authorGreta Doci <gretadoci@gmail.com>2019-06-12 14:26:01 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2019-09-15 12:04:27 +0200
commit0a874c51af8dd6652c694f0545489af23d53771a (patch)
tree6781c94e2bb54cf4392ae826abf08086ff277321
parentd231fc9843b117c3361ce0b4e030d55c59607005 (diff)
downloadnextcloud-server-0a874c51af8dd6652c694f0545489af23d53771a.tar.gz
nextcloud-server-0a874c51af8dd6652c694f0545489af23d53771a.zip
Disable app token creation for impersonated people, ref #15539
Signed-off-by: Greta Doci <gretadoci@gmail.com>
-rw-r--r--apps/files_external/lib/Migration/DummyUserSession.php20
-rw-r--r--lib/private/User/Session.php23
-rw-r--r--lib/public/IUserSession.php17
-rw-r--r--settings/Controller/AuthSettingsController.php11
-rw-r--r--settings/Settings/Personal/Security.php7
-rw-r--r--settings/src/components/AuthTokenSection.vue4
-rw-r--r--settings/src/main-personal-security.js1
7 files changed, 81 insertions, 2 deletions
diff --git a/apps/files_external/lib/Migration/DummyUserSession.php b/apps/files_external/lib/Migration/DummyUserSession.php
index 004ca019eb0..0cc726d35b9 100644
--- a/apps/files_external/lib/Migration/DummyUserSession.php
+++ b/apps/files_external/lib/Migration/DummyUserSession.php
@@ -50,4 +50,24 @@ class DummyUserSession implements IUserSession {
public function isLoggedIn() {
return !is_null($this->user);
}
+
+ /**
+ * get getImpersonatingUserID
+ *
+ * @return string|null
+ * @since 17.0.0
+ */
+ public function getImpersonatingUserID() : ?string {
+ return null;
+ }
+
+ /**
+ * set setImpersonatingUserID
+ *
+ * @since 17.0.0
+ */
+ public function setImpersonatingUserID(bool $useCurrentUser = true): void {
+ //no OP
+ }
+
}
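Review bot: The docblocks on both new methods are placeholders (`get getImpersonatingUserID`, `set setImpersonatingUserID`) and carry `@since 17.0.0`, while the same methods in the IUserSession hunk of this commit carry `@since 18.0.0`; the placeholder wording is repeated in that interface hunk too. For this dummy implementation the comment should say what the code does, e.g. `The migration dummy session is never impersonated; always returns null.` on the getter and `No-op: the dummy session cannot record an impersonator.` on the setter. The `@since` tag should match the release the interface method is introduced in, whichever of the two values is correct.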
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 13519d97ef4..ba909c81053 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -315,6 +315,29 @@ class Session implements IUserSession, Emitter {
}
/**
+ * @return mixed
+ */
+ public function getImpersonatingUserID(): ?string {
+
+ return $this->session->get('oldUserId');
+
+ }
+
+ public function setImpersonatingUserID(bool $useCurrentUser = true): void {
+ if ($useCurrentUser === false) {
+ $this->session->remove('oldUserId');
+ return;
+ }
+
+ $currentUser = $this->getUser();
+
+ if ($currentUser === null) {
+ throw new \OC\User\NoUserException();
+ }
+ $this->session->set('oldUserId', $currentUser->getUID());
+
+ }
+ /**
* set the token id
*
* @param int|null $token that was used to log in
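Review bot: The docblock on `getImpersonatingUserID` says `@return mixed` while the signature declares `?string`; `$this->session->get('oldUserId')` returns whatever was stored, so the declared type only holds because `setImpersonatingUserID` stores `$currentUser->getUID()`. Suggest `/** @return string|null UID of the user who started the impersonation, or null when the session is not impersonated */`, plus a docblock on `setImpersonatingUserID` stating that `false` clears the marker and `true` records the current user (it has none here). The `'oldUserId'` key is spelled out three times across the two methods; a `private const IMPERSONATING_USER_KEY = 'oldUserId';` would keep them in sync with whatever else reads or writes that key, presumably the impersonation flow itself. The blank lines directly after the opening brace and before the closing brace of both methods are not in the file's style.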
diff --git a/lib/public/IUserSession.php b/lib/public/IUserSession.php
index d7bf5f9a385..b3c470e5be5 100644
--- a/lib/public/IUserSession.php
+++ b/lib/public/IUserSession.php
@@ -42,6 +42,7 @@ namespace OCP;
interface IUserSession {
/**
* Do a user login
+ *
* @param string $user the username
* @param string $password the password
* @return bool true if successful
@@ -52,6 +53,7 @@ interface IUserSession {
/**
* Logs the user out including all the session data
* Logout, destroys session
+ *
* @return void
* @since 6.0.0
*/
@@ -80,4 +82,19 @@ interface IUserSession {
* @since 8.0.0
*/
public function isLoggedIn();
+
+ /**
+ * get getImpersonatingUserID
+ *
+ * @return string|null
+ * @since 18.0.0
+ */
+ public function getImpersonatingUserID(): ?string;
+
+ /**
+ * set setImpersonatingUserID
+ *
+ * @since 18.0.0
+ */
+ public function setImpersonatingUserID(bool $useCurrentUser = true): void;
}
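Review bot: The interface docblock on `setImpersonatingUserID` does not state what the boolean means, and consumers of a public API see only this file; the Session implementation in this commit clears the marker on `false` and records the current user on `true`. Suggest `@param bool $useCurrentUser true to record the current user as the impersonator, false to clear the impersonation marker` together with a one-line description, and on `getImpersonatingUserID` a `@return string|null UID of the impersonating user, or null when the session is not impersonated`. The `@throws` case (the implementation throws when no user is logged in and `true` is passed) is also worth stating on the interface if that is intended as part of the contract.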
diff --git a/settings/Controller/AuthSettingsController.php b/settings/Controller/AuthSettingsController.php
index da9414dcb10..7582f1287b9 100644
--- a/settings/Controller/AuthSettingsController.php
+++ b/settings/Controller/AuthSettingsController.php
@@ -44,6 +44,7 @@ use OCP\AppFramework\Http\JSONResponse;
use OCP\ILogger;
use OCP\IRequest;
use OCP\ISession;
+use OCP\IUserSession;
use OCP\Security\ISecureRandom;
use OCP\Session\Exceptions\SessionNotAvailableException;
@@ -55,6 +56,9 @@ class AuthSettingsController extends Controller {
/** @var ISession */
private $session;
+ /** IUserSession */
+ private $userSession;
+
/** @var string */
private $uid;
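Review bot: The new property docblock `/** IUserSession */` lacks the `@var` tag that the neighbouring `/** @var ISession */` uses, so static analysis and IDEs will not pick up the type; change it to `/** @var IUserSession */`. Nothing else in the hunk needs to change, the constructor assigns the property later in this commit.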
@@ -77,6 +81,7 @@ class AuthSettingsController extends Controller {
* @param ISession $session
* @param ISecureRandom $random
* @param string|null $userId
+ * @param IUserSession $userSession
* @param IManager $activityManager
* @param RemoteWipe $remoteWipe
* @param ILogger $logger
@@ -87,12 +92,14 @@ class AuthSettingsController extends Controller {
ISession $session,
ISecureRandom $random,
?string $userId,
+ IUserSession $userSession,
IManager $activityManager,
RemoteWipe $remoteWipe,
ILogger $logger) {
parent::__construct($appName, $request);
$this->tokenProvider = $tokenProvider;
$this->uid = $userId;
+ $this->userSession = $userSession;
$this->session = $session;
$this->random = $random;
$this->activityManager = $activityManager;
@@ -114,6 +121,10 @@ class AuthSettingsController extends Controller {
} catch (SessionNotAvailableException $ex) {
return $this->getServiceNotAvailableResponse();
}
+ if ($this->userSession->getImpersonatingUserID() !== null)
+ {
+ return $this->getServiceNotAvailableResponse();
+ }
try {
$sessionToken = $this->tokenProvider->getToken($sessionId);
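Review bot: The impersonation guard added before the `try` answers with `getServiceNotAvailableResponse()`, which reports the refusal as a server-side outage; denying app-token creation to an impersonated session is an authorization decision, so a 403 (`return new JSONResponse([], Http::STATUS_FORBIDDEN);`, given `JSONResponse` is already imported and assuming `OCP\AppFramework\Http` is in scope) would describe it accurately and let callers tell it apart from the session-unavailable case handled just above. The `if` opening brace should stay on the condition line per the file's style: `if ($this->userSession->getImpersonatingUserID() !== null) {`. The guard also runs after the session id has been looked up; placing it at the top of the method avoids the token-provider lookup for a request that is refused anyway. This is the real server-side control for the feature, so it is the right place for the check; the enclosing method begins outside this hunk.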
diff --git a/settings/Settings/Personal/Security.php b/settings/Settings/Personal/Security.php
index 29c161f9da7..1d40377f184 100644
--- a/settings/Settings/Personal/Security.php
+++ b/settings/Settings/Personal/Security.php
@@ -80,11 +80,18 @@ class Security implements ISettings {
$passwordChangeSupported = $user->canChangePassword();
}
+ $this->initialStateService->provideInitialState(
+ 'settings',
+ 'can_create_app_token',
+ $this->userSession->getImpersonatingUserID() !== null
+ );
+
return new TemplateResponse('settings', 'settings/personal/security', [
'passwordChangeSupported' => $passwordChangeSupported,
'twoFactorProviderData' => $this->getTwoFactorProviderData(),
'themedark' => $this->config->getUserValue($this->uid, 'accessibility', 'theme', false)
]);
+
}
public function getSection(): string {
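Review bot: The initial-state flag is inverted: `can_create_app_token` is set to `$this->userSession->getImpersonatingUserID() !== null`, which is true exactly while an impersonation is active, so the Vue side's `v-if="canCreateToken"` would show the setup dialogue to impersonated sessions and hide it from everyone else. It should read `$this->userSession->getImpersonatingUserID() === null`. This flag only drives the UI; the refusal in AuthSettingsController remains the enforced control, so the inversion is a usability defect rather than a bypass. The hunk adds no `$userSession` property or constructor argument to this class, so one presumably exists already — worth confirming. The trailing blank line before the closing brace can go.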
diff --git a/settings/src/components/AuthTokenSection.vue b/settings/src/components/AuthTokenSection.vue
index c74348631db..7ddca568590 100644
--- a/settings/src/components/AuthTokenSection.vue
+++ b/settings/src/components/AuthTokenSection.vue
@@ -28,7 +28,7 @@
@rename="rename"
@delete="deleteToken"
@wipe="wipeToken" />
- <AuthTokenSetupDialogue :add="addNewToken" />
+ <AuthTokenSetupDialogue v-if="canCreateToken" :add="addNewToken" />
</div>
</template>
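Review bot: `canCreateToken` is used in the template here and passed via `propsData` in main-personal-security.js, but the `props` block in the next hunk still declares only `tokens`; a value not declared as a prop is not bound to the component instance, so the expression evaluates to undefined and the setup dialogue would never render. Declare it next to `tokens`: `canCreateToken: { type: Boolean, default: false },`. Defaulting to false keeps the dialogue hidden when the state is absent, which is the safe direction for a control the server also enforces.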
@@ -63,7 +63,7 @@
props: {
tokens: {
type: Array,
- requried: true,
+ required: true,
},
},
components: {
diff --git a/settings/src/main-personal-security.js b/settings/src/main-personal-security.js
index 2284cebea7b..9f020efd5f4 100644
--- a/settings/src/main-personal-security.js
+++ b/settings/src/main-personal-security.js
@@ -35,5 +35,6 @@ const View = Vue.extend(AuthTokenSection);
new View({
propsData: {
tokens: OCP.InitialState.loadState('settings', 'app_tokens'),
+ canCreateToken: OCP.InitialState.loadState('settings', 'can_create_app_token'),
}
}).$mount('#security-authtokens');