field | value | date |
---|---|---|
author | kiko%async.com.br | 2004-03-27 10:28:29 +0100 |
committer | kiko%async.com.br | 2004-03-27 10:28:29 +0100 |
commit | 8a06f991edf359f9ffeb53cc57173023c44d9644 | |
tree | 2e5196831333da56330b1a5c00c9165991a0ac78 /Bugzilla.pm | |
parent | a66d86a8e68f82de2d17d086204f538238ce0727 | |
Fix for bug 226764: Move InvalidateLogins into Bugzilla::Auth::CGI.

Consolidates the logout code into Bugzilla::Auth::CGI, and provides
simple front-end wrappers in Bugzilla.pm for use in the CGIs we have.
r=bbaetz, joel; a=justdave.

Adds a set of constants to the logout() API which allow specifying "how
much" we should log out -- all sessions, the current session, or all
sessions but the current one.

Fixes callsites to use this new API; cleans and documents things a
bit while we're at it. Part I in the great COOKIE apocalypse.

Diffstat (limited to 'Bugzilla.pm')
-rw-r--r-- | Bugzilla.pm | 72 |
1 files changed, 53 insertions, 19 deletions
diff --git a/Bugzilla.pm b/Bugzilla.pm index 7e7d50004..5cee520c7 100644 --- a/Bugzilla.pm +++ b/Bugzilla.pm @@ -83,33 +83,53 @@ sub login { # so it needs to be set. $::COOKIE{'Bugzilla_login'} = $_user->login; } else { - # Old compat stuff - - undef $_user; - $::userid = 0; - delete $::COOKIE{'Bugzilla_login'}; - delete $::COOKIE{'Bugzilla_logincookie'}; - # NB - Can't delete from $cgi->cookie, so the cookie data will - # remain there - # People shouldn't rely on the cookie param for the username - # - use Bugzilla->user instead! + logout_request(); } return $_user; } sub logout { + my ($class, $option) = @_; + if (! $_user) { + # If we're not logged in, go away + return; + } + $option = LOGOUT_CURRENT unless defined $option; + + use Bugzilla::Auth::CGI; + Bugzilla::Auth::CGI->logout($_user, $option); + if ($option != LOGOUT_KEEP_CURRENT) { + Bugzilla::Auth::CGI->clear_browser_cookies(); + logout_request(); + } +} + +sub logout_user { + my ($class, $user) = @_; + # When we're logging out another user we leave cookies alone, and + # therefore avoid calling logout() directly. use Bugzilla::Auth::CGI; - # remove cookies and clean up database state - Bugzilla::Auth::CGI->logout(); - logout_request(); + Bugzilla::Auth::CGI->logout($user, LOGOUT_ALL); } +# just a compatibility front-end to logout_user that gets a user by id +sub logout_user_by_id { + my ($class, $id) = @_; + my $user = new Bugzilla::User($id); + $class->logout_user($user); +} + +# hack that invalidates credentials for a single request sub logout_request { undef $_user; $::userid = 0; + # XXX clean these up eventually delete $::COOKIE{"Bugzilla_login"}; - delete $::COOKIE{"Bugzilla_logincookie"}; + # NB - Can't delete from $cgi->cookie, so the logincookie data will + # remain there; it's only used in Bugzilla::Auth::CGI->logout anyway + # People shouldn't rely on the cookie param for the username + # - use Bugzilla->user instead! } my $_dbh; 
@@ -264,7 +284,7 @@ method for those scripts/templates which are only use via CGI, though. =item C<user> -The current L<Bugzilla::User>. C<undef> if there is no currently logged in user +The current C<Bugzilla::User>. C<undef> if there is no currently logged in user or if the login code has not yet been run. =item C<login> @@ -273,15 +293,29 @@ Logs in a user, returning a C<Bugzilla::User> object, or C<undef> if there is no logged in user. See L<Bugzilla::Auth|Bugzilla::Auth> and L<Bugzilla::User|Bugzilla::User>. -=item C<logout> +=item C<logout($option)> + +Logs out the current user, which involves invalidating user sessions and +cookies. Three options are available from +L<Bugzilla::Constants|Bugzilla::Constants>: LOGOUT_CURRENT (the +default), LOGOUT_ALL or LOGOUT_KEEP_CURRENT. + +=item C<logout_user($user)> + +Logs out the specified user (invalidating all his sessions), taking a +Bugzilla::User instance. + +=item C<logout_by_id($id)> -Logs out the current user. +Logs out the user with the id specified. This is a compatibility +function to be used in callsites where there is only a userid and no +Bugzilla::User instance. =item C<logout_request> -Essentially, causes calls to C<user> to return C<undef>. This has the +Essentially, causes calls to C<Bugzilla->user> to return C<undef>. This has the effect of logging out a user for the current request only; cookies and -database state are left intact. +database sessions are left intact. =item C<dbh> |
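
Review bot: In the code hunk at @@ -83,33 +83,53 @@, logout() now returns early when $_user is unset, so clear_browser_cookies() and logout_request() are skipped for a request that arrives without a valid session, whereas the removed body called Bugzilla::Auth::CGI->logout() and logout_request() unconditionally. A browser holding a stale or rejected login cookie therefore keeps it after hitting a logout callsite; consider clearing the browser cookies before the early return, or say in the comment that leaving them is intended. Also in this hunk, logout_user_by_id() hands the result of new Bugzilla::User($id) straight to logout_user() with no visible check that the id resolved to a user, so a bad id could turn a LOGOUT_ALL request into a silent no-op; checking the object and reporting the failure would make that case visible to the caller.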
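
Review bot: In the POD hunk at @@ -273,15 +293,29 @@, the new item is titled logout_by_id($id), but the sub added in the code hunk is logout_user_by_id, so the documented name does not match the function; rename the item to logout_user_by_id($id). In the same hunk, C<Bugzilla->user> is terminated by the > of the arrow and will render incorrectly; write it as C<< Bugzilla->user >>. The logout($option) entry would also benefit from one sentence per constant, in particular that LOGOUT_KEEP_CURRENT leaves the browser cookies in place, which is what the code does by skipping clear_browser_cookies() for that option.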