From 8a06f991edf359f9ffeb53cc57173023c44d9644 Mon Sep 17 00:00:00 2001
From: "kiko%async.com.br" <>
Date: Sat, 27 Mar 2004 09:28:29 +0000
Subject: Fix for bug 226764: Move InvalidateLogins into Bugzilla::Auth::CGI. Consolidates the logout code into Bugzilla::Auth::CGI, and provides simple front-end wrappers in Bugzilla.pm for use in the CGIs we have. r=bbaetz, joel; a=justdave. Adds a set of constants to the logout() API which allow specifying "how much" we should log out -- all sessions, the current session, or all sessions but the current one. Fixes callsites to use this new API; cleans and documents things a bit while we're at it. Part I in the great COOKIE apocalypse.
---
Bugzilla.pm | 72 +++++++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 53 insertions(+), 19 deletions(-)
(limited to 'Bugzilla.pm')
diff --git a/Bugzilla.pm b/Bugzilla.pm
index 7e7d50004..5cee520c7 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -83,33 +83,53 @@ sub login { # so it needs to be set. $::COOKIE{'Bugzilla_login'} = $_user->login; } else { - # Old compat stuff - - undef $_user; - $::userid = 0; - delete $::COOKIE{'Bugzilla_login'}; - delete $::COOKIE{'Bugzilla_logincookie'}; - # NB - Can't delete from $cgi->cookie, so the cookie data will - # remain there - # People shouldn't rely on the cookie param for the username - # - use Bugzilla->user instead! + logout_request(); } return $_user; } sub logout { + my ($class, $option) = @_; + if (! $_user) { + # If we're not logged in, go away + return; + } + $option = LOGOUT_CURRENT unless defined $option; + + use Bugzilla::Auth::CGI; + Bugzilla::Auth::CGI->logout($_user, $option); + if ($option != LOGOUT_KEEP_CURRENT) { + Bugzilla::Auth::CGI->clear_browser_cookies(); + logout_request(); + } +} + +sub logout_user { + my ($class, $user) = @_; + # When we're logging out another user we leave cookies alone, and + # therefore avoid calling logout() directly. use Bugzilla::Auth::CGI; - # remove cookies and clean up database state - Bugzilla::Auth::CGI->logout(); - logout_request(); + Bugzilla::Auth::CGI->logout($user, LOGOUT_ALL); } +# just a compatibility front-end to logout_user that gets a user by id +sub logout_user_by_id { + my ($class, $id) = @_; + my $user = new Bugzilla::User($id); + $class->logout_user($user); +} + +# hack that invalidates credentials for a single request sub logout_request { undef $_user; $::userid = 0; + # XXX clean these up eventually delete $::COOKIE{"Bugzilla_login"}; - delete $::COOKIE{"Bugzilla_logincookie"}; + # NB - Can't delete from $cgi->cookie, so the logincookie data will + # remain there; it's only used in Bugzilla::Auth::CGI->logout anyway + # People shouldn't rely on the cookie param for the username + # - use Bugzilla->user instead! } my $_dbh; 
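Review bot: The early `return` in `logout()` when `$_user` is unset makes logout a silent no-op whenever `login` has not run earlier in the same request, so the cookies and database state that the old unconditional `Bugzilla::Auth::CGI->logout()` call cleaned up stay valid; whether any call site reaches it that way is not visible from this hunk. At minimum the guard should state the precondition, e.g. `# $_user is only set after Bugzilla->login; callers must log in first or nothing is invalidated`. In `logout_user_by_id`, the result of `new Bugzilla::User($id)` is handed to `logout_user` unchecked, and what the constructor returns for an unknown id is not shown here, so a guard such as `defined $user or die "logout_user_by_id: no user with id $id";` would keep a failed lookup from looking like a completed logout. `login` begins outside this hunk.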
@@ -264,7 +284,7 @@ method for those scripts/templates which are only use via CGI, though. =item C -The current L. C if there is no currently logged in user +The current C. C if there is no currently logged in user or if the login code has not yet been run. =item C @@ -273,15 +293,29 @@ Logs in a user, returning a C object, or C if there is no logged in user. See L and L. -=item C +=item C + +Logs out the current user, which involves invalidating user sessions and +cookies. Three options are available from +L: LOGOUT_CURRENT (the +default), LOGOUT_ALL or LOGOUT_KEEP_CURRENT. + +=item C + +Logs out the specified user (invalidating all his sessions), taking a +Bugzilla::User instance. + +=item C -Logs out the current user. +Logs out the user with the id specified. This is a compatibility +function to be used in callsites where there is only a userid and no +Bugzilla::User instance. =item C -Essentially, causes calls to C to return C. This has the +Essentially, causes calls to Cuser> to return C. This has the effect of logging out a user for the current request only; cookies and -database state are left intact. +database sessions are left intact. =item C -- cgit v1.2.3-24-g4f1b