From 70fb590466b8980e56b316f23308ef48712acb27 Mon Sep 17 00:00:00 2001
From: Mateusz Mandera
Date: Sun, 10 Nov 2024 00:23:57 +0100
Subject: [PATCH] change_realm_subdomain: Revoke user sessions.

If we don't revoke sessions, this can lead to issues when we import a realm (e.g. from Slack) into the original subdomain for the same organization. Because then, users who already had sessions before the move end up stuck:
- when they try to open Zulip on the original subdomain, which now has the imported instance, they get redirected to the moved subdomain due to their pre-existing session cookie.
- they can't even log out to get rid of the bugged cookie, because the account they're logged into in that session is now on the moved subdomain.
---
 zerver/actions/create_realm.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/zerver/actions/create_realm.py b/zerver/actions/create_realm.py
index 4d2d1c6f88..13383f9a1d 100644
--- a/zerver/actions/create_realm.py
+++ b/zerver/actions/create_realm.py
@@ -18,6 +18,7 @@ from zerver.lib.bulk_create import create_users
 from zerver.lib.push_notifications import sends_notifications_directly
 from zerver.lib.remote_server import maybe_enqueue_audit_log_upload
 from zerver.lib.server_initialization import create_internal_realm, server_initialized
+from zerver.lib.sessions import delete_realm_user_sessions
 from zerver.lib.streams import ensure_stream
 from zerver.lib.user_groups import (
 create_system_user_groups_for_realm,
@@ -94,6 +95,9 @@ def do_change_realm_subdomain(
 )
 do_add_deactivated_redirect(placeholder_realm, realm.url)
+ # Sessions can't be deleted inside a transaction.
+ delete_realm_user_sessions(realm)
+
 def set_realm_permissions_based_on_org_type(realm: Realm) -> None:
 """This function implements overrides for the default configuration
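Review bot: No test accompanies the new session revocation in `do_change_realm_subdomain`: the diffstat shows only zerver/actions/create_realm.py changed, so nothing asserts that a user who was logged in before the subdomain change has no valid session afterwards. Going by its comment, `delete_realm_user_sessions(realm)` in the second hunk runs as a separate step after the database changes, so a failure between the two would leave the realm moved with the old sessions still valid, which is the stuck state the commit message describes. The comment could say so, for example `# Sessions can't be deleted inside a transaction, so this runs after the subdomain change is committed; a failure here leaves old sessions valid.` The function body begins above the hunk and indentation is lost on this page, so the call's placement relative to the transaction block is inferred from the comment and should be confirmed.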