Destroy user's sessions when (Bug 1328705)

- users change his/her password
- admins delete the user's account

Change-Id: Id88207309770dae3eb803abe1f23f97a6b8eb3c8
Signed-off-by: Son Nguyen <son.nguyen@catalyst.net.nz>

htdocs/account/index.php

@@ -181,12 +181,14 @@ function accountprefs_submit(Pieform $form, $values) {
     $authobj = AuthFactory::create($USER->authinstance);
 
     db_begin();
+    $ispasswordchanged = false;
     if (isset($values['password1']) && $values['password1'] !== '') {
         global $authclass;
         $password = $authobj->change_password($USER, $values['password1']);
         $USER->password = $password;
         $USER->passwordchange = 0;
         $USER->commit();
+        $ispasswordchanged = true;
     }
 
     // use this as looping through values is not safe.
@@ -234,6 +236,12 @@ function accountprefs_submit(Pieform $form, $values) {
         $reload = true;
     }
 
+    if ($ispasswordchanged) {
+        // Destroy other sessions of the user
+        require_once(get_config('docroot') . 'auth/session.php');
+        remove_user_sessions($USER->get('id'));
+    }
+
     db_commit();
 
     $returndata['message'] = get_string('prefssaved', 'account');

htdocs/lib/user.php

@@ -1382,6 +1382,10 @@ function delete_user($userid) {
 
     handle_event('deleteuser', $userid);
 
+    // Destroy all active sessions of the deleted user
+    require_once(get_config('docroot') . 'auth/session.php');
+    remove_user_sessions($userid);
+
     db_commit();
 }