ }
+
public function testGetVaryHeaders() {
$manager = $this->getManager();
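Review bot: `testInvalidateSessionsForUser()` at L96-L123 asserts only that the in-memory token changed (L122) and that both mocked providers were called; the persistence via `saveSettings()` in the implementation is never checked, and the `$wgAuth` reset is exercised but not asserted. If this test class has database access, reloading the user afterwards, `$this->assertNotEquals( $oldToken, User::newFromName( 'UTSysop' )->getToken() );`, would pin the persisted rotation; otherwise a comment stating that persistence is out of scope here would make the coverage gap visible. The `__toString` mock on L106-L107 and L112-L113 deserves a brief why-comment, presumably it exists for readable failure output — confirm.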
$this->assertSame( $manager, $priv->manager );
$this->assertSame( $manager, $provider->getManager() );
+ $provider->invalidateSessionsForUser( new \User );
+
$this->assertSame( [], $provider->getVaryHeaders() );
$this->assertSame( [], $provider->getVaryCookies() );
$this->assertSame( null, $provider->suggestLoginUsername( new \FauxRequest ) );
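Review bot: The call `$provider->invalidateSessionsForUser( new \User );` on L129 has no assertion around it, so a reader cannot tell whether it is a smoke test or a forgotten check. A comment such as `// Base-class implementation is a no-op; just make sure calling it doesn't throw` would make the intent explicit. The enclosing test method starts outside the hunk.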