diff options
author | Christoph Wurst <christoph@owncloud.com> | 2016-06-27 15:23:52 +0200 |
---|---|---|
committer | Christoph Wurst <christoph@owncloud.com> | 2016-06-28 16:17:37 +0200 |
commit | c9a2790893a160a5967a672051e15142fe5f779e (patch) | |
tree | 07a641342fccbcada0495a6a8f99ccfe8588abf9 /settings/Controller/AuthSettingsController.php | |
parent | 894b7d93f6de7229802a5d42c5e56d0f0c6ab587 (diff) | |
download | nextcloud-server-c9a2790893a160a5967a672051e15142fe5f779e.tar.gz nextcloud-server-c9a2790893a160a5967a672051e15142fe5f779e.zip |
prevent users from deleting their own session token
Diffstat (limited to 'settings/Controller/AuthSettingsController.php')
-rw-r--r-- | settings/Controller/AuthSettingsController.php | 37 |
1 files changed, 30 insertions, 7 deletions
diff --git a/settings/Controller/AuthSettingsController.php b/settings/Controller/AuthSettingsController.php index db2db6e5bfc..e7fc2d916bc 100644 --- a/settings/Controller/AuthSettingsController.php +++ b/settings/Controller/AuthSettingsController.php @@ -81,7 +81,28 @@ class AuthSettingsController extends Controller { if (is_null($user)) { return []; } - return $this->tokenProvider->getTokenByUser($user); + $tokens = $this->tokenProvider->getTokenByUser($user); + + try { + $sessionId = $this->session->getId(); + } catch (SessionNotAvailableException $ex) { + return $this->getServiceNotAvailableResponse(); + } + try { + $sessionToken = $this->tokenProvider->getToken($sessionId); + } catch (InvalidTokenException $ex) { + return $this->getServiceNotAvailableResponse(); + } + + return array_map(function(IToken $token) use ($sessionToken) { + $data = $token->jsonSerialize(); + if ($sessionToken->getId() === $token->getId()) { + $data['canDelete'] = false; + } else { + $data['canDelete'] = true; + } + return $data; + }, $tokens); } /** @@ -94,9 +115,7 @@ class AuthSettingsController extends Controller { try { $sessionId = $this->session->getId(); } catch (SessionNotAvailableException $ex) { - $resp = new JSONResponse(); - $resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE); - return $resp; + return $this->getServiceNotAvailableResponse(); } try { @@ -108,9 +127,7 @@ class AuthSettingsController extends Controller { $password = null; } } catch (InvalidTokenException $ex) { - $resp = new JSONResponse(); - $resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE); - return $resp; + return $this->getServiceNotAvailableResponse(); } $token = $this->generateRandomDeviceToken(); @@ -123,6 +140,12 @@ class AuthSettingsController extends Controller { ]; } + private function getServiceNotAvailableResponse() { + $resp = new JSONResponse(); + $resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE); + return $resp; + } + /** * Return a 20 digit device password * |