From f8be47dfbf567ab75657e02a4e75661a12381a8f Mon Sep 17 00:00:00 2001 From: snipe Date: Thu, 9 Jul 2015 00:41:46 -0700 Subject: [PATCH 1/3] Fixes #903 - adds config variable for multi_login, overrides Sentry method --- .gitignore | 1 + app/config/local/session.example.php | 140 ++++++++++++++++++++ app/config/production/session.example.php | 154 ++++++++++++++++++++++ app/config/staging/session.example.php | 154 ++++++++++++++++++++++ app/models/User.php | 43 ++++-- 5 files changed, 480 insertions(+), 12 deletions(-) create mode 100644 app/config/local/session.example.php create mode 100644 app/config/production/session.example.php create mode 100644 app/config/staging/session.example.php diff --git a/.gitignore b/.gitignore index be61c57aa829..46ab184f9b1d 100755 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,4 @@ public/uploads/logo.gif public/uploads/logo.png .siteflow public/assets/.siteflow +app/config/local/session.php diff --git a/app/config/local/session.example.php b/app/config/local/session.example.php new file mode 100644 index 000000000000..586da3600ee1 --- /dev/null +++ b/app/config/local/session.example.php 
@@ -0,0 +1,140 @@ + 'file', + + /* + |-------------------------------------------------------------------------- + | Session Lifetime + |-------------------------------------------------------------------------- + | + | Here you may specify the number of minutes that you wish the session + | to be allowed to remain idle before it expires. If you want them + | to immediately expire on the browser closing, set that option. + | + */ + + 'lifetime' => 12000, + + 'expire_on_close' => false, + + /* + |-------------------------------------------------------------------------- + | Session File Location + |-------------------------------------------------------------------------- + | + | When using the native session driver, we need a location where session + | files may be stored. A default has been set for you but a different + | location may be specified. This is only needed for file sessions. + | + */ + + 'files' => storage_path().'/sessions', + + /* + |-------------------------------------------------------------------------- + | Session Database Connection + |-------------------------------------------------------------------------- + | + | When using the "database" or "redis" session drivers, you may specify a + | connection that should be used to manage these sessions. This should + | correspond to a connection in your database configuration options. + | + */ + + 'connection' => null, + + /* + |-------------------------------------------------------------------------- + | Session Database Table + |-------------------------------------------------------------------------- + | + | When using the "database" session driver, you may specify the table we + | should use to manage the sessions. Of course, a sensible default is + | provided for you; however, you are free to change this as needed. 
+ | + */ + + 'table' => 'sessions', + + /* + |-------------------------------------------------------------------------- + | Session Sweeping Lottery + |-------------------------------------------------------------------------- + | + | Some session drivers must manually sweep their storage location to get + | rid of old sessions from storage. Here are the chances that it will + | happen on a given request. By default, the odds are 2 out of 100. + | + */ + + 'lottery' => array(2, 100), + + /* + |-------------------------------------------------------------------------- + | Session Cookie Name + |-------------------------------------------------------------------------- + | + | Here you may change the name of the cookie used to identify a session + | instance by ID. The name specified here will get used every time a + | new session cookie is created by the framework for every driver. + | + */ + + 'cookie' => 'snipeit_session', + + /* + |-------------------------------------------------------------------------- + | Session Cookie Path + |-------------------------------------------------------------------------- + | + | The session cookie path determines the path for which the cookie will + | be regarded as available. Typically, this will be the root path of + | your application but you are free to change this when necessary. + | + */ + + 'path' => '/', + + /* + |-------------------------------------------------------------------------- + | Session Cookie Domain + |-------------------------------------------------------------------------- + | + | Here you may change the domain of the cookie used to identify a session + | in your application. This will determine which domains the cookie is + | available to in your application. A sensible default has been set. 
+ | + */ + + 'domain' => null, + + /* + |-------------------------------------------------------------------------- + | HTTPS Only Cookies + |-------------------------------------------------------------------------- + | + | By setting this option to true, session cookies will only be sent back + | to the server if the browser has a HTTPS connection. This will keep + | the cookie from being sent to you if it can not be done securely. + | + */ + + 'secure' => false, + +); diff --git a/app/config/production/session.example.php b/app/config/production/session.example.php new file mode 100644 index 000000000000..5d28296192a4 --- /dev/null +++ b/app/config/production/session.example.php 
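Review bot: This local example defines no `multi_login` entry, unlike the production and staging examples in the same patch, so the `session.multi_login` lookup in `User::getPersistCode()` resolves to null here and the single-login path is chosen by omission rather than by a documented choice. Add the same comment block with an explicit value, e.g. `'multi_login' => false,`, so the three environment examples stay comparable. The hunk's first line also reads `+ 'file',` with the `<?php`, `return array(` and `'driver' =>` lead-in missing; that looks like a rendering artefact of this page rather than the committed file, but it is worth checking against the repository.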
@@ -0,0 +1,154 @@ + 'file', + + /* + |-------------------------------------------------------------------------- + | Session Lifetime + |-------------------------------------------------------------------------- + | + | Here you may specify the number of minutes that you wish the session + | to be allowed to remain idle before it expires. If you want them + | to immediately expire on the browser closing, set that option. + | + */ + + 'lifetime' => 12000, + + 'expire_on_close' => false, + + /* + |-------------------------------------------------------------------------- + | Session File Location + |-------------------------------------------------------------------------- + | + | When using the native session driver, we need a location where session + | files may be stored. A default has been set for you but a different + | location may be specified. This is only needed for file sessions. + | + */ + + 'files' => storage_path().'/sessions', + + /* + |-------------------------------------------------------------------------- + | Session Database Connection + |-------------------------------------------------------------------------- + | + | When using the "database" or "redis" session drivers, you may specify a + | connection that should be used to manage these sessions. This should + | correspond to a connection in your database configuration options. + | + */ + + 'connection' => null, + + /* + |-------------------------------------------------------------------------- + | Session Database Table + |-------------------------------------------------------------------------- + | + | When using the "database" session driver, you may specify the table we + | should use to manage the sessions. Of course, a sensible default is + | provided for you; however, you are free to change this as needed. 
+ | + */ + + 'table' => 'sessions', + + /* + |-------------------------------------------------------------------------- + | Session Sweeping Lottery + |-------------------------------------------------------------------------- + | + | Some session drivers must manually sweep their storage location to get + | rid of old sessions from storage. Here are the chances that it will + | happen on a given request. By default, the odds are 2 out of 100. + | + */ + + 'lottery' => array(2, 100), + + /* + |-------------------------------------------------------------------------- + | Session Cookie Name + |-------------------------------------------------------------------------- + | + | Here you may change the name of the cookie used to identify a session + | instance by ID. The name specified here will get used every time a + | new session cookie is created by the framework for every driver. + | + */ + + 'cookie' => 'snipeit_session', + + /* + |-------------------------------------------------------------------------- + | Session Cookie Path + |-------------------------------------------------------------------------- + | + | The session cookie path determines the path for which the cookie will + | be regarded as available. Typically, this will be the root path of + | your application but you are free to change this when necessary. + | + */ + + 'path' => '/', + + /* + |-------------------------------------------------------------------------- + | Session Cookie Domain + |-------------------------------------------------------------------------- + | + | Here you may change the domain of the cookie used to identify a session + | in your application. This will determine which domains the cookie is + | available to in your application. A sensible default has been set. 
+ | + */ + + 'domain' => null, + + /* + |-------------------------------------------------------------------------- + | HTTPS Only Cookies + |-------------------------------------------------------------------------- + | + | By setting this option to true, session cookies will only be sent back + | to the server if the browser has a HTTPS connection. This will keep + | the cookie from being sent to you if it can not be done securely. + | + */ + + 'secure' => false, + + + /* + |-------------------------------------------------------------------------- + | Allow multiple logins from different devices at the same time + |-------------------------------------------------------------------------- + | + | By default, if a user logs into an account where someone is already + | logged in, the previous user will be logged out. We recommend leaving + | this set to false for security reasons. + | + */ + + 'multi_login' => true, + +); diff --git a/app/config/staging/session.example.php b/app/config/staging/session.example.php new file mode 100644 index 000000000000..99e208551d60 --- /dev/null +++ b/app/config/staging/session.example.php 
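Review bot: `'secure' => false` in the production example means the `snipeit_session` cookie is also sent on plain-HTTP requests, while the staging example in the same patch sets it to `true`; the production default should be the stricter one, `'secure' => true,`, with a comment noting it is to be relaxed only for deployments that cannot serve HTTPS. The new `multi_login` comment block is also slightly misleading: what is invalidated on a second login is the earlier session of the same account, not a "previous user" — `| logged in, the earlier session of that account is logged out.` reads more accurately, and the staging file carries the same text.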
@@ -0,0 +1,154 @@ + 'file', + + /* + |-------------------------------------------------------------------------- + | Session Lifetime + |-------------------------------------------------------------------------- + | + | Here you may specify the number of minutes that you wish the session + | to be allowed to remain idle before it expires. If you want them + | to immediately expire on the browser closing, set that option. + | + */ + + 'lifetime' => 12000, + + 'expire_on_close' => false, + + /* + |-------------------------------------------------------------------------- + | Session File Location + |-------------------------------------------------------------------------- + | + | When using the native session driver, we need a location where session + | files may be stored. A default has been set for you but a different + | location may be specified. This is only needed for file sessions. + | + */ + + 'files' => storage_path().'/sessions', + + /* + |-------------------------------------------------------------------------- + | Session Database Connection + |-------------------------------------------------------------------------- + | + | When using the "database" or "redis" session drivers, you may specify a + | connection that should be used to manage these sessions. This should + | correspond to a connection in your database configuration options. + | + */ + + 'connection' => null, + + /* + |-------------------------------------------------------------------------- + | Session Database Table + |-------------------------------------------------------------------------- + | + | When using the "database" session driver, you may specify the table we + | should use to manage the sessions. Of course, a sensible default is + | provided for you; however, you are free to change this as needed. 
+ | + */ + + 'table' => 'sessions', + + /* + |-------------------------------------------------------------------------- + | Session Sweeping Lottery + |-------------------------------------------------------------------------- + | + | Some session drivers must manually sweep their storage location to get + | rid of old sessions from storage. Here are the chances that it will + | happen on a given request. By default, the odds are 2 out of 100. + | + */ + + 'lottery' => array(2, 100), + + /* + |-------------------------------------------------------------------------- + | Session Cookie Name + |-------------------------------------------------------------------------- + | + | Here you may change the name of the cookie used to identify a session + | instance by ID. The name specified here will get used every time a + | new session cookie is created by the framework for every driver. + | + */ + + 'cookie' => 'snipeit_session', + + /* + |-------------------------------------------------------------------------- + | Session Cookie Path + |-------------------------------------------------------------------------- + | + | The session cookie path determines the path for which the cookie will + | be regarded as available. Typically, this will be the root path of + | your application but you are free to change this when necessary. + | + */ + + 'path' => '/', + + /* + |-------------------------------------------------------------------------- + | Session Cookie Domain + |-------------------------------------------------------------------------- + | + | Here you may change the domain of the cookie used to identify a session + | in your application. This will determine which domains the cookie is + | available to in your application. A sensible default has been set. 
+ | + */ + + 'domain' => null, + + /* + |-------------------------------------------------------------------------- + | HTTPS Only Cookies + |-------------------------------------------------------------------------- + | + | By setting this option to true, session cookies will only be sent back + | to the server if the browser has a HTTPS connection. This will keep + | the cookie from being sent to you if it can not be done securely. + | + */ + + 'secure' => true, + + + /* + |-------------------------------------------------------------------------- + | Allow multiple logins from different devices at the same time + |-------------------------------------------------------------------------- + | + | By default, if a user logs into an account where someone is already + | logged in, the previous user will be logged out. We recommend leaving + | this set to false for security reasons. + | + */ + + 'multi_login' => false, + +); diff --git a/app/models/User.php b/app/models/User.php index 31a30ae08cda..b813e639fc3d 100755 --- a/app/models/User.php +++ b/app/models/User.php @@ -23,7 +23,7 @@ public function fullName() { return "{$this->first_name} {$this->last_name}"; } - + /** * Returns the user Gravatar image url. @@ -43,7 +43,7 @@ public function assets() { return $this->hasMany('Asset', 'assigned_to')->withTrashed(); } - + public function accessories() { return $this->belongsToMany('Accessory', 'accessories_users', 'assigned_to','accessory_id')->withPivot('id')->withTrashed(); 
@@ -77,36 +77,55 @@ public function manager() { return $this->belongsTo('User','manager_id')->withTrashed(); } - - + + public function accountStatus() { if ($this->sentryThrottle) { if ($this->sentryThrottle->suspended==1) { - return 'suspended'; + return 'suspended'; } elseif ($this->sentryThrottle->banned==1) { - return 'banned'; - } else { + return 'banned'; + } else { return false; } } else { return false; } } - - public function sentryThrottle() { - return $this->hasOne('Throttle'); + + public function sentryThrottle() { + return $this->hasOne('Throttle'); } - + public function scopeGetDeleted($query) { return $query->withTrashed()->whereNotNull('deleted_at'); } - + public function scopeGetNotDeleted($query) { return $query->whereNull('deleted_at'); } + /** + * Override the SentryUser getPersistCode method for + * multiple logins at one time + **/ + public function getPersistCode() + { + + if (!Config::get('multi_login') || (!$this->persist_code)) + { + $this->persist_code = $this->getRandomString(); + + // Our code got hashed + $persistCode = $this->persist_code; + $this->save(); + return $persistCode; + } + return $this->persist_code; + } + } From e9443a244cdf7f9495d1b780ae6478204988f207 Mon Sep 17 00:00:00 2001 From: snipe Date: Thu, 9 Jul 2015 00:52:05 -0700 Subject: [PATCH 2/3] Small fix to config value --- app/config/version.php | 4 ++-- app/models/User.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/app/config/version.php b/app/config/version.php index a19729143558..55b52a62917d 100644 --- a/app/config/version.php +++ b/app/config/version.php @@ -1,5 +1,5 @@ 'v1.2.8-18', - 'hash_version' => 'v1.2.8-18-g05f0b94', + 'app_version' => 'v1.2.8-21', + 'hash_version' => 'v1.2.8-21-gc2d6391', ); \ No newline at end of file diff --git a/app/models/User.php b/app/models/User.php index b813e639fc3d..e3d7211463b8 100755 --- a/app/models/User.php +++ b/app/models/User.php 
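Review bot: The docblock on the new `getPersistCode()` override should spell out the security trade-off, because the behaviour change is larger than "multiple logins": when `multi_login` is on and a persist code already exists, the stored code is returned as-is, so the remember-me token is no longer rotated on each login and a leaked cookie presumably stays valid until the code is cleared explicitly (logout, or a password change if Sentry resets it there — worth confirming). I would replace the header with a docblock saying that the method overrides Sentry's `getPersistCode()`, that with `session.multi_login` enabled an existing persist code is reused rather than regenerated so other devices stay signed in, that the code is therefore only invalidated explicitly, and that it returns the stored (hashed) code as a string. The `// Our code got hashed` line is copied from the Sentry original and only holds if the attribute setter hashes `persist_code` on assignment, which this hunk does not show — `// persist_code is hashed by the model's attribute setter; this is the hashed value` would make that assumption visible. Minor style: close the docblock with `*/` rather than `**/`, and drop the blank line after the opening `{`.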
@@ -115,7 +115,7 @@ public function scopeGetNotDeleted($query) public function getPersistCode() { - if (!Config::get('multi_login') || (!$this->persist_code)) + if (!Config::get('session.multi_login') || (!$this->persist_code)) { $this->persist_code = $this->getRandomString(); From 9936cf4a436cd7faa8295a676f572bd9627eb4a2 Mon Sep 17 00:00:00 2001 From: snipe Date: Thu, 9 Jul 2015 00:53:58 -0700 Subject: [PATCH 3/3] Better production default for #903 --- app/config/production/session.example.php | 2 +- app/config/staging/session.example.php | 2 +- app/config/version.php | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/app/config/production/session.example.php b/app/config/production/session.example.php index 5d28296192a4..16a3f4c17676 100644 --- a/app/config/production/session.example.php +++ b/app/config/production/session.example.php @@ -149,6 +149,6 @@ | */ - 'multi_login' => true, + 'multi_login' => false, ); diff --git a/app/config/staging/session.example.php b/app/config/staging/session.example.php index 99e208551d60..6f5443b6db11 100644 --- a/app/config/staging/session.example.php +++ b/app/config/staging/session.example.php @@ -149,6 +149,6 @@ | */ - 'multi_login' => false, + 'multi_login' => true, ); diff --git a/app/config/version.php b/app/config/version.php index 55b52a62917d..c7c437208b3c 100644 --- a/app/config/version.php +++ b/app/config/version.php @@ -1,5 +1,5 @@ 'v1.2.8-21', - 'hash_version' => 'v1.2.8-21-gc2d6391', + 'app_version' => 'v1.2.8-22', + 'hash_version' => 'v1.2.8-22-gf8be47d', ); \ No newline at end of file
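Review bot: `Config::get('session.multi_login')` still falls back to null when an environment's `session.php` has no `multi_login` key (the local example added in the previous patch has none), which silently selects the single-login path; making the default explicit, `if (!Config::get('session.multi_login', false) || (!$this->persist_code))`, documents that intent at the call site. The rest of `getPersistCode()` lies outside this hunk.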
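Review bot: The staging example now sets `'multi_login' => true` directly beneath a comment that says "We recommend leaving this set to false for security reasons", so the shipped default and its own guidance disagree. Either keep the staging example at `false` like production, or extend the comment with one line stating that it is enabled for staging convenience only, e.g. `| (Enabled in this staging example for testing; keep it false in production.)`. The production hunk in the same patch moves to `false` and is consistent with the comment.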