From 62f4b39dcf9c0aaec22cad3c0b6a515d5749a21e Mon Sep 17 00:00:00 2001
From: Marco
Date: Sat, 24 Mar 2018 18:15:21 +0100
Subject: [PATCH] Perform logout for user whenever 'force_logout' has been incremented

---
 src/Auth.php | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/src/Auth.php b/src/Auth.php
index 331b00b..5f9d99e 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -156,7 +156,7 @@ final class Auth extends UserManager {
 // fetch the authoritative data from the database again
 try {
 $authoritativeData = $this->db->selectRow(
- 'SELECT email, username, status, roles_mask FROM ' . $this->dbTablePrefix . 'users WHERE id = ?',
+ 'SELECT email, username, status, roles_mask, force_logout FROM ' . $this->dbTablePrefix . 'users WHERE id = ?',
 [ $this->getUserId() ]
 );
 }
@@ -166,20 +166,33 @@ final class Auth extends UserManager {
 // if the user's data has been found
 if (!empty($authoritativeData)) {
- // update the session data
- $_SESSION[self::SESSION_FIELD_EMAIL] = $authoritativeData['email'];
- $_SESSION[self::SESSION_FIELD_USERNAME] = $authoritativeData['username'];
- $_SESSION[self::SESSION_FIELD_STATUS] = (int) $authoritativeData['status'];
- $_SESSION[self::SESSION_FIELD_ROLES] = (int) $authoritativeData['roles_mask'];
+ // the session field may not have been initialized for sessions that had already existed before the introduction of this feature
+ if (!isset($_SESSION[self::SESSION_FIELD_FORCE_LOGOUT])) {
+ $_SESSION[self::SESSION_FIELD_FORCE_LOGOUT] = 0;
+ }
+
+ // if the counter that keeps track of forced logouts has been incremented
+ if ($authoritativeData['force_logout'] > $_SESSION[self::SESSION_FIELD_FORCE_LOGOUT]) {
+ // the user must be signed out
+ $this->logOut();
+ }
+ // if the counter that keeps track of forced logouts has remained unchanged
+ else {
+ // the session data needs to be updated
+ $_SESSION[self::SESSION_FIELD_EMAIL] = $authoritativeData['email'];
+ $_SESSION[self::SESSION_FIELD_USERNAME] = $authoritativeData['username'];
+ $_SESSION[self::SESSION_FIELD_STATUS] = (int) $authoritativeData['status'];
+ $_SESSION[self::SESSION_FIELD_ROLES] = (int) $authoritativeData['roles_mask'];
+
+ // remember that we've just performed the required resynchronization
+ $_SESSION[self::SESSION_FIELD_LAST_RESYNC] = \time();
+ }
 }
 // if no data has been found for the user
 else {
 // their account may have been deleted so they should be signed out
 $this->logOut();
 }
-
- // remember that we've just performed resynchronization
- $_SESSION[self::SESSION_FIELD_LAST_RESYNC] = \time();
 }
 }
 }
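Review bot: The new forced-logout check compares `$authoritativeData['force_logout']` without the `(int)` cast that the neighbouring `status` and `roles_mask` assignments apply, so the `>` is a loose comparison between whatever the driver returns (a numeric string, or NULL if the column was added as nullable) and the session integer; `if ((int) $authoritativeData['force_logout'] > (int) $_SESSION[self::SESSION_FIELD_FORCE_LOGOUT]) {` keeps it consistent with the rest of the hunk and makes a NULL column behave as zero explicitly. Since this check sits inside the resynchronization path that also stamps `SESSION_FIELD_LAST_RESYNC`, an incremented counter presumably ends the session only at the next resync rather than immediately, which is worth stating above the `if`: `// note: a forced logout takes effect at the next resynchronization, not immediately`. Whether the session counter is seeded from the database value at login is not visible here and should be confirmed, because a fresh session that starts at the `isset` default of 0 would otherwise be signed out on its first resync for any user whose counter is already non-zero. The enclosing method begins outside this hunk.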