Merge pull request #27014 from nextcloud/backport/27000/stable20

[stable20] Harden apptoken check
This commit is contained in:
Roeland Jago Douma 2021-05-19 08:40:37 +02:00 committed by GitHub
commit a8d144a35b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 0 deletions

View File

@ -121,6 +121,10 @@ class AuthSettingsController extends Controller {
* @return JSONResponse
*/
public function create($name) {
if ($this->checkAppToken()) {
return $this->getServiceNotAvailableResponse();
}
try {
$sessionId = $this->session->getId();
} catch (SessionNotAvailableException $ex) {
@ -181,6 +185,10 @@ class AuthSettingsController extends Controller {
return implode('-', $groups);
}
private function checkAppToken(): bool {
return $this->session->exists('app_password');
}
/**
* @NoAdminRequired
* @NoSubAdminRequired
@ -189,6 +197,10 @@ class AuthSettingsController extends Controller {
* @return array|JSONResponse
*/
public function destroy($id) {
if ($this->checkAppToken()) {
return new JSONResponse([], Http::STATUS_BAD_REQUEST);
}
try {
$token = $this->findTokenByIdAndUser($id);
} catch (WipeTokenException $e) {
@ -213,6 +225,10 @@ class AuthSettingsController extends Controller {
* @return array|JSONResponse
*/
public function update($id, array $scope, string $name) {
if ($this->checkAppToken()) {
return new JSONResponse([], Http::STATUS_BAD_REQUEST);
}
try {
$token = $this->findTokenByIdAndUser($id);
} catch (InvalidTokenException $e) {
@ -287,6 +303,10 @@ class AuthSettingsController extends Controller {
* @throws \OC\Authentication\Exceptions\ExpiredTokenException
*/
public function wipe(int $id): JSONResponse {
if ($this->checkAppToken()) {
return new JSONResponse([], Http::STATUS_BAD_REQUEST);
}
try {
$token = $this->findTokenByIdAndUser($id);
} catch (InvalidTokenException $e) {