From 71740a75a210907cee418a6c404e05ef4710fa9b Mon Sep 17 00:00:00 2001
From: Eli Schwartz <eschwartz@archlinux.org>
Date: Tue, 16 Feb 2021 22:09:36 -0500
Subject: rewrite query to support both mysql/sqlite

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/lib/acctfuncs.inc.php | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 30c4cfe0..752abe97 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -597,21 +597,17 @@ function try_login() {
 	/* Generate a session ID and store it. */
 	while (!$logged_in && $num_tries < 5) {
 		$session_limit = config_get_int('options', 'max_sessions_per_user');
-		# FIXME: this does not work for sqlite (JOIN in a DELETE clause)
-		# hence non-prod instances can have a naughty amount of simultaneous logins
-		if ($backend == "mysql" && $session_limit) {
+		if ($session_limit) {
 			/*
 			 * Delete all user sessions except the
 			 * last ($session_limit - 1).
 			 */
-			$q = "DELETE s.* FROM Sessions s ";
-			$q.= "LEFT JOIN (SELECT SessionID FROM Sessions ";
+			$q = "DELETE FROM Sessions ";
 			$q.= "WHERE UsersId = " . $userID . " ";
+			$q.= "AND SessionID NOT IN (SELECT SessionID FROM Sessions ";
+			$q.= "WHERE UsersID = " . $userID . " ";
 			$q.= "ORDER BY LastUpdateTS DESC ";
-			$q.= "LIMIT " . ($session_limit - 1) . ") q ";
-			$q.= "ON s.SessionID = q.SessionID ";
-			$q.= "WHERE s.UsersId = " . $userID . " ";
-			$q.= "AND q.SessionID IS NULL;";
+			$q.= "LIMIT " . ($session_limit - 1) . ")";
 			$dbh->query($q);
 		}
 
-- 
cgit v1.2.3-24-g4f1b