Merge pull request #25276 from owncloud/delete-own-session-token
prevent users from deleting their own session token
This commit is contained in:
commit
6f92aef265
|
@ -81,7 +81,28 @@ class AuthSettingsController extends Controller {
|
|||
if (is_null($user)) {
|
||||
return [];
|
||||
}
|
||||
return $this->tokenProvider->getTokenByUser($user);
|
||||
$tokens = $this->tokenProvider->getTokenByUser($user);
|
||||
|
||||
try {
|
||||
$sessionId = $this->session->getId();
|
||||
} catch (SessionNotAvailableException $ex) {
|
||||
return $this->getServiceNotAvailableResponse();
|
||||
}
|
||||
try {
|
||||
$sessionToken = $this->tokenProvider->getToken($sessionId);
|
||||
} catch (InvalidTokenException $ex) {
|
||||
return $this->getServiceNotAvailableResponse();
|
||||
}
|
||||
|
||||
return array_map(function(IToken $token) use ($sessionToken) {
|
||||
$data = $token->jsonSerialize();
|
||||
if ($sessionToken->getId() === $token->getId()) {
|
||||
$data['canDelete'] = false;
|
||||
} else {
|
||||
$data['canDelete'] = true;
|
||||
}
|
||||
return $data;
|
||||
}, $tokens);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -94,9 +115,7 @@ class AuthSettingsController extends Controller {
|
|||
try {
|
||||
$sessionId = $this->session->getId();
|
||||
} catch (SessionNotAvailableException $ex) {
|
||||
$resp = new JSONResponse();
|
||||
$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
|
||||
return $resp;
|
||||
return $this->getServiceNotAvailableResponse();
|
||||
}
|
||||
|
||||
try {
|
||||
|
@ -108,9 +127,7 @@ class AuthSettingsController extends Controller {
|
|||
$password = null;
|
||||
}
|
||||
} catch (InvalidTokenException $ex) {
|
||||
$resp = new JSONResponse();
|
||||
$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
|
||||
return $resp;
|
||||
return $this->getServiceNotAvailableResponse();
|
||||
}
|
||||
|
||||
$token = $this->generateRandomDeviceToken();
|
||||
|
@ -123,6 +140,12 @@ class AuthSettingsController extends Controller {
|
|||
];
|
||||
}
|
||||
|
||||
private function getServiceNotAvailableResponse() {
|
||||
$resp = new JSONResponse();
|
||||
$resp->setStatus(Http::STATUS_SERVICE_UNAVAILABLE);
|
||||
return $resp;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return a 20 digit device password
|
||||
*
|
||||
|
|
|
@ -29,7 +29,11 @@
|
|||
'<tr data-id="{{id}}">'
|
||||
+ '<td class="has-tooltip" title="{{name}}"><span class="token-name">{{name}}</span></td>'
|
||||
+ '<td><span class="last-activity has-tooltip" title="{{lastActivityTime}}">{{lastActivity}}</span></td>'
|
||||
+ '{{#if canDelete}}'
|
||||
+ '<td><a class="icon-delete has-tooltip" title="' + t('core', 'Disconnect') + '"></a></td>'
|
||||
+ '{{else}}'
|
||||
+ '<td></td>'
|
||||
+ '{{/if}}'
|
||||
+ '<tr>';
|
||||
|
||||
var SubView = OC.Backbone.View.extend({
|
||||
|
|
|
@ -24,6 +24,7 @@ namespace Test\Settings\Controller;
|
|||
|
||||
use OC\AppFramework\Http;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Token\DefaultToken;
|
||||
use OC\Authentication\Token\IToken;
|
||||
use OC\Settings\Controller\AuthSettingsController;
|
||||
use OCP\AppFramework\Http\JSONResponse;
|
||||
|
@ -56,10 +57,17 @@ class AuthSettingsControllerTest extends TestCase {
|
|||
}
|
||||
|
||||
public function testIndex() {
|
||||
$result = [
|
||||
'token1',
|
||||
'token2',
|
||||
$token1 = new DefaultToken();
|
||||
$token1->setId(100);
|
||||
$token2 = new DefaultToken();
|
||||
$token2->setId(200);
|
||||
$tokens = [
|
||||
$token1,
|
||||
$token2,
|
||||
];
|
||||
$sessionToken = new DefaultToken();
|
||||
$sessionToken->setId(100);
|
||||
|
||||
$this->userManager->expects($this->once())
|
||||
->method('get')
|
||||
->with($this->uid)
|
||||
|
@ -67,9 +75,31 @@ class AuthSettingsControllerTest extends TestCase {
|
|||
$this->tokenProvider->expects($this->once())
|
||||
->method('getTokenByUser')
|
||||
->with($this->user)
|
||||
->will($this->returnValue($result));
|
||||
->will($this->returnValue($tokens));
|
||||
$this->session->expects($this->once())
|
||||
->method('getId')
|
||||
->will($this->returnValue('session123'));
|
||||
$this->tokenProvider->expects($this->once())
|
||||
->method('getToken')
|
||||
->with('session123')
|
||||
->will($this->returnValue($sessionToken));
|
||||
|
||||
$this->assertEquals($result, $this->controller->index());
|
||||
$this->assertEquals([
|
||||
[
|
||||
'id' => 100,
|
||||
'name' => null,
|
||||
'lastActivity' => null,
|
||||
'type' => null,
|
||||
'canDelete' => false,
|
||||
],
|
||||
[
|
||||
'id' => 200,
|
||||
'name' => null,
|
||||
'lastActivity' => null,
|
||||
'type' => null,
|
||||
'canDelete' => true,
|
||||
]
|
||||
], $this->controller->index());
|
||||
}
|
||||
|
||||
public function testCreate() {
|
||||
|
@ -107,6 +137,7 @@ class AuthSettingsControllerTest extends TestCase {
|
|||
$expected = [
|
||||
'token' => $newToken,
|
||||
'deviceToken' => $deviceToken,
|
||||
'loginName' => 'User13',
|
||||
];
|
||||
$this->assertEquals($expected, $this->controller->create($name));
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue