From 9ec826364ada5906c775152c1f681292ffea1b92 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 15 Feb 2008 12:49:23 +0100
Subject: [PATCH] invalidate all user session cache when userdatabase is
 changed FS#1085

A reference file is now stored in data/cache/sessionpurge and is used to
check if user sessions are still valid.

To accommodate slow auth backends, DokuWiki caches user info for
a certain time in the user session.

darcs-hash:20080215114923-7ad00-6874d5211efce7d07e54de37244becc2387c1ba7.gz
---
 inc/auth.php                      |  1 +
 lib/plugins/usermanager/admin.php | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/inc/auth.php b/inc/auth.php
index d511930dc..48888da1e 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -157,6 +157,7 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
     if($user && $pass){
       // we got a cookie - see if we can trust it
       if(isset($session) &&
+        ($session['time'] >= @filemtime($conf['cachedir'].'/sessionpurge')) &&
         ($session['time'] >= time()-$conf['auth_security_timeout']) &&
         ($session['user'] == $user) &&
         ($session['pass'] == $pass) &&  //still crypted
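Review bot: The added comparison on line 27 uses `>=` against a second-granularity mtime, so a session whose cache was written in the same second the purge file is created still passes and keeps its cached credentials for up to `auth_security_timeout`; `($session['time'] > @filemtime($conf['cachedir'].'/sessionpurge'))` closes that window, at the cost of re-validating sessions touched in that same second through the non-cached path, which lies outside this hunk so I cannot confirm it re-checks the backend. `@filemtime()` returns `false` when the file does not exist, which compares as `0` and therefore passes; that is presumably the intended "never purged" case but deserves a comment such as `// no sessionpurge file yet: filemtime() is false (0), so every cached session passes`. Because only the mtime is consulted (the `time()` value written into the file is never read), deleting the file — e.g. by cache housekeeping, if that ever sweeps this directory — silently re-validates sessions that were purged but are still within the timeout, so the file should be documented as security-relevant rather than disposable cache. auth_login's body starts before and continues past this hunk.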
diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php
index e20078d04..c5b720444 100644
--- a/lib/plugins/usermanager/admin.php
+++ b/lib/plugins/usermanager/admin.php
@@ -364,6 +364,8 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
      * Delete user
      */
     function _deleteUser(){
+        global $conf;
+
         if (!checkSecurityToken()) return false;
         if (!$this->_auth->canDo('delUser')) return false;
 
@@ -381,6 +383,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
           msg("$part1, $part2",-1);
         }
 
+        // invalidate all sessions
+        io_saveFile($conf['cachedir'].'/sessionpurge',time());
+
         return true;
     }
 
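Review bot: The `io_saveFile()` call on line 49 discards its result, so if the cache directory is not writable the purge marker is never created, the admin still sees the deletion reported as successful, and the deleted user's cached session keeps working until `auth_security_timeout` expires. Assuming `io_saveFile()` returns a status (its definition is outside this hunk), the write should be checked, e.g. `if(!io_saveFile($conf['cachedir'].'/sessionpurge',time())) msg('Could not invalidate cached user sessions',-1);`. Writing the marker even on the partial-failure path visible on line 45 is the right direction (over-invalidation is safe), but a one-line comment saying so would stop a later cleanup from moving it into the success branch. _deleteUser's body starts before this hunk.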
@@ -410,6 +415,8 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
      * Modify user (modified user data has been recieved)
      */
     function _modifyUser(){
+        global $conf;
+
         if (!checkSecurityToken()) return false;
         if (!$this->_auth->canDo('UserMod')) return false;
 
@@ -455,6 +462,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
             $this->_notifyUser($notify,$newpass);
           }
 
+          // invalidate all sessions
+          io_saveFile($conf['cachedir'].'/sessionpurge',time());
+
         } else {
           msg($this->lang['update_fail'],-1);
         }
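Review bot: Line 68 repeats the exact `io_saveFile($conf['cachedir'].'/sessionpurge',time())` expression from the delete path, and the same path string is hard-coded a third time in inc/auth.php, so a rename or a change of the invalidation mechanism has to be applied in three places; a single helper such as `auth_purgeSessions()` next to the check in inc/auth.php would keep the file name and the write in one spot. The comment `// invalidate all sessions` should also say why this is global, e.g. `// invalidate every cached session: the change may affect credentials or groups, and only the backend can say which users it touches`, since every logged-in user is sent back to the (possibly slow) backend on their next request even for a display-name edit. _modifyUser's body starts before this hunk.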
-- 
GitLab