Fixes #38138 - As a user, I want to invalidate JWTs for all users.

theforeman · Jan 17, 2025 · 6967f38 · 6967f38
1 parent 0ea2685
commit 6967f38
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 2 deletions.
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -93,6 +93,14 @@ def impersonate
     end
   end
 
+  def invalidate_jwt_for_all_users
+    user_ids = User.authorized(:edit_users).except_hidden.ids.uniq
+    JwtSecret.where(user_id: user_ids).destroy_all
+    process_success(
+      :success_msg => _('Successfully invalidated registration tokens for all users.')
+    )
+  end
+
   def invalidate_jwt
     @user = find_resource(:edit_users)
     @user.jwt_secret&.destroy

diff --git a/app/views/users/index.html.erb b/app/views/users/index.html.erb
@@ -1,6 +1,9 @@
 <% title _("Users") %>
 
-<% title_actions new_link(_("Create User")) %>
+<% title_actions new_link(_("Create User")), new_link(_("Invalidate JWTs for all users"),
+    hash_for_invalidate_jwt_for_all_users_users_path.merge(:auth_object => User.current, :permission => "edit_users"),
+    :method => :delete,
+    :data => { :confirm => _("Invalidate all JSON Web Tokens for all users?") }) %>
 
 <table class="<%= table_css_classes 'table-fixed' %>">
   <thead>

diff --git a/config/initializers/f_foreman_permissions.rb b/config/initializers/f_foreman_permissions.rb
@@ -562,7 +562,7 @@
       :users => [:new, :create],
       :"api/v2/users" => [:create]
     map.permission :edit_users,
-      :users => [:edit, :update, :invalidate_jwt],
+      :users => [:edit, :update, :invalidate_jwt, :invalidate_jwt_for_all_users],
       :"api/v2/users" => [:update],
       :"api/v2/registration_tokens" => [:invalidate_jwt_tokens, :invalidate_jwt]
     map.permission :destroy_users,

diff --git a/config/routes.rb b/config/routes.rb
@@ -253,6 +253,7 @@
       get 'extlogout'
       get 'auto_complete_search'
       delete 'stop_impersonation'
+      delete 'invalidate_jwt_for_all_users'
     end
     member do
       post 'impersonate'