Ensure to clear the cookies when logging out

It turns out that we failed to clear the cookies from the cookie jar
when logging the user out. As a consequence, the cookies were retained
and it was possible to edit depictions as the previous user even without
logging in to the app (using the retained cookies).

Make sure we properly clear the cookies when we log the user out.

As an aside, the fact that the edit button shouldn't have been shown
is a different issue being tracked in #5726
Kaartic Sivaraam 2024-05-12 23:09:07 +05:30
parent 7e84a447d4
commit 1f6f186b98
4 changed files with 7 additions and 4 deletions

@ -294,6 +294,7 @@ public class CommonsApplication extends MultiDexApplication {
}
sessionManager.logout()
.andThen(Completable.fromAction(() -> cookieJar.clear()))
.andThen(Completable.fromAction(() -> {
Timber.d("All accounts have been removed");
clearImageCache();
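Review bot: in this chain `cookieJar.clear()` is attached with `.andThen(...)` after `sessionManager.logout()`, so it only runs when `logout()` completes successfully. If account removal signals an error, the chain terminates before the clear and the session cookies stay in the jar, which is the condition this commit is meant to eliminate. Consider making the clear independent of the outcome, for example by running it before `sessionManager.logout()` or attaching it with `doFinally`, and handle the error path explicitly.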

@ -122,9 +122,7 @@ public class SessionManager {
}
/**
* 1. Clears existing accounts from account manager
* 2. Calls MediaWikiApi's logout function to clear cookies
* @return
* Returns a Completable that clears existing accounts from account manager
*/
public Completable logout() {
AccountManager accountManager = AccountManager.get(context);
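Review bot: the summary on `logout()`, "Returns a Completable that clears existing accounts from account manager", should also state that cookies are not cleared by this method and that the caller has to clear the cookie jar itself. As written, a future call site can call `logout()` alone and leave the session cookies in place. Either document that requirement here or have the logout path own the cookie clearing so it cannot be skipped. The description would also sit better under the `@return` tag that appears in this comment block.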

@ -10,7 +10,6 @@ import fr.free.nrw.commons.auth.login.LoginResult
import retrofit2.Call
import retrofit2.Response
import timber.log.Timber
import java.io.IOException
import java.util.concurrent.Callable
import java.util.concurrent.Executors.newSingleThreadExecutor

@ -95,4 +95,9 @@ class CommonsCookieJar(private val cookieStorage: CommonsCookieStorage) : Cookie
private fun Cookie.domainSpec(url: HttpUrl): String =
domain.ifEmpty { url.toUri().getAuthority() }
fun clear() {
cookieStorage.clear()
}
}
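Review bot: `clear()` at the end of `CommonsCookieJar` has no KDoc. Add one saying that it wipes every stored cookie through `cookieStorage.clear()` and is intended for logout. It is also worth confirming that a response arriving after `clear()` cannot write cookies back into `cookieStorage`, and adding a test that asserts the jar returns no cookies after a logout.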