From: jetmind@apache.org
To: commits@allura.apache.org
Message-Id: <275619fe04e04867893db08350e80e44@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: allura git commit: [#7799] invalidate all other sessions when changing your password
Date: Wed, 19 Nov 2014 14:42:20 +0000 (UTC)

Repository: allura
Updated Branches:
refs/heads/master 28cd97697 -> f2baa55c7

[#7799] invalidate all other sessions when changing your password

logout() uses invalidate() so that a new session is created, and a force-logged-out session isn't stuck forever unable to log in again

minor other cleanup of unneeded beaker.session things.

Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/f2baa55c
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/f2baa55c
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/f2baa55c

Branch: refs/heads/master
Commit: f2baa55c7822bceee00242d836db13f01ef6b11f
Parents: 28cd976
Author: Dave Brondsema
Authored: Mon Nov 17 19:09:16 2014 +0000
Committer: Dave Brondsema
Committed: Tue Nov 18 19:39:59 2014 +0000

----------------------------------------------------------------------
Allura/allura/controllers/auth.py | 3 +++
Allura/allura/controllers/basetest_project_root.py | 3 +++
Allura/allura/lib/plugin.py | 17 ++++++++++++-----
Allura/development.ini | 1 -
AlluraTest/alluratest/controller.py | 1 -
5 files changed, 18 insertions(+), 7 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/allura/blob/f2baa55c/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index ef7935f..f971b0a 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -229,6 +229,7 @@ class AuthController(BaseController):
 display_name=display_name,
 password=pw,
 pending=require_email))
+ user.set_tool_data('allura', pwd_reset_preserve_session=session.id) # else the first password set causes this session to be invalidated
 if require_email:
 em = user.claim_address(email)
 em.send_verification_link()
@@ -406,6 +407,7 @@ class AuthController(BaseController):
 expired_username = session.get('expired-username')
 expired_user = M.User.query.get(username=expired_username) if expired_username else None
 ap.set_password(expired_user or c.user, kw['oldpw'], kw['pw'])
+ expired_user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
 except wexc.HTTPUnauthorized:
 flash('Incorrect password', 'error')
 redirect(tg.url('/auth/pwd_expired', dict(return_to=return_to)))
@@ -554,6 +556,7 @@ class PreferencesController(BaseController):
 ap = plugin.AuthenticationProvider.get(request)
 try:
 ap.set_password(c.user, kw['oldpw'], kw['pw'])
+ c.user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
 except wexc.HTTPUnauthorized:
 flash('Incorrect password', 'error')
 redirect('.')

http://git-wip-us.apache.org/repos/asf/allura/blob/f2baa55c/Allura/allura/controllers/basetest_project_root.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/basetest_project_root.py b/Allura/allura/controllers/basetest_project_root.py
index 91c16da..a2df7a2 100644
--- a/Allura/allura/controllers/basetest_project_root.py
+++ b/Allura/allura/controllers/basetest_project_root.py
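Review bot: In the pwd_expired hunk (@@ -406), the added `expired_user.set_tool_data(...)` dereferences `expired_user` unconditionally, while the line above it explicitly allows that value to be None (`expired_user or c.user` is what set_password receives). When the session carries no 'expired-username' the new line raises AttributeError after the password has already been changed, and because the preserve marker is then never written, the new check in plugin.py will log this very session out on the next request. Use the same fallback as the call above it: `(expired_user or c.user).set_tool_data('allura', pwd_reset_preserve_session=session.id)`. The enclosing method starts and ends outside the hunk.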
@@ -127,6 +127,9 @@ class BasetestProjectRootController(WsgiDispatchController, ProjectController):
 if not user:
 user = M.User.anonymous()
 environ['beaker.session']['username'] = user.username
+ # save and persist, so that a creation time is set
+ environ['beaker.session'].save()
+ environ['beaker.session'].persist()
 c.user = auth.authenticate_request()
 return WsgiDispatchController.__call__(self, environ, start_response)

http://git-wip-us.apache.org/repos/asf/allura/blob/f2baa55c/Allura/allura/lib/plugin.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index c0dbf51..ea66b60 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -106,6 +106,13 @@ class AuthenticationProvider(object):
 if user.disabled or user.pending:
 self.logout()
 return M.User.anonymous()
+ if not user.is_anonymous() and \
+ self.get_last_password_updated(user) > datetime.utcfromtimestamp(self.session.created) and \
+ user.get_tool_data('allura', 'pwd_reset_preserve_session') != self.session.id:
+ log.debug('Session logged out: due to user %s pwd change %s > %s', user.username,
+ self.get_last_password_updated(user), datetime.utcfromtimestamp(self.session.created))
+ self.logout()
+ return M.User.anonymous()
 if self.session.get('pwd-expired') and request.path not in self.pwd_expired_allowed_urls:
 if self.request.environ['REQUEST_METHOD'] == 'GET':
@@ -130,7 +137,7 @@ class AuthenticationProvider(object):
 def _login(self):
 '''
- Authorize a user, usually using self.request.params['username'] and ['password']
+ Authorize a user, usually using ``self.request.params['username']`` and ``['password']``
 :rtype: :class:`User `
 :raises: HTTPUnauthorized if user not found, or credentials are not valid
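Review bot: The new password-change check in the plugin.py hunk (@@ -106) calls `datetime.utcfromtimestamp(self.session.created)` with no guard; the basetest controller hunk in this same commit has to save() and persist() the session "so that a creation time is set", which suggests a session that has not yet been persisted may have no creation time, and `utcfromtimestamp(None)` raises TypeError. `get_last_password_updated` is not part of this diff; if it can return None for accounts that predate the timestamp, the `>` comparison is fragile as well (silently False on Python 2, TypeError on Python 3). I would bind both values once and state explicitly what a missing value means — a session without a creation time probably fails closed (logged out), a user without a password timestamp fails open — instead of letting the comparison decide, and it also saves computing both values twice for the log line. The enclosing authenticate_request method starts and ends outside the hunk.
```python
# … unchanged: disabled/pending check …
last_pwd_change = self.get_last_password_updated(user)
session_created = self.session.created
if not user.is_anonymous() and last_pwd_change is not None and \
        (session_created is None or last_pwd_change > datetime.utcfromtimestamp(session_created)) and \
        user.get_tool_data('allura', 'pwd_reset_preserve_session') != self.session.id:
    log.debug('Session logged out: due to user %s pwd change %s > session created %s',
              user.username, last_pwd_change, session_created)
    self.logout()
    return M.User.anonymous()
# … unchanged: pwd-expired handling …
```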
@@ -168,10 +175,7 @@ class AuthenticationProvider(object):
 raise
 def logout(self):
- self.session['login_expires'] = None
- self.session['username'] = None
- self.session['pwd-expired'] = False
- self.session.save()
+ self.session.invalidate()
 response.delete_cookie('allura-loggedin')
 def validate_password(self, user, password):
@@ -205,6 +209,9 @@ class AuthenticationProvider(object):
 '''
 Set a user's password.
+ A provider implementing this method should store the timestamp of this change, either on ``user.last_password_updated`` or
+ somewhere else that a custom ``get_last_password_updated`` method uses.
+
 :param user: a :class:`User `
 :rtype: None
 :raises: HTTPUnauthorized if old_password is not valid

http://git-wip-us.apache.org/repos/asf/allura/blob/f2baa55c/Allura/development.ini
----------------------------------------------------------------------
diff --git a/Allura/development.ini b/Allura/development.ini
index c772e5f..0de4e80 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -311,7 +311,6 @@ full_stack = true
 cache_dir = %(here)s/data
 beaker.session.key = allura
 beaker.session.type = cookie
-beaker.session.secret = 61ece7db-ba8d-49fe-a923-ab444741708c
 beaker.session.validate_key = 714bfe3612c42390726f
 # Ming setup

http://git-wip-us.apache.org/repos/asf/allura/blob/f2baa55c/AlluraTest/alluratest/controller.py
----------------------------------------------------------------------
diff --git a/AlluraTest/alluratest/controller.py b/AlluraTest/alluratest/controller.py
index 433431f..4237624 100644
--- a/AlluraTest/alluratest/controller.py
+++ b/AlluraTest/alluratest/controller.py
@@ -125,7 +125,6 @@ def setup_unit_test():
 REGISTRY.register(url, lambda: None)
 REGISTRY.register(request, Request.blank('/'))
 REGISTRY.register(response, Response())
- REGISTRY.register(session, beaker.session.SessionObject({}))
 REGISTRY.register(allura.credentials, allura.lib.security.Credentials())
 c.model_cache = None
 ThreadLocalORMSession.close_all()
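Review bot: The rewritten `logout()` calls `self.session.invalidate()` but drops the explicit `self.session.save()` the old body had, so whether the cleared and re-keyed session actually reaches the response now depends on beaker treating invalidate() as a dirtying change. With the cookie session type that development.ini configures, my recollection is that an un-saved session is re-serialized from its original data at persist time, which would silently undo the logout; please verify against the beaker version in use. Keeping `self.session.save()` immediately after `self.session.invalidate()` costs nothing and removes the doubt. The method is fully within the hunk.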