Updates to the 'Log out everywhere' implementation.
* Include a message and a disabled button when you're only logged in at one location.
* Avoid leaking the session token in HTML.
* Simplify, simplify, simplify.

see #30264.

git-svn-id: https://develop.svn.wordpress.org/trunk@30888 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
82d0ba4b60
commit
07e7f03373
@ -1265,7 +1265,8 @@ div.error {
|
||||
|
||||
.notice p,
|
||||
div.updated p,
|
||||
div.error p {
|
||||
div.error p,
|
||||
.form-table td .notice p {
|
||||
margin: 0.5em 0;
|
||||
padding: 2px;
|
||||
}
|
||||
|
@ -2771,42 +2771,25 @@ function wp_ajax_parse_media_shortcode() {
|
||||
*/
|
||||
function wp_ajax_destroy_sessions() {
|
||||
|
||||
if ( empty( $_POST['user_id'] ) ) {
|
||||
$user = new WP_Error();
|
||||
} else {
|
||||
$user = new WP_User( absint( $_POST['user_id'] ) );
|
||||
|
||||
if ( ! $user->exists() ) {
|
||||
$user = new WP_Error();
|
||||
} elseif ( ! current_user_can( 'edit_user', $user->ID ) ) {
|
||||
$user = new WP_Error();
|
||||
} elseif ( ! check_ajax_referer( sprintf( 'destroy_sessions_%d', $user->ID ), false, false ) ) {
|
||||
$user = new WP_Error();
|
||||
$user = get_userdata( (int) $_POST['user_id'] );
|
||||
if ( $user ) {
|
||||
if ( ! current_user_can( 'edit_user', $user->ID ) ) {
|
||||
$user = false;
|
||||
} elseif ( ! wp_verify_nonce( $_POST['nonce'], 'update-user_' . $user->ID ) ) {
|
||||
$user = false;
|
||||
}
|
||||
}
|
||||
|
||||
if ( is_wp_error( $user ) ) {
|
||||
if ( ! $user ) {
|
||||
wp_send_json_error( array(
|
||||
'message' => __( 'Could not log out user sessions. Please try again.' ),
|
||||
) );
|
||||
}
|
||||
|
||||
// 'token' is only set if the initiating user is viewing their own profile-editing screen.
|
||||
if ( isset( $_POST['token'] ) ) {
|
||||
$keep = wp_unslash( $_POST['token'] );
|
||||
} else {
|
||||
$keep = null;
|
||||
}
|
||||
|
||||
$sessions = WP_Session_Tokens::get_instance( $user->ID );
|
||||
|
||||
/*
|
||||
* If $keep is a string, then the current user is destroying all of their own sessions
|
||||
* except the current one. If $keep is not a string, the current user is destroying all
|
||||
* of another user's sessions with no exceptions.
|
||||
*/
|
||||
if ( is_string( $keep ) ) {
|
||||
$sessions->destroy_others( $keep );
|
||||
if ( $user->ID === get_current_user_id() ) {
|
||||
$sessions->destroy_others( wp_get_session_token() );
|
||||
$message = __( 'You are now logged out everywhere else.' );
|
||||
} else {
|
||||
$sessions->destroy_all();
|
||||
@ -2814,8 +2797,5 @@ function wp_ajax_destroy_sessions() {
|
||||
$message = sprintf( __( '%s has been logged out.' ), $user->display_name );
|
||||
}
|
||||
|
||||
wp_send_json_success( array(
|
||||
'message' => $message
|
||||
) );
|
||||
|
||||
wp_send_json_success( array( 'message' => $message ) );
|
||||
}
|
||||
|
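Review bot: `get_userdata( (int) $_POST['user_id'] )` and `wp_verify_nonce( $_POST['nonce'], … )` in the new wp_ajax_destroy_sessions() read request keys without an existence check, so a request missing either key raises an undefined-index notice before the `! $user` error path is reached; the removed version at least guarded `user_id` with `empty()`. Read both defensively first, e.g. `$user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;` and `$nonce = isset( $_POST['nonce'] ) ? $_POST['nonce'] : '';`, then pass those to get_userdata() and wp_verify_nonce(). The action now verifies the profile form's `update-user_{ID}` nonce instead of the dedicated `destroy_sessions_%d` one it used to create, so any context that can obtain the edit-user form nonce can also trigger session destruction for that user; that coupling is intentional per the commit message but deserves a comment at the check, such as `// Reuses the edit-user form nonce; the JS reads it from #_wpnonce on the profile screen.`. The function body spans both hunks of this file.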
@ -1,4 +1,4 @@
|
||||
/* global ajaxurl, pwsL10n, _wpSessionMangager */
|
||||
/* global ajaxurl, pwsL10n */
|
||||
(function($){
|
||||
|
||||
function check_pass_strength() {
|
||||
@ -125,25 +125,19 @@
|
||||
});
|
||||
|
||||
$( '#destroy-sessions' ).on( 'click', function( e ) {
|
||||
|
||||
var $this = $(this);
|
||||
var data = {
|
||||
action : 'destroy-sessions',
|
||||
_ajax_nonce : _wpSessionMangager.nonce,
|
||||
user_id : _wpSessionMangager.user_id,
|
||||
token : $(this).data('token')
|
||||
};
|
||||
|
||||
$.post( ajaxurl, data, function( response ) {
|
||||
|
||||
if ( response.success ) {
|
||||
$this.prop( 'disabled', true );
|
||||
$this.before( '<div class="updated inline"><p>' + response.data.message + '</p></div>' );
|
||||
} else {
|
||||
$this.before( '<div class="error inline"><p>' + response.data.message + '</p></div>' );
|
||||
}
|
||||
|
||||
}, 'json' );
|
||||
wp.ajax.post( 'destroy-sessions', {
|
||||
nonce: $( '#_wpnonce' ).val(),
|
||||
user_id: $( '#user_id' ).val()
|
||||
}).done( function( response ) {
|
||||
$this.prop( 'disabled', true );
|
||||
$this.siblings( '.notice' ).remove();
|
||||
$this.before( '<div class="notice notice-success inline"><p>' + response.message + '</p></div>' );
|
||||
}).fail( function( response ) {
|
||||
$this.siblings( '.notice' ).remove();
|
||||
$this.before( '<div class="notice notice-error inline"><p>' + response.message + '</p></div>' );
|
||||
});
|
||||
|
||||
e.preventDefault();
|
||||
});
|
||||
|
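Review bot: Both handlers concatenate `response.message` into markup via `.before( '<div …><p>' + response.message + '</p></div>' )`, and the other-user success message is built server-side from `$user->display_name` (the `'%s has been logged out.'` sprintf in this commit), so unless display_name is guaranteed HTML-safe at storage time a user-controlled value reaches the admin page unescaped. Build the notice with a text node instead, e.g. `$this.before( $( '<div class="notice notice-success inline" />' ).append( $( '<p />' ).text( response.message ) ) );` and the same with `notice-error` in the `.fail()` handler. The `.fail()` callback also looks like it receives the raw jqXHR rather than the response data on a transport error, in which case `response.message` is undefined; a fallback string there would keep the error notice readable. The handler now reads `#_wpnonce` and `#user_id` from the page, which presumably exist in the user-edit form outside this diff.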
@ -25,15 +25,6 @@ elseif ( ! get_userdata( $user_id ) )
|
||||
|
||||
wp_enqueue_script('user-profile');
|
||||
|
||||
wp_localize_script(
|
||||
'user-profile',
|
||||
'_wpSessionMangager',
|
||||
array(
|
||||
'user_id' => $user_id,
|
||||
'nonce' => wp_create_nonce( sprintf( 'destroy_sessions_%d', $user_id ) ),
|
||||
)
|
||||
);
|
||||
|
||||
$title = IS_PROFILE_PAGE ? __('Profile') : __('Edit User');
|
||||
if ( current_user_can('edit_users') && !IS_PROFILE_PAGE )
|
||||
$submenu_file = 'users.php';
|
||||
@ -493,17 +484,28 @@ if ( $show_password_fields ) :
|
||||
</tr>
|
||||
<?php endif; ?>
|
||||
|
||||
<?php if ( IS_PROFILE_PAGE && ( count( $sessions->get_all() ) > 1 ) ) { ?>
|
||||
<?php
|
||||
if ( IS_PROFILE_PAGE && count( $sessions->get_all() ) === 1 ) : ?>
|
||||
<tr class="user-sessions-wrap hide-if-no-js">
|
||||
<th> </th>
|
||||
<td aria-live="assertive">
|
||||
<div class="destroy-sessions"><button class="button button-secondary" id="destroy-sessions" data-token="<?php echo esc_attr( wp_get_session_token() ); ?>"><?php _e( 'Log Out of All Other Sessions' ); ?></button></div>
|
||||
<div class="destroy-sessions"><button disabled class="button button-secondary"><?php _e( 'Log Out of All Other Sessions' ); ?></button></div>
|
||||
<p class="description">
|
||||
<?php _e( 'You are only logged in at this location.' ); ?>
|
||||
</p>
|
||||
</td>
|
||||
</tr>
|
||||
<?php elseif ( IS_PROFILE_PAGE && count( $sessions->get_all() ) > 1 ) : ?>
|
||||
<tr class="user-sessions-wrap hide-if-no-js">
|
||||
<th> </th>
|
||||
<td aria-live="assertive">
|
||||
<div class="destroy-sessions"><button class="button button-secondary" id="destroy-sessions"><?php _e( 'Log Out of All Other Sessions' ); ?></button></div>
|
||||
<p class="description">
|
||||
<?php _e( 'Left your account logged in at a public computer? Lost your phone? This will log you out everywhere except your current browser.' ); ?>
|
||||
</p>
|
||||
</td>
|
||||
</tr>
|
||||
<?php } else if ( ! IS_PROFILE_PAGE && ( count( $sessions->get_all() ) > 0 ) ) { ?>
|
||||
<?php elseif ( ! IS_PROFILE_PAGE && $sessions->get_all() ) : ?>
|
||||
<tr class="user-sessions-wrap hide-if-no-js">
|
||||
<th> </th>
|
||||
<td>
|
||||
@ -516,7 +518,7 @@ if ( $show_password_fields ) :
|
||||
</p>
|
||||
</td>
|
||||
</tr>
|
||||
<?php } ?>
|
||||
<?php endif; ?>
|
||||
|
||||
</table>
|
||||
|
||||
|
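Review bot: `count( $sessions->get_all() )` is evaluated in the first two branches and `$sessions->get_all()` again in the third of the new `if`/`elseif` chain, so the session store is read up to three times for one decision; hoist it once above the chain, `$session_count = count( $sessions->get_all() );`, and test `=== 1`, `> 1` and `> 0` against that variable. `$sessions` itself is assigned outside this hunk. The removed `wp_localize_script()` block was the only place the nonce and user id were handed to the script; the new JS reads them from the form's `#_wpnonce` and `#user_id` fields, which are not in this diff, so those ids in the template are now part of the script's contract and should be kept stable.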
@ -349,7 +349,7 @@ function wp_default_scripts( &$scripts ) {
|
||||
'mismatch' => __('Mismatch')
|
||||
) );
|
||||
|
||||
$scripts->add( 'user-profile', "/wp-admin/js/user-profile$suffix.js", array( 'jquery', 'password-strength-meter' ), false, 1 );
|
||||
$scripts->add( 'user-profile', "/wp-admin/js/user-profile$suffix.js", array( 'jquery', 'password-strength-meter', 'wp-util' ), false, 1 );
|
||||
$scripts->add( 'language-chooser', "/wp-admin/js/language-chooser$suffix.js", array( 'jquery' ), false, 1 );
|
||||
|
||||
$scripts->add( 'user-suggest', "/wp-admin/js/user-suggest$suffix.js", array( 'jquery-ui-autocomplete' ), false, 1 );
|
||||
|