NEW Add onBeforeRemoveLoginSession extension hook

silverstripe · Mar 8, 2021 · 05b45a1 · 05b45a1
1 parent 243999c
commit 05b45a1
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 11 deletions.
diff --git a/composer.json b/composer.json
@@ -32,7 +32,8 @@
         "squizlabs/php_codesniffer": "^3.0"
     },
     "suggest": {
-        "silverstripe/crontask": "^2.0"
+        "silverstripe/crontask": "^2.0",
+        "silverstripe/auditor": "^2.3"
     },
     "autoload": {
         "psr-4": {

diff --git a/src/Control/LoginSessionController.php b/src/Control/LoginSessionController.php
@@ -0,0 +1,88 @@
+<?php
+
+namespace SilverStripe\SessionManager\Control;
+
+use SilverStripe\Admin\LeftAndMain;
+use SilverStripe\Control\HTTPRequest;
+use SilverStripe\Control\HTTPResponse;
+use SilverStripe\Security\Member;
+use SilverStripe\Security\Security;
+use SilverStripe\Security\SecurityToken;
+use SilverStripe\SessionManager\Model\LoginSession;
+
+// TODO: extend Controller instead of LeftAndMain?
+class LoginSessionController extends LeftAndMain
+{
+    private static $url_segment = 'loginsession';
+
+    // TODO: ignore_menuitem is legacy and not used anywhere else, work out what intention behind
+    // this was an reimplement
+    private static $ignore_menuitem = true;
+
+    private static $url_handlers = [
+        // TODO: 'DELETE remove/$ID' => 'remove',
+        'DELETE remove/$ID' => 'removeLoginSession'
+    ];
+
+    private static $allowed_actions = [
+        // TODO: 'remove'
+        'removeLoginSession',
+    ];
+
+    /**
+     * Remove the specified login session
+     *
+     * @param HTTPRequest $request
+     * @return HTTPResponse
+     */
+    // TODO: rename to 'remove'
+    public function removeLoginSession(HTTPRequest $request): HTTPResponse
+    {
+        // Ensure CSRF protection
+        if (!SecurityToken::inst()->checkRequest($request)) {
+            return $this->jsonResponse(
+                ['errors' => 'Request timed out, please try again'],
+                400
+            );
+        }
+
+        $id = $request->param('ID');
+        $loginSession = LoginSession::get()->byID($id);
+        if (!$loginSession) {
+            return $this->jsonResponse(
+                ['errors' => 'Something went wrong.'],
+                400
+            );
+        }
+
+        if (!$loginSession->canDelete()) {
+            return $this->jsonResponse(
+                ['errors' => 'You do not have permission to delete this record.'],
+                400
+            );
+        }
+
+        $this->extend('onBeforeRemoveLoginSession', $loginSession);
+
+        $loginSession->delete();
+
+        return $this->jsonResponse([
+            'success' => true,
+        ]);
+    }
+
+    /**
+     * Respond with the given array as a JSON response
+     *
+     * @param array $response
+     * @param int $code The HTTP response code to set on the response
+     * @return HTTPResponse
+     */
+    // TODO: change visibility to private
+    protected function jsonResponse(array $response, int $code = 200): HTTPResponse
+    {
+        return HTTPResponse::create(json_encode($response))
+            ->addHeader('Content-Type', 'application/json')
+            ->setStatusCode($code);
+    }
+}
diff --git a/src/Model/LoginSession.php b/src/Model/LoginSession.php
@@ -126,14 +126,14 @@ public function handlePermission($fn, $member)
 
     /**
      * @param Member $member
-     * @param HTTPRequest $request
+     * @param HTTPRequest|null $request
      * @return static|null
      */
-    public static function find(Member $member, HTTPRequest $request)
+    public static function find(Member $member, ?HTTPRequest $request)
     {
         $session = static::get()->filter([
-            'IPAddress' => $request->getIP(),
-            'UserAgent' => $request->getHeader('User-Agent'),
+            'IPAddress' => $request ? $request->getIP() : '',
+            'UserAgent' => $request ? $request->getHeader('User-Agent') : '',
             'MemberID' => $member->ID,
             'Persistent' => true
         ])->first();
@@ -144,15 +144,15 @@ public static function find(Member $member, HTTPRequest $request)
     /**
      * @param Member $member
      * @param boolean $persistent
-     * @param HTTPRequest $request
+     * @param HTTPRequest|null $request
      * @return static
      */
-    public static function generate(Member $member, bool $persistent, HTTPRequest $request)
+    public static function generate(Member $member, bool $persistent, ?HTTPRequest $request)
     {
         $session = static::create()->update([
             'LastAccessed' => DBDatetime::now()->Rfc2822(),
-            'IPAddress' => $request->getIP(),
-            'UserAgent' => $request->getHeader('User-Agent'),
+            'IPAddress' => $request ? $request->getIP() : '',
+            'UserAgent' => $request ? $request->getHeader('User-Agent') : '',
             'MemberID' => $member->ID,
             'Persistent' => $persistent
         ]);

diff --git a/src/Security/LogInAuthenticationHandler.php b/src/Security/LogInAuthenticationHandler.php
@@ -69,15 +69,17 @@ public function logIn(Member $member, $persistent = false, HTTPRequest $request
         }
 
         $loginSession->LastAccessed = DBDatetime::now()->Rfc2822();
-        $loginSession->IPAddress = $request->getIP();
+        $loginSession->IPAddress = $request ? $request->getIP() : '';
         $loginSession->write();
 
         if ($persistent && $rememberLoginHash = $this->getRememberLoginHash()) {
             $rememberLoginHash->LoginSessionID = $loginSession->ID;
             $rememberLoginHash->write();
         }
 
-        $request->getSession()->set($this->getSessionVariable(), $loginSession->ID);
+        if ($request) {
+            $request->getSession()->set($this->getSessionVariable(), $loginSession->ID);
+        }
     }
 
     public function logOut(HTTPRequest $request = null)