Added underlying code to sessions page.

2018-03-26 04:08:35 +02:00 · 2018-03-26 04:08:35 +02:00 · 13c1c0722e
commit 13c1c0722e
parent cc75f3eedd
3 changed files with 38 additions and 4 deletions
--- a/assets/less/mio/classes/settings/sessions.less
+++ b/assets/less/mio/classes/settings/sessions.less
@ -22,6 +22,10 @@
        &:not(:last-child) {
            margin-bottom: 1px;
        }
+
+        &--current {
+            background-color: #c2affe;
+        }
    }

    &__column {
--- a/public/settings.php
+++ b/public/settings.php
@ -84,7 +84,7 @@ if ($settings_mode === null) {
    $settings_mode = key($settings_modes);
 }

-$app->templating->vars(compact('settings_mode', 'settings_modes', 'settings_user'));
+$app->templating->vars(compact('settings_mode', 'settings_modes', 'settings_user', 'settings_session'));

 if (!array_key_exists($settings_mode, $settings_modes)) {
    http_response_code(404);
@ -319,6 +319,34 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {

            $settings_errors[] = "You shouldn't have done that.";
            break;
+
+        case 'sessions':
+            if (!tmp_csrf_verify($_POST['csrf'] ?? '')) {
+                $settings_errors[] = $csrf_error_str;
+                break;
+            }
+
+            $session_id = (int)($_POST['session'] ?? 0);
+
+            if ($session_id < 1) {
+                $settings_errors[] = 'no';
+                break;
+            }
+
+            $session = Session::find($session_id);
+
+            if ($session === null || $session->user_id !== $settings_user->user_id) {
+                $settings_errors[] = 'You may only end your own sessions.';
+                break;
+            }
+
+            if ($session->session_id === $app->getSession()->session_id) {
+                header('Location: /auth.php?m=logout&s=' . tmp_csrf_token());
+                return;
+            }
+
+            $session->delete();
+            break;
    }
 }

--- a/views/mio/settings/sessions.twig
+++ b/views/mio/settings/sessions.twig
@ -3,7 +3,7 @@
 {% block settings_content %}
    <div class="mio__settings__sessions">
        {% for session in user_sessions %}
-            <div class="mio__settings__sessions__entry" id="session-{{ session.session_id }}">
+            <div class="mio__settings__sessions__entry{% if session.session_id == settings_session.session_id %} mio__settings__sessions__entry--current{% endif %}" id="session-{{ session.session_id }}">
                <div class="mio__settings__sessions__column mio__settings__sessions__column--ip">
                    <div class="mio__settings__sessions__column__name">
                        IP
@ -38,9 +38,11 @@
                        </div>
                    </div>
                {% endif %}
-                <div class="mio__settings__sessions__column mio__settings__sessions__column--options">
+                <form class="mio__settings__sessions__column mio__settings__sessions__column--options" method="post" action="?m=sessions">
+                    <input type="hidden" name="csrf" value="{{ csrf_token() }}">
+                    <input type="hidden" name="session" value="{{ session.session_id }}">
                    <button class="mio__input__button mio__settings__sessions__button">Kill</button>
-                </div>
+                </form>
            </div>
        {% endfor %}
    </div>