From 05b73def59701d7b2e15a4af18950f440df6511b Mon Sep 17 00:00:00 2001
From: Heinrich Klobuczek
Date: Mon, 19 Aug 2013 13:13:41 -0700
Subject: [PATCH 1/3] removal of unique_session_id on explicit user logout

---
 VERSION | 2 +-
 devise_security_extension.gemspec | 2 +-
 lib/devise_security_extension/hooks/session_limitable.rb | 6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/VERSION b/VERSION
index 7486fdbc..0a1ffad4 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.7.2
+0.7.4
diff --git a/devise_security_extension.gemspec b/devise_security_extension.gemspec
index fdacdabf..38026785 100644
--- a/devise_security_extension.gemspec
+++ b/devise_security_extension.gemspec
@@ -5,7 +5,7 @@
 
 Gem::Specification.new do |s|
   s.name = "devise_security_extension"
-  s.version = "0.7.3"
+  s.version = "0.7.4"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Marco Scholl", "Alexander Dreher"]
diff --git a/lib/devise_security_extension/hooks/session_limitable.rb b/lib/devise_security_extension/hooks/session_limitable.rb
index 53e6c7aa..67b3aa6a 100644
--- a/lib/devise_security_extension/hooks/session_limitable.rb
+++ b/lib/devise_security_extension/hooks/session_limitable.rb
@@ -19,8 +19,14 @@
 
   if warden.authenticated?(scope) && options[:store] != false
     if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
+      def record.skip_before_logout?; end
       warden.logout(scope)
       throw :warden, :scope => scope, :message => :session_limited
     end
   end
+end
+
+#Remove unique_session_id on explicit logout
+Warden::Manager.before_logout do |record, warden, options|
+  record.update_unique_session_id!(nil) unless record.respond_to? :skip_before_logout?
 end
\ No newline at end of file
From 58d955188478abceefaa412f716511084d4d7a51 Mon Sep 17 00:00:00 2001
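Review bot: The flag set by `def record.skip_before_logout?; end` is a singleton method stamped onto the model instance and nothing ever removes it, so it outlives the forced logout for as long as that object lives, and an object carrying a singleton method can no longer be Marshal-dumped (relevant if the record is cached later in the request, which I cannot see from here). The hunk already signals a skip through the request env (`env['devise.skip_session_limitable']`), so the new flag could follow that convention: set `env['devise.skip_before_logout'] = true` right before `warden.logout(scope)`, and gate the new hook with `unless warden.request.env['devise.skip_before_logout']` instead of `record.respond_to? :skip_before_logout?`. The new `before_logout` hook also deserves a comment stating the security intent, since clearing the stored id to nil makes the comparison at the top of this hunk fail for every other session of this user, e.g. `# nil never matches a session's stored id, so an explicit logout evicts every other session of this user on its next request`. The `after_set_user` block that encloses the first part of this hunk starts above it.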
From: Heinrich Klobuczek
Date: Tue, 20 Aug 2013 08:01:19 -0700
Subject: [PATCH 2/3] fixed bug in pull #56

---
 lib/devise_security_extension/models/password_archivable.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/devise_security_extension/models/password_archivable.rb b/lib/devise_security_extension/models/password_archivable.rb
index 987a1a45..aa80210e 100644
--- a/lib/devise_security_extension/models/password_archivable.rb
+++ b/lib/devise_security_extension/models/password_archivable.rb
@@ -62,7 +62,7 @@ def old_password_params
       salt_change = if self.respond_to?(:password_salt_change) and not self.password_salt_change.nil?
         self.password_salt_change.first
       end
-      { :encrypted_password => self.encrypted_password_change.first, :password_salt => salt_change }.permit!
+      { :encrypted_password => self.encrypted_password_change.first, :password_salt => salt_change }
     end
 
     module ClassMethods
From 4a4cff63abd2c8d743db48713fa04ad207c710b4 Mon Sep 17 00:00:00 2001
From: Heinrich Klobuczek
Date: Thu, 22 Aug 2013 10:01:06 -0700
Subject: [PATCH 3/3] added a check before updating unique_session_id since if the user tries to logout after session timeout the record will be nil

---
 lib/devise_security_extension/hooks/session_limitable.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/devise_security_extension/hooks/session_limitable.rb b/lib/devise_security_extension/hooks/session_limitable.rb
index 67b3aa6a..10e917a7 100644
--- a/lib/devise_security_extension/hooks/session_limitable.rb
+++ b/lib/devise_security_extension/hooks/session_limitable.rb
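Review bot: The new line still calls `self.encrypted_password_change.first` with no guard, so if `old_password_params` is ever reached while `encrypted_password` is unchanged, `encrypted_password_change` is nil and the hash literal raises NoMethodError instead of producing something to archive; the `def` line and every caller are above this hunk, so I cannot confirm that each path is guarded by `encrypted_password_changed?`. Dropping `.permit!` is right because this is a plain Hash rather than `ActionController::Parameters`, but that leaves the precondition undocumented, and a comment above the hash would carry it: `# Assumes encrypted_password is dirty: *_change.first is the digest (and salt) being replaced`. If a caller without that guard turns up, the fix belongs in the caller rather than in a default here, since archiving the current digest as an "old" password would defeat the history check.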
@@ -28,5 +28,7 @@ def record.skip_before_logout?; end
 
 #Remove unique_session_id on explicit logout
 Warden::Manager.before_logout do |record, warden, options|
-  record.update_unique_session_id!(nil) unless record.respond_to? :skip_before_logout?
+  if record.respond_to?(:update_unique_session_id!) && !record.respond_to?(:skip_before_logout?)
+    record.update_unique_session_id!(nil)
+  end
 end
\ No newline at end of file
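Review bot: The new condition relies on two facts a reader of this hook cannot see: `skip_before_logout?` is not a model method but a singleton method the session-limited logout above stamps on the record, and the nil record the commit message describes is tolerated only because `nil.respond_to?` returns false, not by an explicit check. Both deserve a comment on the `if` line, e.g. `# record is nil when logout follows a session timeout; skip_before_logout? is stamped on the record by the forced session_limited logout above, whose stored id must survive`. An explicit `record && ...` would also make the nil case visible in code rather than incidental, while leaving the `respond_to?(:update_unique_session_id!)` gate for models that are not session-limitable.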