Don't rely on

2019-11-17 00:42:44 +11:00 · 2019-11-17 00:42:44 +11:00 · acb3ffd66d
commit acb3ffd66d
parent 1f8860f189
2 changed files with 11 additions and 4 deletions
--- a/auth.php
+++ b/auth.php
@ -137,7 +137,7 @@ class auth_plugin_userkey extends auth_plugin_base {
     * @throws \moodle_exception If something went wrong.
     */
    public function user_login_userkey() {
-        global $SESSION, $CFG;
+        global $SESSION, $CFG, $USER;

        $keyvalue = required_param('key', PARAM_ALPHANUM);
        $wantsurl = optional_param('wantsurl', '', PARAM_URL);
@ -157,8 +157,13 @@ class auth_plugin_userkey extends auth_plugin_base {
            print_error($exception->errorcode);
        }

-        if (isloggedin() && $SESSION->userid != $key->userid) {
-            require_logout();
+        if (isloggedin()) {
+            if ($USER->id != $key->userid) {
+                require_logout();
+            } else {
+                $this->userkeymanager->delete_keys($key->userid);
+                $this->redirect($redirecturl);
+            }
        }

        $this->userkeymanager->delete_keys($key->userid);
--- a/tests/auth_plugin_test.php
+++ b/tests/auth_plugin_test.php
@ -1080,7 +1080,9 @@ class auth_plugin_userkey_testcase extends advanced_testcase {
        } catch (moodle_exception $e) {
            $this->assertEquals($this->user->id, $USER->id);
            $this->assertSame(sesskey(), $USER->sesskey);
-            $this->assertObjectHasAttribute('userkey', $SESSION);
+            $this->assertObjectNotHasAttribute('userkey', $SESSION);
+            $keyexists = $DB->record_exists('user_private_key', array('value' => 'UserLogin'));
+            $this->assertFalse($keyexists);
        }
    }