diff options
| author | Roeland Jago Douma <roeland@famdouma.nl> | 2021-05-17 12:04:21 +0200 |
|---|---|---|
| committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2021-05-18 12:39:43 +0000 |
| commit | e3090136b832498042778f81593c6b95fa79305c (patch) | |
| tree | 2c90a576fe95ef6268faa22fea34d1c3bb44a879 /apps/settings | |
| parent | c6af693dac0d5804901c969a6a8e821dcd2efac6 (diff) | |
| download | nextcloud-server-e3090136b832498042778f81593c6b95fa79305c.tar.gz nextcloud-server-e3090136b832498042778f81593c6b95fa79305c.zip | |
Harden apptoken check
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'apps/settings')
| -rw-r--r-- | apps/settings/lib/Controller/AuthSettingsController.php | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php index 13815f95c50..566c03536ab 100644 --- a/apps/settings/lib/Controller/AuthSettingsController.php +++ b/apps/settings/lib/Controller/AuthSettingsController.php @@ -121,6 +121,10 @@ class AuthSettingsController extends Controller { * @return JSONResponse */ public function create($name) { + if ($this->checkAppToken()) { + return $this->getServiceNotAvailableResponse(); + } + try { $sessionId = $this->session->getId(); } catch (SessionNotAvailableException $ex) { @@ -181,6 +185,10 @@ class AuthSettingsController extends Controller { return implode('-', $groups); } + private function checkAppToken(): bool { + return $this->session->exists('app_password'); + } + /** * @NoAdminRequired * @NoSubAdminRequired @@ -189,6 +197,10 @@ class AuthSettingsController extends Controller { * @return array|JSONResponse */ public function destroy($id) { + if ($this->checkAppToken()) { + return new JSONResponse([], Http::STATUS_BAD_REQUEST); + } + try { $token = $this->findTokenByIdAndUser($id); } catch (WipeTokenException $e) { @@ -213,6 +225,10 @@ class AuthSettingsController extends Controller { * @return array|JSONResponse */ public function update($id, array $scope, string $name) { + if ($this->checkAppToken()) { + return new JSONResponse([], Http::STATUS_BAD_REQUEST); + } + try { $token = $this->findTokenByIdAndUser($id); } catch (InvalidTokenException $e) { @@ -287,6 +303,10 @@ class AuthSettingsController extends Controller { * @throws \OC\Authentication\Exceptions\ExpiredTokenException */ public function wipe(int $id): JSONResponse { + if ($this->checkAppToken()) { + return new JSONResponse([], Http::STATUS_BAD_REQUEST); + } + try { $token = $this->findTokenByIdAndUser($id); } catch (InvalidTokenException $e) { |