Disable app token creation for impersonated people, ref #15539

Signed-off-by: Greta Doci <gretadoci@gmail.com>

apps/files_external/lib/Migration/DummyUserSession.php

@@ -50,4 +50,24 @@ class DummyUserSession implements IUserSession {
 	public function isLoggedIn() {
 		return !is_null($this->user);
 	}
+
+	/**
+	 * get getImpersonatingUserID
+	 *
+	 * @return string|null
+	 * @since 17.0.0
+	 */
+	public function getImpersonatingUserID() : ?string {
+		return null;
+	}
+
+	/**
+	 * set setImpersonatingUserID
+	 *
+	 * @since 17.0.0
+	 */
+	public function setImpersonatingUserID(bool $useCurrentUser = true): void {
+		//no OP
+	}
+
 }

lib/private/User/Session.php

@@ -314,6 +314,29 @@ class Session implements IUserSession, Emitter {
 		return null;
 	}
 
+	/**
+	 * @return mixed
+	 */
+	public function getImpersonatingUserID(): ?string {
+
+		return $this->session->get('oldUserId');
+
+	}
+
+	public function setImpersonatingUserID(bool $useCurrentUser = true): void {
+		if ($useCurrentUser === false) {
+			$this->session->remove('oldUserId');
+			return;
+		}
+
+		$currentUser = $this->getUser();
+
+		if ($currentUser === null) {
+			throw new \OC\User\NoUserException();
+		}
+		$this->session->set('oldUserId', $currentUser->getUID());
+
+	}
 	/**
 	 * set the token id
 	 *

lib/public/IUserSession.php

@@ -42,6 +42,7 @@ namespace OCP;
 interface IUserSession {
 	/**
 	 * Do a user login
+	 *
 	 * @param string $user the username
 	 * @param string $password the password
 	 * @return bool true if successful
@@ -52,6 +53,7 @@ interface IUserSession {
 	/**
 	 * Logs the user out including all the session data
 	 * Logout, destroys session
+	 *
 	 * @return void
 	 * @since 6.0.0
 	 */
@@ -80,4 +82,19 @@ interface IUserSession {
 	 * @since 8.0.0
 	 */
 	public function isLoggedIn();
+
+	/**
+	 * get getImpersonatingUserID
+	 *
+	 * @return string|null
+	 * @since 18.0.0
+	 */
+	public function getImpersonatingUserID(): ?string;
+
+	/**
+	 * set setImpersonatingUserID
+	 *
+	 * @since 18.0.0
+	 */
+	public function setImpersonatingUserID(bool $useCurrentUser = true): void;
 }

settings/Controller/AuthSettingsController.php

@@ -44,6 +44,7 @@ use OCP\AppFramework\Http\JSONResponse;
 use OCP\ILogger;
 use OCP\IRequest;
 use OCP\ISession;
+use OCP\IUserSession;
 use OCP\Security\ISecureRandom;
 use OCP\Session\Exceptions\SessionNotAvailableException;
 
@@ -55,6 +56,9 @@ class AuthSettingsController extends Controller {
 	/** @var ISession */
 	private $session;
 
+	/** IUserSession */
+	private  $userSession;
+
 	/** @var string */
 	private $uid;
 
@@ -77,6 +81,7 @@ class AuthSettingsController extends Controller {
 	 * @param ISession $session
 	 * @param ISecureRandom $random
 	 * @param string|null $userId
+	 * @param IUserSession $userSession
 	 * @param IManager $activityManager
 	 * @param RemoteWipe $remoteWipe
 	 * @param ILogger $logger
@@ -87,12 +92,14 @@ class AuthSettingsController extends Controller {
 								ISession $session,
 								ISecureRandom $random,
 								?string $userId,
+								IUserSession $userSession,
 								IManager $activityManager,
 								RemoteWipe $remoteWipe,
 								ILogger $logger) {
 		parent::__construct($appName, $request);
 		$this->tokenProvider = $tokenProvider;
 		$this->uid = $userId;
+		$this->userSession = $userSession;
 		$this->session = $session;
 		$this->random = $random;
 		$this->activityManager = $activityManager;
@@ -114,6 +121,10 @@ class AuthSettingsController extends Controller {
 		} catch (SessionNotAvailableException $ex) {
 			return $this->getServiceNotAvailableResponse();
 		}
+		if ($this->userSession->getImpersonatingUserID() !== null)
+		{
+			return $this->getServiceNotAvailableResponse();
+		}
 
 		try {
 			$sessionToken = $this->tokenProvider->getToken($sessionId);

settings/Settings/Personal/Security.php

@@ -80,11 +80,18 @@ class Security implements ISettings {
 			$passwordChangeSupported = $user->canChangePassword();
 		}
 
+		$this->initialStateService->provideInitialState(
+			'settings',
+			'can_create_app_token',
+			$this->userSession->getImpersonatingUserID() !== null
+		);
+
 		return new TemplateResponse('settings', 'settings/personal/security', [
 			'passwordChangeSupported' => $passwordChangeSupported,
 			'twoFactorProviderData' => $this->getTwoFactorProviderData(),
 			'themedark' => $this->config->getUserValue($this->uid, 'accessibility', 'theme', false)
 		]);
+
 	}
 
 	public function getSection(): string {

settings/src/components/AuthTokenSection.vue

@@ -28,7 +28,7 @@
 					   @rename="rename"
 					   @delete="deleteToken"
 					   @wipe="wipeToken" />
-		<AuthTokenSetupDialogue :add="addNewToken" />
+		<AuthTokenSetupDialogue v-if="canCreateToken" :add="addNewToken" />
 	</div>
 </template>
 
@@ -63,7 +63,7 @@
 		props: {
 			tokens: {
 				type: Array,
-				requried: true,
+				required: true,
 			},
 		},
 		components: {

settings/src/main-personal-security.js

@@ -35,5 +35,6 @@ const View = Vue.extend(AuthTokenSection);
 new View({
 	propsData: {
 		tokens: OCP.InitialState.loadState('settings', 'app_tokens'),
+		canCreateToken: OCP.InitialState.loadState('settings', 'can_create_app_token'),
 	}
 }).$mount('#security-authtokens');