diff options
| author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 21:16:15 +0300 |
|---|---|---|
| committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 21:16:15 +0300 |
| commit | ab8185edc470c3be34c8ef69e9f6004f128a5485 (patch) | |
| tree | ce97449f596d27c56b6451f8851a36aa09aeec85 /app | |
| parent | 2eb2d08136bc0e23fde1cb2b8da30d4087160f2d (diff) | |
| parent | c2b430c73bb12f9fbd82695e79217876ebc58fd1 (diff) | |
Merge branch 'security-2818_filter_impersonated_sessions-11-7' into '11-7-stable'
Filter impersonated sessions from active sessions and remove ability to revoke session
See merge request gitlab/gitlabhq!2982
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/profiles/active_sessions_controller.rb | 11 | ||||
| -rw-r--r-- | app/models/active_session.rb | 6 | ||||
| -rw-r--r-- | app/views/profiles/active_sessions/_active_session.html.haml | 6 |
3 files changed, 5 insertions, 18 deletions
diff --git a/app/controllers/profiles/active_sessions_controller.rb b/app/controllers/profiles/active_sessions_controller.rb index efe7ede5efa..c473023cacb 100644 --- a/app/controllers/profiles/active_sessions_controller.rb +++ b/app/controllers/profiles/active_sessions_controller.rb @@ -2,15 +2,6 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController def index - @sessions = ActiveSession.list(current_user) - end - - def destroy - ActiveSession.destroy(current_user, params[:id]) - - respond_to do |format| - format.html { redirect_to profile_active_sessions_url, status: :found } - format.js { head :ok } - end + @sessions = ActiveSession.list(current_user).reject(&:is_impersonated) end end diff --git a/app/models/active_session.rb b/app/models/active_session.rb index 0d9c6a4a1f0..1e01f1d17e6 100644 --- a/app/models/active_session.rb +++ b/app/models/active_session.rb @@ -5,7 +5,8 @@ class ActiveSession attr_accessor :created_at, :updated_at, :session_id, :ip_address, - :browser, :os, :device_name, :device_type + :browser, :os, :device_name, :device_type, + :is_impersonated def current?(session) return false if session_id.nil? || session.id.nil? @@ -31,7 +32,8 @@ class ActiveSession device_type: client.device_type, created_at: user.current_sign_in_at || timestamp, updated_at: timestamp, - session_id: session_id + session_id: session_id, + is_impersonated: request.session[:impersonator_id].present? ) redis.pipelined do diff --git a/app/views/profiles/active_sessions/_active_session.html.haml b/app/views/profiles/active_sessions/_active_session.html.haml index 23ef31a0c85..2bf514d72a5 100644 --- a/app/views/profiles/active_sessions/_active_session.html.haml +++ b/app/views/profiles/active_sessions/_active_session.html.haml @@ -23,9 +23,3 @@ %strong Signed in on = l(active_session.created_at, format: :short) - - - unless is_current_session - .float-right - = link_to profile_active_session_path(active_session.session_id), data: { confirm: 'Are you sure? The device will be signed out of GitLab.' }, method: :delete, class: "btn btn-danger prepend-left-10" do - %span.sr-only Revoke - Revoke |