Merge pull request #25276 from owncloud/delete-own-session-token

prevent users from deleting their own session token

2 files changed, 34 insertions, 7 deletions

diff --git a/settings/Controller/AuthSettingsController.php b/settings/Controller/AuthSettingsController.php
index db2db6e5bfc..e7fc2d916bc 100644
--- a/settings/Controller/AuthSettingsController.php
+++ b/settings/Controller/AuthSettingsController.php
@@ -81,7 +81,28 @@ class AuthSettingsController extends Controller {
 		if (is_null($user)) {
 			return [];
 		}
-		return $this->tokenProvider->getTokenByUser($user);
+		$tokens = $this->tokenProvider->getTokenByUser($user);
+		
+		try {
+			$sessionId = $this->session->getId();
+		} catch (SessionNotAvailableException $ex) {
+			return $this->getServiceNotAvailableResponse();
+		}
+		try {
+			$sessionToken = $this->tokenProvider->getToken($sessionId);
+		} catch (InvalidTokenException $ex) {
+			return $this->getServiceNotAvailableResponse();
+		}
+
+		return array_map(function(IToken $token) use ($sessionToken) {
+			$data = $token->jsonSerialize();
+			if ($sessionToken->getId() === $token->getId()) {
+				$data['canDelete'] = false;
+			} else {
+				$data['canDelete'] = true;
+			}
+			return $data;
+		}, $tokens);
 	}
 
 	/**
@@ -94,9 +115,7 @@ class AuthSettingsController extends Controller {
 		try {
 			$sessionId = $this->session->getId();
 		} catch (SessionNotAvailableException $ex) {
-			$resp = new JSONResponse();
-			$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
-			return $resp;
+			return $this->getServiceNotAvailableResponse();
 		}
 
 		try {
@@ -108,9 +127,7 @@ class AuthSettingsController extends Controller {
 				$password = null;
 			}
 		} catch (InvalidTokenException $ex) {
-			$resp = new JSONResponse();
-			$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
-			return $resp;
+			return $this->getServiceNotAvailableResponse();
 		}
 
 		$token = $this->generateRandomDeviceToken();
@@ -123,6 +140,12 @@ class AuthSettingsController extends Controller {
 		];
 	}
 
+	private function getServiceNotAvailableResponse() {
+		$resp = new JSONResponse();
+		$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
+		return $resp;
+	}
+
 	/**
 	 * Return a 20 digit device password
 	 *
diff --git a/settings/js/authtoken_view.js b/settings/js/authtoken_view.js
index 01fc1b2ea34..472b841c230 100644
--- a/settings/js/authtoken_view.js
+++ b/settings/js/authtoken_view.js
@@ -29,7 +29,11 @@
 		'<tr data-id="{{id}}">'
 		+ '<td class="has-tooltip" title="{{name}}"><span class="token-name">{{name}}</span></td>'
 		+ '<td><span class="last-activity has-tooltip" title="{{lastActivityTime}}">{{lastActivity}}</span></td>'
+		+ '{{#if canDelete}}'
 		+ '<td><a class="icon-delete has-tooltip" title="' + t('core', 'Disconnect') + '"></a></td>'
+		+ '{{else}}'
+		+ '<td></td>'
+		+ '{{/if}}'
 		+ '<tr>';
 
 	var SubView = OC.Backbone.View.extend({