Filter active sessions belonging to an admin impersonating the user

44c4aad9 · Imre Farkas · 4bb06df7 · 44c4aad9 · 44c4aad9 · 44c4aad9
Commit 44c4aad9 authored Feb 23, 2019 by Imre Farkas
4 changed files
--- a/app/controllers/profiles/active_sessions_controller.rb
+++ b/app/controllers/profiles/active_sessions_controller.rb
@@ -2,7 +2,7 @@

 class Profiles::ActiveSessionsController < Profiles::ApplicationController
  def index
-    @sessions = ActiveSession.list(current_user)
+    @sessions = ActiveSession.list(current_user).reject(&:is_impersonated)
  end

  def destroy

--- a/app/models/active_session.rb
+++ b/app/models/active_session.rb
@@ -5,7 +5,8 @@ class ActiveSession

  attr_accessor :created_at, :updated_at,
    :session_id, :ip_address,
-    :browser, :os, :device_name, :device_type
+    :browser, :os, :device_name, :device_type,
+    :is_impersonated

  def current?(session)
    return false if session_id.nil? || session.id.nil?
@@ -31,7 +32,8 @@ class ActiveSession
        device_type: client.device_type,
        created_at: user.current_sign_in_at || timestamp,
        updated_at: timestamp,
-        session_id: session_id
+        session_id: session_id,
+        is_impersonated: request.session[:impersonator_id].present?
      )

      redis.pipelined do

--- a/spec/features/profiles/active_sessions_spec.rb
+++ b/spec/features/profiles/active_sessions_spec.rb
@@ -7,6 +7,8 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do
    end
  end

+  let(:admin) { create(:admin) }
+
  around do |example|
    Timecop.freeze(Time.zone.parse('2018-03-12 09:06')) do
      example.run
@@ -16,6 +18,7 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do
  it 'User sees their active sessions' do
    Capybara::Session.new(:session1)
    Capybara::Session.new(:session2)
+    Capybara::Session.new(:session3)

    # note: headers can only be set on the non-js (aka. rack-test) driver
    using_session :session1 do
@@ -37,9 +40,27 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do
      gitlab_sign_in(user)
    end

+    # set an admin session impersonating the user
+    using_session :session3 do
+      Capybara.page.driver.header(
+        'User-Agent',
+        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36'
+      )
+
+      gitlab_sign_in(admin)
+
+      visit admin_user_path(user)
+
+      click_link 'Impersonate'
+    end
+
    using_session :session1 do
      visit profile_active_sessions_path

+      expect(page).to(
+        have_selector('ul.list-group li.list-group-item', { text: 'Signed in on',
+                                                            count: 2 }))
+
      expect(page).to have_content(
        '127.0.0.1 ' \
        'This is your current session ' \
@@ -57,6 +78,8 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do
      )

      expect(page).to have_selector '[title="Smartphone"]', count: 1
+
+      expect(page).not_to have_content('Chrome on Windows')
    end
  end


--- a/spec/models/active_session_spec.rb
+++ b/spec/models/active_session_spec.rb
@@ -7,7 +7,10 @@ RSpec.describe ActiveSession, :clean_gitlab_redis_shared_state do
    end
  end

-  let(:session) { double(:session, id: '6919a6f1bb119dd7396fadc38fd18d0d') }
+  let(:session) do
+    double(:session, { id: '6919a6f1bb119dd7396fadc38fd18d0d',
+                       '[]': {} })
+  end

  let(:request) do
    double(:request, {