| field | value | date |
|---|---|---|
| author | Imre Farkas <ifarkas@gitlab.com> | 2019-02-25 16:52:40 +0300 |
| committer | Imre Farkas <ifarkas@gitlab.com> | 2019-02-27 13:45:27 +0300 |
| commit | 038d530565bc64729706bbd9afad275699be459d (patch) | |
| tree | 7cb6741e2490a943a8e3dc1e61011bc7e56385ae /app/controllers/profiles | |
| parent | 44c4aad983570ea1832aa08c39f46dbc1b475fd3 (diff) | |
Remove ability to revoke active session
Session ID is used as a parameter for the revoke session endpoint but it
should never be included in the HTML as an attacker could obtain it via
XSS.
Diffstat (limited to 'app/controllers/profiles')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | app/controllers/profiles/active_sessions_controller.rb | 9 |

1 files changed, 0 insertions, 9 deletions
diff --git a/app/controllers/profiles/active_sessions_controller.rb b/app/controllers/profiles/active_sessions_controller.rb index 6cf7a120449..c473023cacb 100644 --- a/app/controllers/profiles/active_sessions_controller.rb +++ b/app/controllers/profiles/active_sessions_controller.rb @@ -4,13 +4,4 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController def index @sessions = ActiveSession.list(current_user).reject(&:is_impersonated) end - - def destroy - ActiveSession.destroy(current_user, params[:id]) - - respond_to do |format| - format.html { redirect_to profile_active_sessions_url, status: :found } - format.js { head :ok } - end - end end |
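Review bot: the removed `destroy` action still has callers outside this diffstat (which is limited to `app/controllers/profiles`), and those are what actually expose the session ID the commit message wants out of the HTML: the deleted `format.js { head :ok }` branch implies a JavaScript caller and the `redirect_to profile_active_sessions_url` branch an HTML form or link, both of which passed the session ID as `params[:id]`. Confirm that the same commit drops the matching `destroy` route and the view or JS that rendered the session ID, otherwise the ID stays in the page markup and the route now points at an action that no longer exists.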