author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2021-05-18 09:28:48 +0200 |
committer | GitHub <noreply@github.com> | 2021-05-18 09:28:48 +0200 |
commit | e008b7915e83c07cdc9c4ad89b1498d4857786a3 (patch) | |
tree | d33870a1912f6d66cf637c640b00235a287968bf /apps | |
parent | 83330b8c4ca27b094b4a262dde261a0b767b3f9c (diff) | |
parent | 4a2775a442571dec304b1bb2cb53df681c5dde0b (diff) | |
Merge pull request #27000 from nextcloud/enh/apptoken/check_apptoken
Harden apptoken check
Diffstat (limited to 'apps')
-rw-r--r-- | apps/settings/lib/Controller/AuthSettingsController.php | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
index 9535b3bec67..11e1be7fd47 100644
--- a/apps/settings/lib/Controller/AuthSettingsController.php
+++ b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -121,6 +121,10 @@ class AuthSettingsController extends Controller {
 	 * @return JSONResponse
 	 */
 	public function create($name) {
+		if ($this->checkAppToken()) {
+			return $this->getServiceNotAvailableResponse();
+		}
+
 		try {
 			$sessionId = $this->session->getId();
 		} catch (SessionNotAvailableException $ex) {
@@ -181,6 +185,10 @@ class AuthSettingsController extends Controller {
 		return implode('-', $groups);
 	}
 
+	private function checkAppToken(): bool {
+		return $this->session->exists('app_password');
+	}
+
 	/**
 	 * @NoAdminRequired
 	 * @NoSubAdminRequired
@@ -189,6 +197,10 @@ class AuthSettingsController extends Controller {
 	 * @return array|JSONResponse
 	 */
 	public function destroy($id) {
+		if ($this->checkAppToken()) {
+			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+		}
+
 		try {
 			$token = $this->findTokenByIdAndUser($id);
 		} catch (WipeTokenException $e) {
@@ -213,6 +225,10 @@ class AuthSettingsController extends Controller {
 	 * @return array|JSONResponse
 	 */
 	public function update($id, array $scope, string $name) {
+		if ($this->checkAppToken()) {
+			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+		}
+
 		try {
 			$token = $this->findTokenByIdAndUser($id);
 		} catch (InvalidTokenException $e) {
@@ -286,6 +302,10 @@ class AuthSettingsController extends Controller {
 	 * @throws \OC\Authentication\Exceptions\ExpiredTokenException
 	 */
 	public function wipe(int $id): JSONResponse {
+		if ($this->checkAppToken()) {
+			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+		}
+
 		try {
 			$token = $this->findTokenByIdAndUser($id);
 		} catch (InvalidTokenException $e) {
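Review bot: The guard added at the top of `create()` answers with `getServiceNotAvailableResponse()` (a 503), while the identical guard in `destroy()`, `update()` and `wipe()` in this same patch answers with `Http::STATUS_BAD_REQUEST`, so the same policy decision yields two different status codes depending on the endpoint. A 503 is conventionally treated as a transient, retryable condition by clients, which is the wrong signal for "this session is not allowed to mint tokens"; `Http::STATUS_FORBIDDEN` expresses the actual reason and keeps the four guards uniform: `return new JSONResponse([], Http::STATUS_FORBIDDEN);`. `getServiceNotAvailableResponse()` is not defined in this hunk, so I am assuming it is the inherited Controller helper and not something that sets a distinct status. The body of `create()` continues past the end of the hunk.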
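Review bot: `checkAppToken()` returns true when the session *was* authenticated with an app password, i.e. when the caller must be refused, so the call sites `if ($this->checkAppToken()) { return ...; }` read as "if the check passes, bail out", the opposite of what a reader expects from a method named check*. A name that states the predicate, such as `isAppPasswordSession()`, or at minimum a docblock on the new method, would remove the ambiguity: `/** True when the current session was authenticated with an app password; such sessions must not create, modify or revoke other tokens. */`. The method only consults the `app_password` session key; where and when that key is written is outside this diff, so the hardening is only as strong as every login path that sets it, which is worth stating in the docblock as the assumption it is.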
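Review bot: In `destroy()` the rejection is `Http::STATUS_BAD_REQUEST`, but the request itself is well-formed; what is missing is authorization for the session, which is `Http::STATUS_FORBIDDEN`, and a 400 also makes it hard for a client or a log reviewer to tell a malformed token id from a refused app-password session. The same three-line guard is now copied into four methods; folding the response into the helper, e.g. `private function rejectAppPasswordSession(): ?JSONResponse` returning the `JSONResponse` or null, would let each method do `if (($denied = $this->rejectAppPasswordSession()) !== null) { return $denied; }` and keep the status code in exactly one place. The `try` block that follows the guard continues beyond the hunk.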