prevent users from deleting their own session token

author: Christoph Wurst <christoph@owncloud.com> 2016-06-27 15:23:52 +0200
committer: Christoph Wurst <christoph@owncloud.com> 2016-06-28 16:17:37 +0200
commit: c9a2790893a160a5967a672051e15142fe5f779e (patch)
tree: 07a641342fccbcada0495a6a8f99ccfe8588abf9 /settings/Controller
parent: 894b7d93f6de7229802a5d42c5e56d0f0c6ab587 (diff)
download: nextcloud-server-c9a2790893a160a5967a672051e15142fe5f779e.tar.gz
nextcloud-server-c9a2790893a160a5967a672051e15142fe5f779e.zip
1 files changed, 30 insertions, 7 deletions
diff --git a/settings/Controller/AuthSettingsController.php b/settings/Controller/AuthSettingsController.php
index db2db6e5bfc..e7fc2d916bc 100644
--- a/settings/Controller/AuthSettingsController.php
+++ b/settings/Controller/AuthSettingsController.php
@@ -81,7 +81,28 @@ class AuthSettingsController extends Controller {
 		if (is_null($user)) {
 			return [];
 		}
-		return $this->tokenProvider->getTokenByUser($user);
+		$tokens = $this->tokenProvider->getTokenByUser($user);
+		
+		try {
+			$sessionId = $this->session->getId();
+		} catch (SessionNotAvailableException $ex) {
+			return $this->getServiceNotAvailableResponse();
+		}
+		try {
+			$sessionToken = $this->tokenProvider->getToken($sessionId);
+		} catch (InvalidTokenException $ex) {
+			return $this->getServiceNotAvailableResponse();
+		}
+
+		return array_map(function(IToken $token) use ($sessionToken) {
+			$data = $token->jsonSerialize();
+			if ($sessionToken->getId() === $token->getId()) {
+				$data['canDelete'] = false;
+			} else {
+				$data['canDelete'] = true;
+			}
+			return $data;
+		}, $tokens);
 	}
 
 	/**
@@ -94,9 +115,7 @@ class AuthSettingsController extends Controller {
 		try {
 			$sessionId = $this->session->getId();
 		} catch (SessionNotAvailableException $ex) {
-			$resp = new JSONResponse();
-			$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
-			return $resp;
+			return $this->getServiceNotAvailableResponse();
 		}
 
 		try {
@@ -108,9 +127,7 @@ class AuthSettingsController extends Controller {
 				$password = null;
 			}
 		} catch (InvalidTokenException $ex) {
-			$resp = new JSONResponse();
-			$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
-			return $resp;
+			return $this->getServiceNotAvailableResponse();
 		}
 
 		$token = $this->generateRandomDeviceToken();
@@ -123,6 +140,12 @@ class AuthSettingsController extends Controller {
 		];
 	}
 
+	private function getServiceNotAvailableResponse() {
+		$resp = new JSONResponse();
+		$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
+		return $resp;
+	}
+
 	/**
 	 * Return a 20 digit device password
 	 *
author	Christoph Wurst <christoph@owncloud.com>	2016-06-27 15:23:52 +0200
committer	Christoph Wurst <christoph@owncloud.com>	2016-06-28 16:17:37 +0200
commit	c9a2790893a160a5967a672051e15142fe5f779e (patch)
tree	07a641342fccbcada0495a6a8f99ccfe8588abf9 /settings/Controller
parent	894b7d93f6de7229802a5d42c5e56d0f0c6ab587 (diff)
download	nextcloud-server-c9a2790893a160a5967a672051e15142fe5f779e.tar.gz nextcloud-server-c9a2790893a160a5967a672051e15142fe5f779e.zip