From 02f1490cb622e30f92050c63b83079a31f47eb31 Mon Sep 17 00:00:00 2001
From: Logan Hanks
Date: Mon, 27 Aug 2012 15:44:40 -0700
Subject: [PATCH] Revoke oauth2 access tokens when a user clears sessions.
---
r2/r2/controllers/api.py | 4 ++++
r2/r2/models/token.py | 7 +++++++
2 files changed, 11 insertions(+)
diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index ad6810ee9..8ceedd352 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -668,6 +668,10 @@ class ApiController(RedditController, OAuth2ResourceController):
form.set_html('.status', _('all other sessions have been logged out'))
form.set_inputs(curpass = "")
+
+ # deauthorize all access tokens
+ OAuth2AccessToken.revoke_all_by_user(c.user)
+
# run the change password command to get a new salt
change_password(c.user, password)
# the password salt has changed, so the user's cookie has been
diff --git a/r2/r2/models/token.py b/r2/r2/models/token.py
index e22be7051..0b98bd66d 100644
--- a/r2/r2/models/token.py
+++ b/r2/r2/models/token.py
@@ -326,6 +326,13 @@ class OAuth2AccessToken(Token):
else:
tba._commit()
+ @classmethod
+ def revoke_all_by_user(cls, account):
+ """Revokes all access tokens for a given user Account."""
+ tokens = cls._by_user(account)
+ for token in tokens:
+ token.revoke()
+ @classmethod
+ def _by_user(cls, account):
+ """Returns a (possibly empty) list of valid access tokens for a given user Account."""
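Review bot: `OAuth2AccessToken` is used in the api.py hunk but this commit adds no import to that file (its diffstat is 4 insertions, all in this hunk), so the call relies on the name already being in scope there; worth confirming, since a NameError would surface only on the clear-sessions path. The revocation also runs after `form.set_html` has already reported that all other sessions were logged out, so a failure inside `revoke_all_by_user` would abort before `change_password` while the form still claims success; consider placing the revocation alongside the salt change so both share one error path. The comment could say why this belongs here: `# revoke every valid OAuth2 access token so API clients are logged out along with browser sessions`. The enclosing method starts and ends outside the hunk.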
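Review bot: `revoke_all_by_user` discards how many tokens it touched, so the caller in api.py has nothing to log or audit for the revocation; returning the count is a one-line, signature-compatible change, `return len(tokens)`, placed after the loop. The docstring should also state the scope it inherits from `_by_user`, whose own docstring says it returns only valid tokens, e.g. `"""Revoke every currently valid access token for *account*; tokens that _by_user does not return are left untouched."""`. If the count is not returned, the intermediate `tokens` name adds nothing and `for token in cls._by_user(account):` reads more directly. `_by_user`'s body continues outside the hunk.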