From c9a2790893a160a5967a672051e15142fe5f779e Mon Sep 17 00:00:00 2001
From: Christoph Wurst <christoph@owncloud.com>
Date: Mon, 27 Jun 2016 15:23:52 +0200
Subject: prevent users from deleting their own session token

---
 settings/Controller/AuthSettingsController.php | 37 +++++++++++++++++++++-----
 settings/js/authtoken_view.js                  |  4 +++
 2 files changed, 34 insertions(+), 7 deletions(-)


diff --git a/settings/Controller/AuthSettingsController.php b/settings/Controller/AuthSettingsController.php
index db2db6e5bfc..e7fc2d916bc 100644
--- a/settings/Controller/AuthSettingsController.php
+++ b/settings/Controller/AuthSettingsController.php
@@ -81,7 +81,28 @@ class AuthSettingsController extends Controller {
 		if (is_null($user)) {
 			return [];
 		}
-		return $this->tokenProvider->getTokenByUser($user);
+		$tokens = $this->tokenProvider->getTokenByUser($user);
+		
+		try {
+			$sessionId = $this->session->getId();
+		} catch (SessionNotAvailableException $ex) {
+			return $this->getServiceNotAvailableResponse();
+		}
+		try {
+			$sessionToken = $this->tokenProvider->getToken($sessionId);
+		} catch (InvalidTokenException $ex) {
+			return $this->getServiceNotAvailableResponse();
+		}
+
+		return array_map(function(IToken $token) use ($sessionToken) {
+			$data = $token->jsonSerialize();
+			if ($sessionToken->getId() === $token->getId()) {
+				$data['canDelete'] = false;
+			} else {
+				$data['canDelete'] = true;
+			}
+			return $data;
+		}, $tokens);
 	}
 
 	/**
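Review bot: The `canDelete` flag computed in the array_map callback only drives the template in settings/js/authtoken_view.js, so the destroy handler, which is not in this diff, still has to refuse to invalidate the token whose id equals the current session token's; hiding the button is presentation, not enforcement, and a direct request with that id would otherwise still log the user out. The if/else can be one expression, `$data['canDelete'] = $sessionToken->getId() !== $token->getId();`. The method starts before the hunk; if its docblock still declares `@return IToken[]`, it should now say each element is the token's `jsonSerialize()` array plus a `canDelete` key, and that a 503 JSONResponse is returned when the session or its token cannot be resolved. The added line after `$tokens = ...` is whitespace-only and should be blank.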
@@ -94,9 +115,7 @@ class AuthSettingsController extends Controller {
 		try {
 			$sessionId = $this->session->getId();
 		} catch (SessionNotAvailableException $ex) {
-			$resp = new JSONResponse();
-			$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
-			return $resp;
+			return $this->getServiceNotAvailableResponse();
 		}
 
 		try {
@@ -108,9 +127,7 @@ class AuthSettingsController extends Controller {
 				$password = null;
 			}
 		} catch (InvalidTokenException $ex) {
-			$resp = new JSONResponse();
-			$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
-			return $resp;
+			return $this->getServiceNotAvailableResponse();
 		}
 
 		$token = $this->generateRandomDeviceToken();
@@ -123,6 +140,12 @@ class AuthSettingsController extends Controller {
 		];
 	}
 
+	private function getServiceNotAvailableResponse() {
+		$resp = new JSONResponse();
+		$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
+		return $resp;
+	}
+
 	/**
 	 * Return a 20 digit device password
 	 *
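Review bot: The new private `getServiceNotAvailableResponse()` has no docblock, while the neighbouring `generateRandomDeviceToken()` documents its return; add `/** @return JSONResponse empty response with status 503 (service unavailable) */` above it. If the project's minimum PHP version permits return type declarations, `: JSONResponse` on the signature would make the contract explicit as well.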
diff --git a/settings/js/authtoken_view.js b/settings/js/authtoken_view.js
index 01fc1b2ea34..472b841c230 100644
--- a/settings/js/authtoken_view.js
+++ b/settings/js/authtoken_view.js
@@ -29,7 +29,11 @@
 		'<tr data-id="{{id}}">'
 		+ '<td class="has-tooltip" title="{{name}}"><span class="token-name">{{name}}</span></td>'
 		+ '<td><span class="last-activity has-tooltip" title="{{lastActivityTime}}">{{lastActivity}}</span></td>'
+		+ '{{#if canDelete}}'
 		+ '<td><a class="icon-delete has-tooltip" title="' + t('core', 'Disconnect') + '"></a></td>'
+		+ '{{else}}'
+		+ '<td></td>'
+		+ '{{/if}}'
 		+ '<tr>';
 
 	var SubView = OC.Backbone.View.extend({
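Review bot: The row template still ends with `'<tr>'` instead of `'</tr>'`, so every rendered row opens a second unclosed `<tr>`; browsers tolerate it, but since this hunk makes the row markup conditional it is the right moment to change the last template line to `+ '</tr>';`. The empty `<td></td>` in the `{{else}}` branch keeps the column count stable, which is fine; a short comment above the template stating that `canDelete` is supplied by the server and is false for the current session's token would help the next reader understand why the cell is sometimes empty.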
-- 