Invalidate sessions and Fever passwords when renaming users

3 years ago · 405f3af257
2 changed files with 27 additions and 8 deletions
--- a/lib/User.php
+++ b/lib/User.php
@ -106,12 +106,17 @@ class User {
    public function rename(string $user, string $newName): bool {
        if ($this->u->userRename($user, $newName)) {
            $tr = Arsse::$db->begin();
            if (!Arsse::$db->userExists($user)) {
                Arsse::$db->userAdd($newName, null);
                return true;
            } else {
-                return Arsse::$db->userRename($user, $newName);
+                Arsse::$db->userRename($user, $newName);
                // invalidate any sessions and Fever passwords
                Arsse::$db->sessionDestroy($newName);
                Arsse::$db->tokenRevoke($newName, "fever.login");
            }
            $tr->commit();
            return true;
        }
        return false;
    }
--- a/tests/cases/User/TestUser.php
+++ b/tests/cases/User/TestUser.php
@ -183,6 +183,8 @@ class TestUser extends \JKingWeb\Arsse\Test\AbstractTest {
    }
    public function testRenameAUser(): void {
        $tr = \Phake::mock(Transaction::class);
        \Phake::when(Arsse::$db)->begin->thenReturn($tr);
        \Phake::when(Arsse::$db)->userExists->thenReturn(true);
        \Phake::when(Arsse::$db)->userAdd->thenReturn(true);
        \Phake::when(Arsse::$db)->userRename->thenReturn(true);
@ -191,12 +193,20 @@ class TestUser extends \JKingWeb\Arsse\Test\AbstractTest {
        $old = "john.doe@example.com";
        $new  = "jane.doe@example.com";
        $this->assertTrue($u->rename($old, $new));
-        \Phake::verify($this->drv)->userRename($old, $new);
+        \Phake::inOrder(
-        \Phake::verify(Arsse::$db)->userExists($old);
+            \Phake::verify($this->drv)->userRename($old, $new),
-        \Phake::verify(Arsse::$db)->userRename($old, $new);
+            \Phake::verify(Arsse::$db)->begin(),
            \Phake::verify(Arsse::$db)->userExists($old),
            \Phake::verify(Arsse::$db)->userRename($old, $new),
            \Phake::verify(Arsse::$db)->sessionDestroy($new),
            \Phake::verify(Arsse::$db)->tokenRevoke($new, "fever.login"),
            \Phake::verify($tr)->commit()
        );
    }
    public function testRenameAUserWeDoNotKnow(): void {
        $tr = \Phake::mock(Transaction::class);
        \Phake::when(Arsse::$db)->begin->thenReturn($tr);
        \Phake::when(Arsse::$db)->userExists->thenReturn(false);
        \Phake::when(Arsse::$db)->userAdd->thenReturn(true);
        \Phake::when(Arsse::$db)->userRename->thenReturn(true);
@ -205,9 +215,13 @@ class TestUser extends \JKingWeb\Arsse\Test\AbstractTest {
        $old = "john.doe@example.com";
        $new  = "jane.doe@example.com";
        $this->assertTrue($u->rename($old, $new));
-        \Phake::verify($this->drv)->userRename($old, $new);
+        \Phake::inOrder(
-        \Phake::verify(Arsse::$db)->userExists($old);
+            \Phake::verify($this->drv)->userRename($old, $new),
-        \Phake::verify(Arsse::$db)->userAdd($new, null);
+            \Phake::verify(Arsse::$db)->begin(),
            \Phake::verify(Arsse::$db)->userExists($old),
            \Phake::verify(Arsse::$db)->userAdd($new, null),
            \Phake::verify($tr)->commit()
        );
    }
    public function testRenameAUserWithoutEffect(): void {