From d03b432557e0422d5b0dbd32e82d36d3f9a5b68a Mon Sep 17 00:00:00 2001
From: Dylan William Hardison
Date: Mon, 24 Aug 2015 14:04:19 -0400
Subject: Bug 1192687 - add the ability for users to view and revoke existing sessions
---
 userprefs.cgi | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
(limited to 'userprefs.cgi')
diff --git a/userprefs.cgi b/userprefs.cgi
index 8f18de8c4..72a8dfb69 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -35,9 +35,12 @@ use Bugzilla::Util;
 use Bugzilla::Error;
 use Bugzilla::User;
 use Bugzilla::User::Setting qw(clear_settings_cache);
+use Bugzilla::User::Session;
 use Bugzilla::User::APIKey;
 use Bugzilla::Token;
+use constant SESSION_MAX => 20;
+
 my $template = Bugzilla->template;
 local our $vars = {};
@@ -539,6 +542,51 @@ sub SaveSavedSearches {
 Bugzilla->memcached->clear({ table => 'profiles', id => $user->id });
 }
+sub SaveSessions {
+ my $cgi = Bugzilla->cgi;
+ my $dbh = Bugzilla->dbh;
+ my $user = Bugzilla->user;
+
+ # Do it in a transaction.
+ $dbh->bz_start_transaction;
+ if ($cgi->param("session_logout_all")) {
+ my $info_getter = $user->authorizer && $user->authorizer->successful_info_getter();
+ if ($info_getter->cookie) {
+ $dbh->do("DELETE FROM logincookies WHERE userid = ? AND cookie != ?", undef,
+ $user->id, $info_getter->cookie);
+ }
+ }
+ else {
+ my @logout_ids = $cgi->param('session_logout_id');
+ my $sessions = Bugzilla::User::Session->new_from_list(\@logout_ids);
+ foreach my $session (@$sessions) {
+ $session->remove_from_db if $session->userid == $user->id;
+ }
+ }
+
+ $dbh->bz_commit_transaction;
+}
+
+sub DoSessions {
+ my $user = Bugzilla->user;
+ my $dbh = Bugzilla->dbh;
+ my $sessions = Bugzilla::User::Session->match({ userid => $user->id, LIMIT => SESSION_MAX + 1 });
+ my $info_getter = $user->authorizer && $user->authorizer->successful_info_getter();
+
+ if ($info_getter) {
+ foreach my $session (@$sessions) {
+ $session->{current} = $info_getter->cookie eq $session->{cookie};
+ }
+ }
+ my ($count) = $dbh->selectrow_array("SELECT count(*) FROM logincookies WHERE userid = ?", undef,
+ $user->id);
+
+ $vars->{too_many_sessions} = @$sessions == SESSION_MAX + 1;
+ $vars->{sessions} = $sessions;
+ $vars->{session_count} = $count;
+ $vars->{session_max} = SESSION_MAX;
+ pop @$sessions if $vars->{too_many_sessions};
+}
 sub DoApiKey {
 my $user = Bugzilla->user;
@@ -669,6 +717,11 @@ SWITCH: for ($current_tab_name) {
 DoApiKey();
 last SWITCH;
 };
+ /^sessions$/ && do {
+ SaveSessions() if $save_changes;
+ DoSessions();
+ last SWITCH;
+ };
 ThrowUserError("unknown_tab", { current_tab_name => $current_tab_name });
--
cgit v1.2.3-24-g4f1b
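Review bot: In SaveSessions the "log out all" branch calls `$info_getter->cookie` without checking that `$info_getter` is set, although DoSessions in the same hunk guards the same lookup with `if ($info_getter)`; when `$user->authorizer` is false the `&&` expression yields a false non-object and the method call dies after `bz_start_transaction`. Use `if ($info_getter && $info_getter->cookie) {` and decide explicitly what a revoke-all request means when there is no current cookie (I am inferring that a login can arrive without one): as written nothing is deleted and nothing is reported, so the user may believe their other sessions were revoked. Separately, DoSessions places the session objects, which carry the raw value read as `$session->{cookie}`, into `$vars->{sessions}`; the template is not part of this diff, so it is worth confirming that only the session id is ever rendered into the page.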