mirror of
https://github.com/jiojciojsioe3/a3cjroijsiojiorj.git
synced 2024-11-15 07:21:50 +08:00
log out other sessions after password change
This commit is contained in:
parent
0144367c6e
commit
0fd0cb97a0
19
app.py
19
app.py
@ -56,13 +56,20 @@ def admin_required(f):
|
|||||||
return abort(403)
|
return abort(403)
|
||||||
|
|
||||||
user = db.users.find_one({'username': session.get('username')})
|
user = db.users.find_one({'username': session.get('username')})
|
||||||
if user['user_level'] < 100:
|
if user['user_level'] < 50:
|
||||||
return abort(403)
|
return abort(403)
|
||||||
|
|
||||||
return f(*args, **kwargs)
|
return f(*args, **kwargs)
|
||||||
return decorated_function
|
return decorated_function
|
||||||
|
|
||||||
|
|
||||||
|
@app.before_request
|
||||||
|
def before_request_func():
|
||||||
|
if session.get('session_id'):
|
||||||
|
if not db.users.find_one({'session_id': session.get('session_id')}):
|
||||||
|
session.clear()
|
||||||
|
|
||||||
|
|
||||||
def get_config():
|
def get_config():
|
||||||
if os.path.isfile('config.json'):
|
if os.path.isfile('config.json'):
|
||||||
try:
|
try:
|
||||||
@ -211,14 +218,17 @@ def route_api_register():
|
|||||||
salt = bcrypt.gensalt()
|
salt = bcrypt.gensalt()
|
||||||
hashed = bcrypt.hashpw(password, salt)
|
hashed = bcrypt.hashpw(password, salt)
|
||||||
|
|
||||||
|
session_id = os.urandom(24).hex()
|
||||||
db.users.insert_one({
|
db.users.insert_one({
|
||||||
'username': username,
|
'username': username,
|
||||||
'username_lower': username.lower(),
|
'username_lower': username.lower(),
|
||||||
'password': hashed,
|
'password': hashed,
|
||||||
'display_name': username,
|
'display_name': username,
|
||||||
'user_level': 1
|
'user_level': 1,
|
||||||
|
'session_id': session_id
|
||||||
})
|
})
|
||||||
|
|
||||||
|
session['session_id'] = session_id
|
||||||
session['username'] = username
|
session['username'] = username
|
||||||
session.permanent = True
|
session.permanent = True
|
||||||
return jsonify({'status': 'ok', 'username': username, 'display_name': username})
|
return jsonify({'status': 'ok', 'username': username, 'display_name': username})
|
||||||
@ -242,6 +252,7 @@ def route_api_login():
|
|||||||
if not bcrypt.checkpw(password, result['password']):
|
if not bcrypt.checkpw(password, result['password']):
|
||||||
return api_error('invalid_username_password')
|
return api_error('invalid_username_password')
|
||||||
|
|
||||||
|
session['session_id'] = result['session_id']
|
||||||
session['username'] = result['username']
|
session['username'] = result['username']
|
||||||
if data.get('remember'):
|
if data.get('remember'):
|
||||||
session.permanent = True
|
session.permanent = True
|
||||||
@ -294,11 +305,13 @@ def route_api_account_password():
|
|||||||
|
|
||||||
salt = bcrypt.gensalt()
|
salt = bcrypt.gensalt()
|
||||||
hashed = bcrypt.hashpw(new_password, salt)
|
hashed = bcrypt.hashpw(new_password, salt)
|
||||||
|
session_id = os.urandom(24).hex()
|
||||||
|
|
||||||
db.users.update_one({'username': session.get('username')}, {
|
db.users.update_one({'username': session.get('username')}, {
|
||||||
'$set': {'password': hashed}
|
'$set': {'password': hashed, 'session_id': session_id}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
session['session_id'] = session_id
|
||||||
return jsonify({'status': 'ok'})
|
return jsonify({'status': 'ok'})
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user