From 07e7f03373c6459cee3dc599c43d4f18a5a1ba11 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Tue, 16 Dec 2014 09:15:01 +0000
Subject: [PATCH] Updates to the 'Log out everywhere' implementation.

* Include a message and a disabled button when you're only logged in at one location.
* Avoid leaking the session token in HTML.
* Simplify, simplify, simplify.

see #30264.

git-svn-id: https://develop.svn.wordpress.org/trunk@30888 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/css/common.css            |  3 +-
 src/wp-admin/includes/ajax-actions.php | 40 +++++++------------------
 src/wp-admin/js/user-profile.js        | 30 ++++++++----------
 src/wp-admin/user-edit.php             | 28 +++++++++---------
 src/wp-includes/script-loader.php      |  2 +-
 5 files changed, 40 insertions(+), 63 deletions(-)

diff --git a/src/wp-admin/css/common.css b/src/wp-admin/css/common.css
index 40332ce184..ac1f575f99 100644
--- a/src/wp-admin/css/common.css
+++ b/src/wp-admin/css/common.css
@@ -1265,7 +1265,8 @@ div.error {
 
 .notice p,
 div.updated p,
-div.error p {
+div.error p,
+.form-table td .notice p {
 	margin: 0.5em 0;
 	padding: 2px;
 }
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 5dcbd5ad67..9024a2c180 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -2771,42 +2771,25 @@ function wp_ajax_parse_media_shortcode() {
  */
 function wp_ajax_destroy_sessions() {
-	if ( empty( $_POST['user_id'] ) ) {
-		$user = new WP_Error();
-	} else {
-		$user = new WP_User( absint( $_POST['user_id'] ) );
-
-		if ( ! $user->exists() ) {
-			$user = new WP_Error();
-		} elseif ( ! current_user_can( 'edit_user', $user->ID ) ) {
-			$user = new WP_Error();
-		} elseif ( ! check_ajax_referer( sprintf( 'destroy_sessions_%d', $user->ID ), false, false ) ) {
-			$user = new WP_Error();
+	$user = get_userdata( (int) $_POST['user_id'] );
+	if ( $user ) {
+		if ( ! current_user_can( 'edit_user', $user->ID ) ) {
+			$user = false;
+		} elseif ( ! wp_verify_nonce( $_POST['nonce'], 'update-user_' . $user->ID ) ) {
+			$user = false;
 		}
 	}
 
-	if ( is_wp_error( $user ) ) {
+	if ( ! $user ) {
 		wp_send_json_error( array(
 			'message' => __( 'Could not log out user sessions. Please try again.' ),
 		) );
 	}
 
-	// 'token' is only set if the initiating user is viewing their own profile-editing screen.
-	if ( isset( $_POST['token'] ) ) {
-		$keep = wp_unslash( $_POST['token'] );
-	} else {
-		$keep = null;
-	}
-
 	$sessions = WP_Session_Tokens::get_instance( $user->ID );
 
-	/*
-	 * If $keep is a string, then the current user is destroying all of their own sessions
-	 * except the current one. If $keep is not a string, the current user is destroying all
-	 * of another user's sessions with no exceptions.
-	 */
-	if ( is_string( $keep ) ) {
-		$sessions->destroy_others( $keep );
+	if ( $user->ID === get_current_user_id() ) {
+		$sessions->destroy_others( wp_get_session_token() );
 		$message = __( 'You are now logged out everywhere else.' );
 	} else {
 		$sessions->destroy_all();
@@ -2814,8 +2797,5 @@ function wp_ajax_destroy_sessions() {
 		$message = sprintf( __( '%s has been logged out.' ), $user->display_name );
 	}
 
-	wp_send_json_success( array(
-		'message' => $message
-	) );
-
+	wp_send_json_success( array( 'message' => $message ) );
 }
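Review bot: `$_POST['user_id']` and `$_POST['nonce']` are read without an isset() check in the new guard at the top of wp_ajax_destroy_sessions(), so a request missing either field raises an undefined-index notice before the `! $user` branch rejects it. The outcome should still be the JSON error, since `(int)` of a missing value is 0 and get_userdata( 0 ) returns false, but the notice is avoidable with `$user = empty( $_POST['user_id'] ) ? false : get_userdata( (int) $_POST['user_id'] );` and `$nonce = isset( $_POST['nonce'] ) ? $_POST['nonce'] : '';` ahead of the wp_verify_nonce() call. It is also worth a line of documentation that the handler now relies on the user-edit form's `update-user_{ID}` nonce rather than a dedicated one, e.g. `// Reuses the profile form's nonce; no separate destroy-sessions nonce is issued.`, because the JS caller reads it from `#_wpnonce` and nothing in this function says so. The function's closing brace is in the following hunk.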
diff --git a/src/wp-admin/js/user-profile.js b/src/wp-admin/js/user-profile.js
index 2dd6e2a69d..ae4b97ab89 100644
--- a/src/wp-admin/js/user-profile.js
+++ b/src/wp-admin/js/user-profile.js
@@ -1,4 +1,4 @@
-/* global ajaxurl, pwsL10n, _wpSessionMangager */
+/* global ajaxurl, pwsL10n */
 (function($){
 
 	function check_pass_strength() {
@@ -125,25 +125,19 @@
 		});
 
 		$( '#destroy-sessions' ).on( 'click', function( e ) {
-			var $this = $(this);
-			var data = {
-				action : 'destroy-sessions',
-				_ajax_nonce : _wpSessionMangager.nonce,
-				user_id : _wpSessionMangager.user_id,
-				token : $(this).data('token')
-			};
-			$.post( ajaxurl, data, function( response ) {
-
-				if ( response.success ) {
-					$this.prop( 'disabled', true );
-					$this.before( '

' + response.data.message + '

' ); - } else { - $this.before( '

' + response.data.message + '

' ); - } - - }, 'json' ); + wp.ajax.post( 'destroy-sessions', { + nonce: $( '#_wpnonce' ).val(), + user_id: $( '#user_id' ).val() + }).done( function( response ) { + $this.prop( 'disabled', true ); + $this.siblings( '.notice' ).remove(); + $this.before( '

' + response.message + '

' ); + }).fail( function( response ) { + $this.siblings( '.notice' ).remove(); + $this.before( '

' + response.message + '

' ); + }); e.preventDefault(); }); diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php index 491f89ab91..e97dfc5836 100644 --- a/src/wp-admin/user-edit.php +++ b/src/wp-admin/user-edit.php @@ -25,15 +25,6 @@ elseif ( ! get_userdata( $user_id ) ) wp_enqueue_script('user-profile'); -wp_localize_script( - 'user-profile', - '_wpSessionMangager', - array( - 'user_id' => $user_id, - 'nonce' => wp_create_nonce( sprintf( 'destroy_sessions_%d', $user_id ) ), - ) -); - $title = IS_PROFILE_PAGE ? __('Profile') : __('Edit User'); if ( current_user_can('edit_users') && !IS_PROFILE_PAGE ) $submenu_file = 'users.php'; @@ -493,17 +484,28 @@ if ( $show_password_fields ) : -get_all() ) > 1 ) ) { ?> +get_all() ) === 1 ) : ?>   -
+
+

+ +

+ + +get_all() ) > 1 ) : ?> + +   + +

-get_all() ) > 0 ) ) { ?> +get_all() ) : ?>   @@ -516,7 +518,7 @@ if ( $show_password_fields ) :
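Review bot: `$sessions->get_all()` is evaluated three times in the new template conditions (`=== 1`, `> 1` and the bare truthiness test), each time only to count the same session list; read it once into a local before the first condition, e.g. `$session_count = count( $sessions->get_all() );`, and test that variable in all three places. That also makes the three branches visibly mutually exclusive, which is hard to confirm when each one re-reads the list. The PHP open and close tags are stripped from this rendering, so the surrounding markup could not be checked.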

- +
diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 3eaa1c89c4..420dcb5148 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -349,7 +349,7 @@ function wp_default_scripts( &$scripts ) {
 		'mismatch' => __('Mismatch')
 	) );
 
-	$scripts->add( 'user-profile', "/wp-admin/js/user-profile$suffix.js", array( 'jquery', 'password-strength-meter' ), false, 1 );
+	$scripts->add( 'user-profile', "/wp-admin/js/user-profile$suffix.js", array( 'jquery', 'password-strength-meter', 'wp-util' ), false, 1 );
 	$scripts->add( 'language-chooser', "/wp-admin/js/language-chooser$suffix.js", array( 'jquery' ), false, 1 );
 	$scripts->add( 'user-suggest', "/wp-admin/js/user-suggest$suffix.js", array( 'jquery-ui-autocomplete' ), false, 1 );