From 6f5707a0fc8b596c49c8e407163665ce74b4ea4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Mon, 17 Jul 2017 13:14:45 +0200
Subject: [PATCH] Attach identity reset to logout signals

Safer than doing it manually
---
 src/octoprint/server/__init__.py | 29 +++++++++++++++++++++++++---
 src/octoprint/server/api/__init__.py | 11 +++++------
 2 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/src/octoprint/server/__init__.py b/src/octoprint/server/__init__.py
index 0d986c86..d7c85d84 100644
--- a/src/octoprint/server/__init__.py
+++ b/src/octoprint/server/__init__.py
@@ -7,9 +7,9 @@ __copyright__ = "Copyright (C) 2014 The OctoPrint Project - Released under terms
 import uuid
 from sockjs.tornado import SockJSRouter
-from flask import Flask, g, request, session, Blueprint, Request, Response
-from flask.ext.login import LoginManager, current_user
-from flask.ext.principal import Principal, Permission, RoleNeed, identity_loaded, UserNeed
+from flask import Flask, g, request, session, Blueprint, Request, Response, current_app
+from flask.ext.login import LoginManager, current_user, session_protected, user_logged_out
+from flask.ext.principal import Principal, Permission, RoleNeed, identity_loaded, identity_changed, UserNeed, AnonymousIdentity
 from flask.ext.babel import Babel, gettext, ngettext
 from flask.ext.assets import Environment, Bundle
 from babel import Locale
@@ -96,6 +96,29 @@ def on_identity_loaded(sender, identity): if user.is_admin(): identity.provides.add(RoleNeed("admin")) + +def _clear_identity(sender): + # Remove session keys set by Flask-Principal + for key in ('identity.id', 'identity.name', 'identity.auth_type'): + if key in session: + del session[key] + + # switch to anonymous identity + identity_changed.send(sender, identity=AnonymousIdentity()) + + +@session_protected.connect_via(app) +def on_session_protected(sender): + # session was protected, that means the user is no more and we need to clear our identity + _clear_identity(sender) + + +@user_logged_out.connect_via(app) +def on_user_logged_out(sender, user=None): + # user was logged out, clear identity + _clear_identity(sender) + + def load_user(id): if id == "_api": return users.ApiUser() diff --git a/src/octoprint/server/api/__init__.py b/src/octoprint/server/api/__init__.py index 809d50b5..b74ff63b 100644 --- a/src/octoprint/server/api/__init__.py +++ b/src/octoprint/server/api/__init__.py @@ -222,22 +222,21 @@ def login(): @api.route("/logout", methods=["POST"]) @restricted_access def logout(): - # Remove session keys set by Flask-Principal - for key in ('identity.id', 'identity.name', 'identity.auth_type'): - if key in session: - del session[key] - identity_changed.send(current_app._get_current_object(), identity=AnonymousIdentity()) - + # logout from user manager... _logout(current_user) + + # ... and from flask login (and principal) logout_user() return NO_CONTENT + def _logout(user): if "usersession.id" in session: del session["usersession.id"] octoprint.server.userManager.logout_user(user) + @api.route("/util/test", methods=["POST"]) @restricted_access @admin_permission.require(403)
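Review bot: The comment in on_session_protected ("the user is no more") only holds when flask-login's session_protection is "strong"; the session_protected signal is also sent in "basic" mode, where flask-login merely marks the session non-fresh and leaves the user logged in, so clearing the Principal identity there would leave current_user authenticated while g.identity is anonymous. Whether the app configures "strong" is not visible in this hunk, so the handler should state the dependency, e.g. `# session_protected also fires in "basic" mode, where the user stays logged in; this handler assumes session_protection = "strong"`. Sending identity_changed also makes Flask-Principal re-emit identity_loaded with the AnonymousIdentity (id None), so on_identity_loaded above this hunk runs again for the anonymous case — presumably it already tolerates a None/unknown user, but that is worth confirming.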
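Review bot: The new comment `# ... and from flask login (and principal)` promises a Principal reset that logout() no longer performs itself; it now depends on a user_logged_out handler being connected to the app elsewhere, which nothing in this module shows. Reference it so a later reader does not conclude the identity reset was dropped: `# ... and from flask login; Flask-Principal's identity is reset by the user_logged_out handler in octoprint.server`. With the identity_changed call removed, the identity_changed and AnonymousIdentity imports at the top of this file may now be unused — not visible in this hunk.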