[5.x] Logout user from other devices when changing password (#10548)

Co-authored-by: duncanmcclean <duncanmcclean@users.noreply.github.com> Co-authored-by: Jason Varga <jason@pixelfear.com>
statamic · Aug 13, 2024 · c4f5f7b · c4f5f7b
1 parent e21385d
commit c4f5f7b
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 1 deletion.
diff --git a/src/Http/Controllers/CP/Users/PasswordController.php b/src/Http/Controllers/CP/Users/PasswordController.php
@@ -3,6 +3,7 @@
 namespace Statamic\Http\Controllers\CP\Users;
 
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Validation\Rules\Password;
 use Statamic\Events\UserPasswordChanged;
 use Statamic\Exceptions\NotFoundHttpException;
@@ -15,20 +16,26 @@ public function update(Request $request, $user)
     {
         throw_unless($user = User::find($user), new NotFoundHttpException);
 
+        $updatingOwnPassword = $user->id() == $request->user()->id();
+
         $this->authorize('editPassword', $user);
 
         $rules = [
             'password' => ['required', 'confirmed', Password::default()],
         ];
 
-        if ($request->user()->id === $user) {
+        if ($updatingOwnPassword) {
             $rules['current_password'] = ['required', 'current_password'];
         }
 
         $request->validate($rules);
 
         $user->password($request->password)->save();
 
+        if ($updatingOwnPassword) {
+            Auth::login($user);
+        }
+
         UserPasswordChanged::dispatch($user);
 
         return response('', 204);

diff --git a/src/Http/Middleware/CP/AuthenticateSession.php b/src/Http/Middleware/CP/AuthenticateSession.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Statamic\Http\Middleware\CP;
+
+use Illuminate\Http\Request;
+
+class AuthenticateSession extends \Illuminate\Session\Middleware\AuthenticateSession
+{
+    protected function redirectTo(Request $request)
+    {
+        return cp_route('login');
+    }
+}
diff --git a/src/Providers/CpServiceProvider.php b/src/Providers/CpServiceProvider.php
@@ -86,6 +86,7 @@ protected function registerMiddlewareGroups()
         ]);
 
         $router->middlewareGroup('statamic.cp.authenticated', [
+            \Statamic\Http\Middleware\CP\AuthenticateSession::class,
             \Statamic\Http\Middleware\CP\Authorize::class,
             \Statamic\Http\Middleware\CP\Localize::class,
             \Statamic\Http\Middleware\CP\SelectedSite::class,

diff --git a/tests/TestCase.php b/tests/TestCase.php
@@ -9,6 +9,7 @@
 use Statamic\Facades\File;
 use Statamic\Facades\Site;
 use Statamic\Facades\YAML;
+use Statamic\Http\Middleware\CP\AuthenticateSession;
 
 abstract class TestCase extends \Orchestra\Testbench\TestCase
 {
@@ -24,6 +25,8 @@ protected function setUp(): void
 
         $this->withoutVite();
 
+        $this->withoutMiddleware(AuthenticateSession::class);
+
         $uses = array_flip(class_uses_recursive(static::class));
 
         if (isset($uses[PreventSavingStacheItemsToDisk::class])) {