From 1f6f186b9890a03a05792d621e6427090eb5a1fa Mon Sep 17 00:00:00 2001
From: Kaartic Sivaraam
Date: Sun, 12 May 2024 23:09:07 +0530
Subject: [PATCH] Ensure to clear the cookies when logging out

It turns out that we failed to clear the cookies from the cookie JAR when logging the user out. As a consequence, the cookie were retained and it was possible to edit depictions as the previous user even without logging in to the app (using the retained cookies). Make sure we properly clear the cookies when we log the user out. As an aside, the fact that the edit button shouldn't have been shown is a different issue being tracked in #5726
---
 .../main/java/fr/free/nrw/commons/CommonsApplication.java | 1 +
 .../main/java/fr/free/nrw/commons/auth/SessionManager.java | 4 +---
 .../java/fr/free/nrw/commons/auth/csrf/CsrfTokenClient.kt | 1 -
 .../fr/free/nrw/commons/wikidata/cookies/CommonsCookieJar.kt | 5 +++++
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/app/src/main/java/fr/free/nrw/commons/CommonsApplication.java b/app/src/main/java/fr/free/nrw/commons/CommonsApplication.java
index 93413213d..09e34100c 100644
--- a/app/src/main/java/fr/free/nrw/commons/CommonsApplication.java
+++ b/app/src/main/java/fr/free/nrw/commons/CommonsApplication.java
@@ -294,6 +294,7 @@ public class CommonsApplication extends MultiDexApplication {
 }
 sessionManager.logout()
+ .andThen(Completable.fromAction(() -> cookieJar.clear()))
 .andThen(Completable.fromAction(() -> {
 Timber.d("All accounts have been removed");
 clearImageCache();
diff --git a/app/src/main/java/fr/free/nrw/commons/auth/SessionManager.java b/app/src/main/java/fr/free/nrw/commons/auth/SessionManager.java
index f5395ceda..d0ccf87ef 100644
--- a/app/src/main/java/fr/free/nrw/commons/auth/SessionManager.java
+++ b/app/src/main/java/fr/free/nrw/commons/auth/SessionManager.java
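Review bot: The cookie jar is cleared only if `sessionManager.logout()` completes, because `andThen` is skipped when the upstream Completable terminates with an error; a failure while removing accounts would therefore leave the session cookies — the credential this commit is fixing — in the jar. Consider clearing the cookies independently of account removal, for example `Completable.fromAction(cookieJar::clear).andThen(sessionManager.logout())`, or otherwise making sure the clear still runs on the error path; what the chain's subscriber does on error is outside the hunk, so this is inferred from the visible lines. The enclosing method starts and ends outside the hunk.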
@@ -122,9 +122,7 @@ public class SessionManager {
 }
 /**
- * 1. Clears existing accounts from account manager
- * 2. Calls MediaWikiApi's logout function to clear cookies
- * @return
+ * Returns a Completable that clears existing accounts from account manager
 */
 public Completable logout() {
 AccountManager accountManager = AccountManager.get(context);
diff --git a/app/src/main/java/fr/free/nrw/commons/auth/csrf/CsrfTokenClient.kt b/app/src/main/java/fr/free/nrw/commons/auth/csrf/CsrfTokenClient.kt
index 9e3136237..88cc6b953 100644
--- a/app/src/main/java/fr/free/nrw/commons/auth/csrf/CsrfTokenClient.kt
+++ b/app/src/main/java/fr/free/nrw/commons/auth/csrf/CsrfTokenClient.kt
@@ -10,7 +10,6 @@ import fr.free.nrw.commons.auth.login.LoginResult
 import retrofit2.Call
 import retrofit2.Response
 import timber.log.Timber
-import java.io.IOException
 import java.util.concurrent.Callable
 import java.util.concurrent.Executors.newSingleThreadExecutor
diff --git a/app/src/main/java/fr/free/nrw/commons/wikidata/cookies/CommonsCookieJar.kt b/app/src/main/java/fr/free/nrw/commons/wikidata/cookies/CommonsCookieJar.kt
index 34b38ab80..fbc88f55a 100644
--- a/app/src/main/java/fr/free/nrw/commons/wikidata/cookies/CommonsCookieJar.kt
+++ b/app/src/main/java/fr/free/nrw/commons/wikidata/cookies/CommonsCookieJar.kt
@@ -95,4 +95,9 @@ class CommonsCookieJar(private val cookieStorage: CommonsCookieStorage) : Cookie
 private fun Cookie.domainSpec(url: HttpUrl): String =
 domain.ifEmpty { url.toUri().getAuthority() }
+
+ fun clear() {
+ cookieStorage.clear()
+ }
+
 }
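Review bot: The rewritten Javadoc on `logout()` drops the sentence about cookies without stating that cookie clearing is now the caller's responsibility, so any other caller of `logout()` would still leave session cookies in the jar — the exact condition this commit fixes. Suggest adding to the Javadoc: `* Does NOT clear the HTTP cookie jar; callers must clear {@code CommonsCookieJar} separately (see {@code CommonsApplication}).` Whether other callers exist is not visible from the hunk, and the body of `logout()` continues outside it.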
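Review bot: The new `clear()` in CommonsCookieJar has no KDoc, and since it now guards the post-logout session it deserves one: `/** Removes every stored cookie; called on logout so a later user cannot reuse the previous session. */`. It delegates entirely to `cookieStorage.clear()`, so if CommonsCookieStorage keeps a persisted copy of the cookies (not visible here), confirm that its `clear()` removes that copy as well, otherwise the session could reappear after an app restart.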