云策 WordPress 开发者社区

函数文档

wp_ajax_destroy_sessions()

查看官方原文 ↗
💡 云策文档标注

概述

wp_ajax_destroy_sessions() 是一个 WordPress AJAX 处理函数,用于销毁用户的多个开放会话。它通过验证用户权限和非ce,调用 WP_Session_Tokens 类来管理会话销毁,并返回 JSON 响应。

关键要点

  • 函数通过 AJAX 处理用户会话销毁,支持销毁当前用户的其他会话或指定用户的所有会话。
  • 使用 get_userdata() 获取用户数据,并通过 current_user_can() 和 wp_verify_nonce() 进行权限和安全验证。
  • 根据当前用户与目标用户是否相同,调用 WP_Session_Tokens::destroy_others() 或 destroy_all() 方法。
  • 返回 JSON 响应,使用 wp_send_json_success() 或 wp_send_json_error() 指示操作结果。

代码示例

function wp_ajax_destroy_sessions() {
    $user = get_userdata( (int) $_POST['user_id'] );

    if ( $user ) {
        if ( ! current_user_can( 'edit_user', $user->ID ) ) {
            $user = false;
        } elseif ( ! wp_verify_nonce( $_POST['nonce'], 'update-user_' . $user->ID ) ) {
            $user = false;
        }
    }

    if ( ! $user ) {
        wp_send_json_error(
            array(
                'message' => __( 'Could not log out user sessions. Please try again.' ),
            )
        );
    }

    $sessions = WP_Session_Tokens::get_instance( $user->ID );

    if ( get_current_user_id() === $user->ID ) {
        $sessions->destroy_others( wp_get_session_token() );
        $message = __( 'You are now logged out everywhere else.' );
    } else {
        $sessions->destroy_all();
        /* translators: %s: User's display name. */
        $message = sprintf( __( '%s has been logged out.' ), $user->display_name );
    }

    wp_send_json_success( array( 'message' => $message ) );
}

注意事项

  • 函数依赖于 POST 参数 user_id 和 nonce,需确保前端正确传递这些数据。
  • 权限检查使用 'edit_user' 能力,确保当前用户有编辑目标用户的权限。
  • 非ce验证基于用户 ID,防止 CSRF 攻击。
  • 销毁会话时区分当前用户和其他用户,避免意外注销当前会话。
📄 原文内容

Handles destroying multiple open sessions for a user via AJAX.

Source

function wp_ajax_destroy_sessions() {
	$user = get_userdata( (int) $_POST['user_id'] );

	if ( $user ) {
		if ( ! current_user_can( 'edit_user', $user->ID ) ) {
			$user = false;
		} elseif ( ! wp_verify_nonce( $_POST['nonce'], 'update-user_' . $user->ID ) ) {
			$user = false;
		}
	}

	if ( ! $user ) {
		wp_send_json_error(
			array(
				'message' => __( 'Could not log out user sessions. Please try again.' ),
			)
		);
	}

	$sessions = WP_Session_Tokens::get_instance( $user->ID );

	if ( get_current_user_id() === $user->ID ) {
		$sessions->destroy_others( wp_get_session_token() );
		$message = __( 'You are now logged out everywhere else.' );
	} else {
		$sessions->destroy_all();
		/* translators: %s: User's display name. */
		$message = sprintf( __( '%s has been logged out.' ), $user->display_name );
	}

	wp_send_json_success( array( 'message' => $message ) );
}

View all references View on Trac View on GitHub

Uses Description
WP_Session_Tokens::get_instance()wp-includes/class-wp-session-tokens.php

Retrieves a session manager instance for a user.
wp_get_session_token()wp-includes/user.php

Retrieves the current session token from the logged_in cookie.
wp_verify_nonce()wp-includes/pluggable.php

Verifies that a correct security nonce was used with time limit.
current_user_can()wp-includes/capabilities.php

Returns whether the current user has the specified capability.
__()wp-includes/l10n.php

Retrieves the translation of $text.
get_userdata()wp-includes/pluggable.php

Retrieves user info by user ID.
wp_send_json_error()wp-includes/functions.php

Sends a JSON response back to an Ajax request, indicating failure.
wp_send_json_success()wp-includes/functions.php

Sends a JSON response back to an Ajax request, indicating success.
get_current_user_id()wp-includes/user.php

Gets the current user’s ID.

Show 6 moreShow less

Changelog

Version Description
4.1.0 Introduced.