diff --git a/pagure/templates/user_settings.html b/pagure/templates/user_settings.html index f5a6ae1..023ad3f 100644 --- a/pagure/templates/user_settings.html +++ b/pagure/templates/user_settings.html @@ -271,9 +271,11 @@
Forcefully log out from every current open session.
- - Log out all currently active sessions - + diff --git a/pagure/ui/app.py b/pagure/ui/app.py index c4f3425..81a0a70 100644 --- a/pagure/ui/app.py +++ b/pagure/ui/app.py @@ -1448,16 +1448,18 @@ def force_logout(): """ Set refuse_sessions_before, logging the user out everywhere """ if admin_session_timedout(): - if flask.request.method == "POST": - flask.flash("Action canceled, try it again", "error") + flask.flash("Action canceled, try it again", "error") return flask.redirect( flask.url_for("auth_login", next=flask.request.url) ) - # Ensure the user is in the DB at least - user = _get_user(username=flask.g.fas_user.username) + # we just need an empty form here to validate that csrf token is present + form = pagure.forms.PagureForm() + if form.validate_on_submit(): + # Ensure the user is in the DB at least + user = _get_user(username=flask.g.fas_user.username) - user.refuse_sessions_before = datetime.datetime.utcnow() - flask.g.session.commit() - flask.flash("All active sessions logged out") + user.refuse_sessions_before = datetime.datetime.utcnow() + flask.g.session.commit() + flask.flash("All active sessions logged out") return flask.redirect(flask.url_for("ui_ns.user_settings")) diff --git a/tests/test_pagure_flask_ui_login.py b/tests/test_pagure_flask_ui_login.py index 6a95f07..10ea36d 100644 --- a/tests/test_pagure_flask_ui_login.py +++ b/tests/test_pagure_flask_ui_login.py @@ -909,7 +909,8 @@ class PagureFlaskLogintests(tests.SimplePagureTest): self.assertEqual(output.status_code, 200) # Now logout everywhere - output = self.app.post('/settings/forcelogout/') + data = {'csrf_token': self.get_csrf()} + output = self.app.post('/settings/forcelogout/', data=data) self.assertEqual(output.status_code, 302) self.assertEqual(output.headers['Location'], 'http://localhost/settings')