From 13c1c0722e39d8a9740c4307236009d2af76b127 Mon Sep 17 00:00:00 2001
From: flashwave
Date: Mon, 26 Mar 2018 04:08:35 +0200
Subject: [PATCH] Added underlying code to sessions page.

---
 .../less/mio/classes/settings/sessions.less | 4 +++
 public/settings.php | 30 ++++++++++++++++++-
 views/mio/settings/sessions.twig | 8 +++--
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/assets/less/mio/classes/settings/sessions.less b/assets/less/mio/classes/settings/sessions.less
index 8201310f..87ca09c7 100644
--- a/assets/less/mio/classes/settings/sessions.less
+++ b/assets/less/mio/classes/settings/sessions.less
@@ -22,6 +22,10 @@
 &:not(:last-child) {
 margin-bottom: 1px;
 }
+
+ &--current {
+ background-color: #c2affe;
+ }
 }

 &__column {
diff --git a/public/settings.php b/public/settings.php
index 6b232b30..897e3a32 100644
--- a/public/settings.php
+++ b/public/settings.php
@@ -84,7 +84,7 @@ if ($settings_mode === null) {
 $settings_mode = key($settings_modes);
 }

-$app->templating->vars(compact('settings_mode', 'settings_modes', 'settings_user'));
+$app->templating->vars(compact('settings_mode', 'settings_modes', 'settings_user', 'settings_session'));

 if (!array_key_exists($settings_mode, $settings_modes)) {
 http_response_code(404);
@@ -319,6 +319,34 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {

 $settings_errors[] = "You shouldn't have done that.";
 break;
+
+ case 'sessions':
+ if (!tmp_csrf_verify($_POST['csrf'] ?? '')) {
+ $settings_errors[] = $csrf_error_str;
+ break;
+ }
+
+ $session_id = (int)($_POST['session'] ?? 0);
+
+ if ($session_id < 1) {
+ $settings_errors[] = 'no';
+ break;
+ }
+
+ $session = Session::find($session_id);
+
+ if ($session === null || $session->user_id !== $settings_user->user_id) {
+ $settings_errors[] = 'You may only end your own sessions.';
+ break;
+ }
+
+ if ($session->session_id === $app->getSession()->session_id) {
+ header('Location: /auth.php?m=logout&s=' . tmp_csrf_token());
+ return;
+ }
+
+ $session->delete();
+ break;
 }
 }
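Review bot: `compact()` is now asked for `'settings_session'`, but neither hunk of this commit assigns `$settings_session`, and the new `sessions` handler reads the current session through `$app->getSession()` instead. If the variable is not already defined earlier in `public/settings.php` (not visible here), `compact()` leaves the key out, with a notice on PHP 7.3 and later, and anything in the template that relies on it silently sees nothing. Assigning it before this call, e.g. `$settings_session = $app->getSession();`, would make the dependency explicit.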
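Review bot: The self-termination branch of the new `case 'sessions':` places a CSRF token in the redirect URL (`/auth.php?m=logout&s=...`), so the token lands in access logs, browser history and possibly Referer headers, and it is concatenated without `rawurlencode()`. If `tmp_csrf_token()` returns the same value the POST forms accept (its implementation is not visible here), that exposure covers every form; ending the current session inside this already CSRF-verified POST handler and then redirecting to a token-free URL would avoid sending the token over GET. Separately, `$settings_errors[] = 'no';` gives the user nothing actionable, and a successful `$session->delete();` falls through without a redirect, so reloading the page re-submits the form. The enclosing `switch` and the `if ($_SERVER['REQUEST_METHOD'] === 'POST')` block start outside the hunk.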
diff --git a/views/mio/settings/sessions.twig b/views/mio/settings/sessions.twig
index aa2d4ba2..793c415a 100644
--- a/views/mio/settings/sessions.twig
+++ b/views/mio/settings/sessions.twig
@@ -3,7 +3,7 @@ {% block settings_content %}
{% for session in user_sessions %} -
+
IP @@ -38,9 +38,11 @@
{% endif %} -
+
+ + -
+
{% endfor %}