
feat: logout other sessions on email change #33846

Merged (10 commits) Jan 29, 2024

Conversation

syedsajjadkazmii
Contributor

Logout of other sessions on email change.

@syedsajjadkazmii syedsajjadkazmii force-pushed the sajjad/VAN-1694 branch 8 times, most recently from 6248964 to 1d02808 Compare December 1, 2023 09:19

@robrap robrap left a comment


I haven’t done a detailed review yet, but wanted to pass on some higher level thoughts. Thank you.

Review comment on openedx/core/djangoapps/safe_sessions/middleware.py (outdated, resolved)

@robrap robrap left a comment


Thanks. Some additional comments.

Review comments (outdated, resolved) on:
  • openedx/core/djangoapps/safe_sessions/middleware.py (two threads)
  • openedx/core/djangoapps/user_authn/views/login.py
  • common/djangoapps/student/signals/receivers.py
@robrap robrap added the waiting on author PR author needs to resolve review requests, answer questions, fix tests, etc. label Dec 5, 2023
@syedsajjadkazmii syedsajjadkazmii force-pushed the sajjad/VAN-1694 branch 7 times, most recently from 3bb06de to a86486b Compare December 7, 2023 11:24
@syedsajjadkazmii
Contributor Author

> Related, you can see some of the exemptions of SafeSessions by searching for uses of mark_user_change_as_expected. Also see notes about some of the exemptions. Additionally, masquerading needed exemptions. This code for email check may not run into the same issues, but a little testing and a safety net toggle won't hurt.
> Please confirm what types of manual testing you have also done, including if you test that masquerading is not affected. Thank you.

I manually tested the following scenarios

  • With the ENFORCE_SESSION_EMAIL_MATCH flag set to false, I logged into both Chrome and Safari using the same email. After changing the email in Safari, I observed that I remained logged in to both browsers.
  • With the ENFORCE_SESSION_EMAIL_MATCH flag set to true, I again logged into both Chrome and Safari with the same email. Following an email change in Safari, I observed that I remained logged in to Safari, but the session was invalidated in Chrome.

Regarding masquerading, I interpreted it as the ability to view the platform as other users in the dashboard. I tested it by masquerading as other users in the dashboard, and everything worked as expected. However, if there's a different interpretation or specific aspects related to masquerading that require testing, please provide clarification. I would be happy to test that too.

@robrap
Copy link
Contributor

robrap commented Dec 11, 2023

> Regarding masquerading, I interpreted it as the ability to view the platform as other users in the dashboard. I tested it by masquerading as other users in the dashboard, and everything worked as expected. However, if there's a different interpretation or specific aspects related to masquerading that require testing, please provide clarification. I would be happy to test that too.

Yes. Just making sure masquerading still works appropriately when ENFORCE_SESSION_EMAIL_MATCH is enabled. I think masquerading messes with the session, but maybe it does so outside of the scope of your check, or maybe not in the way I think. So, as long as it isn't broken, that sounds good.


@robrap robrap left a comment


I added a variety of thoughts. Good luck. You are welcome to reach out to others if you want to make steady progress before January.

Review comments (outdated, resolved) on:
  • openedx/core/djangoapps/safe_sessions/middleware.py (two threads)
  • cms/djangoapps/contentstore/tests/tests.py
  • common/djangoapps/student/views/management.py
  • openedx/core/djangoapps/user_authn/cookies.py
  • openedx/core/djangoapps/user_authn/views/login.py
@syedsajjadkazmii syedsajjadkazmii force-pushed the sajjad/VAN-1694 branch 5 times, most recently from fdecb1f to 8806707 Compare January 8, 2024 12:46

@robrap robrap left a comment


Thanks for the updates. Looks good. Just minor requests and thoughts. Thanks.

Review comments (outdated, resolved) on:
  • openedx/core/djangoapps/safe_sessions/middleware.py (three threads)
  • openedx/core/djangoapps/user_authn/views/login.py
  • common/djangoapps/student/views/management.py

@robrap robrap left a comment


Thank you. I'm going to see what you decide about some of my comments before trying to see if we have all the test cases covered.

Review comment on lms/envs/common.py (outdated, resolved)

@robrap robrap left a comment


Thank you. A minor comment (I hope). This is just about ready.

Lastly, once you make any final updates, if you could do one more manual check of masquerading, that would be great.

@syedsajjadkazmii syedsajjadkazmii force-pushed the sajjad/VAN-1694 branch 5 times, most recently from da7804b to 2b22484 Compare January 25, 2024 14:50

@robrap robrap left a comment


Nice. Thank you.

if request.session.get('email', None) is None:
# .. custom_attribute_name: session_with_no_email_found
# .. custom_attribute_description: Indicates that user's email was not
# stored in the user's session.

Nit: Since we are updating the session.

Suggested change
# stored in the user's session.
# yet stored in the user's session.
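As an added illustration (not the edx-platform SafeSessions code), the following Python model puts the two manually tested scenarios above and the reviewed "no email in session yet" branch into one runnable check. The session type, the attribute name `session_email_mismatch`, the e-mail addresses and the browser names are constructed for this example; `ENFORCE_SESSION_EMAIL_MATCH` and `session_with_no_email_found` are the names from the PR.

```python
# Added illustrative model of an "email must match the session" check with a
# safety-net toggle; not the edx-platform SafeSessions middleware.
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for one browser's server-side session."""
    data: dict = field(default_factory=dict)
    active: bool = True

    def flush(self):
        """Invalidate the session, as a logout would."""
        self.data.clear()
        self.active = False


def check_session_email(session, current_email, enforce, attributes):
    """Return True if the request may proceed, False if the session was invalidated.

    `enforce` stands for ENFORCE_SESSION_EMAIL_MATCH; `attributes` collects the
    monitoring attributes (session_with_no_email_found is from the PR, the rest is assumed).
    """
    stored = session.data.get('email', None)
    if stored is None:
        # Session predates the email being stored (e.g. created before this
        # change was deployed): record it and backfill instead of logging out.
        attributes['session_with_no_email_found'] = True
        session.data['email'] = current_email
        return True
    if stored == current_email:
        return True
    attributes['session_email_mismatch'] = True
    if not enforce:
        return True            # toggle off: observe only, keep the session
    session.flush()            # toggle on: the stale session is logged out
    return False


def run_scenario(enforce):
    """Two browsers log in as one user; the email is then changed in the second.

    The browser making the change updates its own session, so it stays logged in.
    Returns (other_browser_still_logged_in, changing_browser_still_logged_in).
    """
    email, new_email = 'learner@example.com', 'learner.new@example.com'  # constructed
    chrome, safari = Session({'email': email}), Session({'email': email})
    safari.data['email'] = new_email   # the browser that made the change
    attrs = {}
    chrome_ok = check_session_email(chrome, new_email, enforce, attrs)
    safari_ok = check_session_email(safari, new_email, enforce, attrs)
    return chrome_ok, safari_ok
```

With the toggle off both browsers stay logged in; with it on, only the browser that changed the email keeps its session, matching the two manual test results described in the thread.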

github-actions bot and others added 2 commits January 29, 2024 14:17
Commit generated by workflow `openedx/edx-platform/.github/workflows/upgrade-one-python-dependency.yml@refs/heads/master`

Co-authored-by: syedsajjadkazmii <[email protected]>
@syedsajjadkazmii syedsajjadkazmii merged commit cb2a34e into master Jan 29, 2024
64 checks passed
@syedsajjadkazmii syedsajjadkazmii deleted the sajjad/VAN-1694 branch January 29, 2024 09:43
@edx-pipeline-bot

2U Release Notice: This PR has been deployed to the edX staging environment in preparation for a release to production.

@edx-pipeline-bot

2U Release Notice: This PR has been deployed to the edX production environment.
