diff --git a/db/factories/SessionFactory.php b/db/factories/SessionFactory.php
index ee874341..1f455140 100644
--- a/db/factories/SessionFactory.php
+++ b/db/factories/SessionFactory.php
@@ -16,7 +16,7 @@ class SessionFactory extends Factory
 public function definition(): array
 {
 return [
- 'id' => $this->faker->lexify('??????????'),
+ 'id' => $this->faker->lexify('????????????????????????????????'),
 'payload' => $this->faker->text(100),
 'user_id' => $this->faker->optional()->passthrough(User::factory()),
 ];
diff --git a/resources/views/pages/settings/sessions.twig b/resources/views/pages/settings/sessions.twig
index 2b0df9c9..7e0df8c1 100644
--- a/resources/views/pages/settings/sessions.twig
+++ b/resources/views/pages/settings/sessions.twig
@@ -34,14 +34,14 @@ {% for session in sessions %} -
{{ session['id'] }}
+
{{ session.id[:15] }}…
{{ session.last_activity.format(__('Y-m-d H:i:s')) }} {% if session.id != current_session %}
{{ csrf() }}
- {{ f.hidden('id', session.id) }}
+ {{ f.hidden('id', session.id[:15]) }}
 {{ f.submit( __('form.delete'), {'name': 'delete', 'btn_type': 'danger', 'size': 'sm', 'icon_left': 'trash'}
diff --git a/src/Controllers/SettingsController.php b/src/Controllers/SettingsController.php
index 0002ee3e..a2a5e6e8 100644
--- a/src/Controllers/SettingsController.php
+++ b/src/Controllers/SettingsController.php
@@ -307,7 +307,10 @@ class SettingsController extends BaseController
 ->where('id', '!=', session()->getId());
 if ($id != 'all') {
- $query = $query->where('id', $id);
+ $this->validate($request, [
+ 'id' => 'required|alnum|length:15:15',
+ ]);
+ $query = $query->where('id', 'LIKE', $id . '%');
 }
 $query->delete();
diff --git a/tests/Unit/Controllers/SettingsControllerTest.php b/tests/Unit/Controllers/SettingsControllerTest.php
index 1ae5e1b1..661f7bdb 100644
--- a/tests/Unit/Controllers/SettingsControllerTest.php
+++ b/tests/Unit/Controllers/SettingsControllerTest.php
@@ -14,6 +14,7 @@ use Engelsystem\Http\Response;
 use Engelsystem\Models\Session as SessionModel;
 use Engelsystem\Models\User\License;
 use Engelsystem\Models\User\Settings;
+use Illuminate\Support\Str;
 use PHPUnit\Framework\MockObject\MockObject;
 use Symfony\Component\HttpFoundation\Session\Session;
 use Engelsystem\Helpers\Authenticator;
@@ -595,7 +596,7 @@ class SettingsControllerTest extends ControllerTest
 $this->response->expects($this->once()) ->method('withView')
- ->willReturnCallback(function ($view, $data) {
+ ->willReturnCallback(function ($view, $data) {
 $this->assertEquals('pages/settings/sessions', $view);
 $this->assertArrayHasKey('sessions', $data);
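Review bot: The new `$query->where('id', 'LIKE', $id . '%')` line is only safe because the `alnum` rule added just above it keeps the LIKE metacharacters `%` and `_` out of the pattern (assuming `alnum` admits letters and digits only); that coupling is implicit, so a comment on the rule would stop a later relaxation of the character set from quietly turning the prefix into a wildcard, e.g. `// alnum also keeps LIKE wildcards (% and _) out of $id`. A prefix match can also delete more than one row when two sessions share the same 15 leading characters; with 32-character ids that is negligible, but it relies on the query being scoped to the current user by the `where` chain above, which is outside the hunk. Since `$id` is request-supplied text, the `$id != 'all'` comparison could be `!==`. The enclosing method starts and ends outside the hunk.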
@@ -619,7 +620,7 @@ class SettingsControllerTest extends ControllerTest
 $this->setExpects($this->response, 'redirectTo', ['http://localhost/settings/sessions'], $this->response); // Delete old user session
- $this->request = $this->request->withParsedBody(['id' => $this->secondSession->id]);
+ $this->request = $this->request->withParsedBody(['id' => Str::substr($this->secondSession->id, 0, 15)]);
 $this->controller->sessionsDelete($this->request);
 $this->assertHasNotification('settings.sessions.delete_success');
@@ -636,7 +637,7 @@ class SettingsControllerTest extends ControllerTest
 $this->setExpects($this->response, 'redirectTo', null, $this->response); // Delete active user session
- $this->request = $this->request->withParsedBody(['id' => $this->currentSession->id]);
+ $this->request = $this->request->withParsedBody(['id' => Str::substr($this->currentSession->id, 0, 15)]);
 $this->controller->sessionsDelete($this->request);
 $this->assertCount(4, SessionModel::all()); // None got deleted
@@ -652,7 +653,7 @@ class SettingsControllerTest extends ControllerTest
 $this->setExpects($this->response, 'redirectTo', null, $this->response); // Delete another users session
- $this->request = $this->request->withParsedBody(['id' => $this->otherSession->id]);
+ $this->request = $this->request->withParsedBody(['id' => Str::substr($this->otherSession->id, 0, 15)]);
 $this->controller->sessionsDelete($this->request);
 $this->assertCount(4, SessionModel::all()); // None got deleted
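Review bot: The three updated delete cases (here and in the -636 and -652 hunks) only send well-formed 15-character prefixes, so the new `required|alnum|length:15:15` rule in sessionsDelete, which is what keeps the `LIKE` pattern from widening, has no negative test. A case that posts a short or wildcard-bearing id, e.g. `['id' => Str::substr($this->secondSession->id, 0, 5) . '%']`, should fail validation and leave `SessionModel::all()` at its previous count; the exact exception to expect depends on what `validate()` throws, which is not visible here. Without such a case a later loosening of the rule would pass this suite unnoticed.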