From a1a8a0cf29a680582caf8ff812c76aa12162f944 Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs
Date: Sun, 25 Jul 2021 05:24:03 +0200
Subject: [PATCH] Logout if logged out and don't allow to get logged in afterwards
---
 cps/admin.py | 7 +++++--
 cps/ub.py | 20 +++++++++++++++++++-
 cps/web.py | 4 ++++
 3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/cps/admin.py b/cps/admin.py
index 7507d725..0e5949b2 100644
--- a/cps/admin.py
+++ b/cps/admin.py
@@ -34,6 +34,7 @@ from babel.dates import format_datetime
 from flask import Blueprint, flash, redirect, url_for, abort, request, make_response, send_from_directory, g, Response
 from flask_login import login_required, current_user, logout_user, confirm_login
 from flask_babel import gettext as _
+from flask import session as flask_session
 from sqlalchemy import and_
 from sqlalchemy.orm.attributes import flag_modified
 from sqlalchemy.exc import IntegrityError, OperationalError, InvalidRequestError
@@ -98,8 +99,10 @@ def admin_required(f):
 
 @admi.before_app_request
 def before_request():
- if current_user.is_authenticated:
- confirm_login()
+ if not ub.check_user_session(current_user.id, flask_session.get('_id')):
+ logout_user()
+ # if current_user.is_authenticated:
+ # confirm_login()
 g.constants = constants
 g.user = current_user
 g.allow_registration = config.config_public_reg
diff --git a/cps/ub.py b/cps/ub.py
index c334ff59..e98e3dea 100644
--- a/cps/ub.py
+++ b/cps/ub.py
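Review bot: The new guard in before_request logs out every request whose session id is not in ub.logged_in, but store_user_session is only ever called from the login view, so any authenticated session not created through that view in this process fails the check on its first request — a session restored from the remember-me cookie (Flask-Login's remember loader does not go through login_user and, as far as I can tell, sets no `_id`), every session after a restart of the process, and any login handled by a different worker in a multi-process deployment, since the dict is process-local. The check also runs for anonymous requests: the anonymous user's id is never registered, so `logout_user()` is called on every unauthenticated request (or, if that user class has no `id`, the line raises AttributeError); guard it with `if current_user.is_authenticated and not ub.check_user_session(current_user.id, flask_session.get('_id', "")):` so only real sessions are validated, and use the same `""` default the helpers in ub.py use. If remember-me and multi-worker setups are meant to keep working, the registry needs to live in the app database rather than in a module-level dict. The two commented-out `confirm_login` lines are dead code and should be removed rather than kept.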
@@ -60,6 +60,24 @@ app_DB_path = None
 Base = declarative_base()
 searched_ids = {}
+logged_in = dict()
+
+def store_user_session():
+ if flask_session.get('_user_id', ""):
+ if logged_in.get(flask_session.get('_user_id', "")):
+ logged_in[flask_session.get('_user_id', "")].append(flask_session.get('_id', ""))
+ else:
+ logged_in[flask_session.get('_user_id', "")] = [flask_session.get('_id', "")]
+ log.info(flask_session.get('_id', ""))
+
+def delete_user_session(user_id, session_key):
+ try:
+ logged_in.get(str(user_id), []).remove(session_key)
+ except ValueError:
+ pass
+
+def check_user_session(user_id, session_key):
+ return session_key in logged_in.get(str(user_id), [])
 
 
 def store_ids(result):
 ids = list()
@@ -72,7 +90,7 @@ class UserBase:
 
 @property
 def is_authenticated(self):
- return True
+ return self.is_active
 
 def _has_role(self, role_flag):
 return constants.has_flag(self.role, role_flag)
diff --git a/cps/web.py b/cps/web.py
index ba3c5ae3..e55a6a29 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -1513,6 +1513,7 @@ def login():
 login_result, error = services.ldap.bind_user(form['username'], form['password'])
 if login_result:
 login_user(user, remember=bool(form.get('remember_me')))
+ ub.store_user_session()
 log.debug(u"You are now logged in as: '%s'", user.name)
 flash(_(u"you are now logged in as: '%(nickname)s'", nickname=user.name),
 category="success")
@@ -1520,6 +1521,7 @@ def login():
 elif login_result is None and user and check_password_hash(str(user.password), form['password']) \
 and user.name != "Guest":
 login_user(user, remember=bool(form.get('remember_me')))
+ ub.store_user_session()
 log.info("Local Fallback Login as: '%s'", user.name)
 flash(_(u"Fallback Login as: '%(nickname)s', LDAP Server not reachable, or user not known",
 nickname=user.name),
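Review bot: The session registry added here only grows: store_user_session appends on every login, including a second identical id, and entries are removed only by delete_user_session on an explicit logout, so sessions that expire or are simply abandoned keep their id in the process-local dict forever, while a restart drops all of them. `log.info(flask_session.get('_id', ""))` also writes the bare session identifier to the log at INFO with no message text; if `_id` is Flask-Login's default identifier (a hash of remote address and user agent rather than a random per-login secret — worth confirming for the deployed flask_login version) it is not a credential, but it is still an unexplained value in the log, and a debug-level message naming the user id is more useful. Storing ids in a set per user removes the duplicate entries and the ValueError handling in delete_user_session, and `logged_in = {}` is the idiomatic spelling; the rewrite below keeps check_user_session as is, since `in` works on a set. Expiring stale entries (for example on the session lifetime) would still need a separate mechanism.
```python
logged_in = {}

def store_user_session():
    # Register the current Flask-Login session id for the logged-in user.
    user_id = flask_session.get('_user_id', "")
    if user_id:
        logged_in.setdefault(user_id, set()).add(flask_session.get('_id', ""))
        log.debug("Registered session for user id %s", user_id)

def delete_user_session(user_id, session_key):
    # No-op when the id was never registered (e.g. the process restarted).
    logged_in.get(str(user_id), set()).discard(session_key)

# … unchanged: check_user_session …
```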
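Review bot: `return self.is_active` ties is_authenticated to a property that is not defined in this hunk; if UserBase.is_active is the same constant True the old body returned, the change has no effect, and if it reflects account state it silently changes what login_required accepts for existing users. Either way a one-line comment explaining the intent would help, e.g. `# an inactive account is never treated as authenticated, even with a valid session cookie`. The rest of UserBase is outside the hunk.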
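Review bot: `ub.store_user_session()` is now pasted after each `login_user(...)` call in three branches of login() (this hunk, the fallback branch at @@ -1520 and the local branch at @@ -1549), and any other code path that calls login_user without it — the OAuth login, if one exists outside this diff — creates a session that admin.before_request will log out on its next request. Wrapping the pair in one helper keeps the registration from being forgotten: `def _login_and_register(user, remember):` / `    login_user(user, remember=remember)` / `    ub.store_user_session()`, called as `_login_and_register(user, bool(form.get('remember_me')))` in the three branches. login() starts and ends outside these hunks.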
@@ -1549,6 +1551,7 @@ def login():
 else:
 if user and check_password_hash(str(user.password), form['password']) and user.name != "Guest":
 login_user(user, remember=bool(form.get('remember_me')))
+ ub.store_user_session()
 log.debug(u"You are now logged in as: '%s'", user.name)
 flash(_(u"You are now logged in as: '%(nickname)s'", nickname=user.name), category="success")
 config.config_is_initial = False
@@ -1572,6 +1575,7 @@ def login():
 @login_required
 def logout():
 if current_user is not None and current_user.is_authenticated:
+ ub.delete_user_session(current_user.id, flask_session.get('_id',""))
 logout_user()
 if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3):
 logout_oauth_user()
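Review bot: `flask_session.get('_id',"")` in logout() uses a `""` default while the matching check in admin.before_request reads `flask_session.get('_id')` with no default; the two should agree (and PEP 8 wants a space after the comma: `flask_session.get('_id', "")`), otherwise a session without an `_id` is compared against None in one place and "" in the other. The order here is right — the id is read before `logout_user()` clears the session — so a short comment would keep a later edit from reordering it: `# read the session id before logout_user() clears it`. logout() continues outside the hunk.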