Properly catch InvalidTokenException for better error response
authorMorris Jobke <hey@morrisjobke.de>
Tue, 9 Jan 2018 10:41:08 +0000 (11:41 +0100)
committerMorris Jobke <hey@morrisjobke.de>
Tue, 9 Jan 2018 10:44:52 +0000 (11:44 +0100)
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
settings/Controller/AuthSettingsController.php
tests/Settings/Controller/AuthSettingsControllerTest.php

index 7bb8a6654e646dd9b105ecaca8379bd21f501e01..8c0da77bcecf0db2cd32821020f9667e4f9b0076 100644 (file)
@@ -190,9 +190,18 @@ class AuthSettingsController extends Controller {
         *
         * @param int $id
         * @param array $scope
+        * @return array|JSONResponse
         */
        public function update($id, array $scope) {
-               $token = $this->tokenProvider->getTokenById($id);
+               try {
+                       $token = $this->tokenProvider->getTokenById((string)$id);
+                       if ($token->getUID() !== $this->uid) {
+                               throw new InvalidTokenException('User mismatch');
+                       }
+               } catch (InvalidTokenException $e) {
+                       return new JSONResponse([], Http::STATUS_NOT_FOUND);
+               }
+
                $token->setScope([
                        'filesystem' => $scope['filesystem']
                ]);
index 5c1280ff4b00a01b9bc9d6bf35f9142c88324f77..461b32b7a4864a255e807767ab2dc1d120c58c69 100644 (file)
@@ -211,6 +211,10 @@ class AuthSettingsControllerTest extends TestCase {
                        ->with($this->equalTo(42))
                        ->willReturn($token);
 
+               $token->expects($this->once())
+                       ->method('getUID')
+                       ->willReturn('jane');
+
                $token->expects($this->once())
                        ->method('setScope')
                        ->with($this->equalTo([
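Review bot: The `->with($this->equalTo(42))` expectation above the added `getUID` stub still matches after the controller starts passing `(string)$id`, because `equalTo` compares loosely; `->with($this->identicalTo('42'))` would pin the cast the production change introduces, and the same `equalTo(42)` appears in both new tests in the following hunk. The `'jane'` return value presumably equals the uid the controller is built with in setUp, which is outside this hunk, so a reader of the test cannot see why this path is the owner case; a one-line comment such as `// same uid as the controller under test -> owner path` would make that explicit. The enclosing test method starts and ends outside the hunk.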
@@ -224,4 +228,40 @@ class AuthSettingsControllerTest extends TestCase {
                $this->assertSame([], $this->controller->update(42, ['filesystem' => true]));
        }
 
+       public function testUpdateTokenWrongUser() {
+               $token = $this->createMock(DefaultToken::class);
+
+               $this->tokenProvider->expects($this->once())
+                       ->method('getTokenById')
+                       ->with($this->equalTo(42))
+                       ->willReturn($token);
+
+               $token->expects($this->once())
+                       ->method('getUID')
+                       ->willReturn('foobar');
+
+               $token->expects($this->never())
+                       ->method('setScope');
+               $this->tokenProvider->expects($this->never())
+                       ->method('updateToken');
+
+               $response = $this->controller->update(42, ['filesystem' => true]);
+               $this->assertSame([], $response->getData());
+               $this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus());
+       }
+
+       public function testUpdateTokenNonExisting() {
+               $this->tokenProvider->expects($this->once())
+                       ->method('getTokenById')
+                       ->with($this->equalTo(42))
+                       ->willThrowException(new InvalidTokenException('Token does not exist'));
+
+               $this->tokenProvider->expects($this->never())
+                       ->method('updateToken');
+
+               $response = $this->controller->update(42, ['filesystem' => true]);
+               $this->assertSame([], $response->getData());
+               $this->assertSame(\OCP\AppFramework\Http::STATUS_NOT_FOUND, $response->getStatus());
+       }
+
 }
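Review bot: Both new tests call `$response->getData()` without first asserting the type, so if `update()` regressed to returning an array on these paths the failure would be a fatal "call to a member function on array" rather than an assertion; adding `$this->assertInstanceOf(JSONResponse::class, $response);` before `getData()` in `testUpdateTokenWrongUser` and `testUpdateTokenNonExisting` gives a clear failure. The fully qualified `\OCP\AppFramework\Http::STATUS_NOT_FOUND` could use an imported `Http::STATUS_NOT_FOUND` for consistency with the controller hunk, assuming the test file's `use` block (outside this hunk) can take it. `testUpdateTokenWrongUser` relies on `'foobar'` differing from the uid set in setUp, which is not visible here; a short comment naming that assumption would help.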