Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/nextcloud/server.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoeland Jago Douma <rullzer@users.noreply.github.com>2021-05-18 10:28:48 +0300
committerGitHub <noreply@github.com>2021-05-18 10:28:48 +0300
commite008b7915e83c07cdc9c4ad89b1498d4857786a3 (patch)
treed33870a1912f6d66cf637c640b00235a287968bf
parent83330b8c4ca27b094b4a262dde261a0b767b3f9c (diff)
parent4a2775a442571dec304b1bb2cb53df681c5dde0b (diff)
Merge pull request #27000 from nextcloud/enh/apptoken/check_apptoken
Harden apptoken check
Diffstat
-rw-r--r--apps/settings/lib/Controller/AuthSettingsController.php20
1 files changed, 20 insertions, 0 deletions
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
index 9535b3bec67..11e1be7fd47 100644
--- a/apps/settings/lib/Controller/AuthSettingsController.php
+++ b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -121,6 +121,10 @@ class AuthSettingsController extends Controller {
* @return JSONResponse
*/
public function create($name) {
+ if ($this->checkAppToken()) {
+ return $this->getServiceNotAvailableResponse();
+ }
+
try {
$sessionId = $this->session->getId();
} catch (SessionNotAvailableException $ex) {
@@ -181,6 +185,10 @@ class AuthSettingsController extends Controller {
return implode('-', $groups);
}
+ private function checkAppToken(): bool {
+ return $this->session->exists('app_password');
+ }
+
/**
* @NoAdminRequired
* @NoSubAdminRequired
@@ -189,6 +197,10 @@ class AuthSettingsController extends Controller {
* @return array|JSONResponse
*/
public function destroy($id) {
+ if ($this->checkAppToken()) {
+ return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+ }
+
try {
$token = $this->findTokenByIdAndUser($id);
} catch (WipeTokenException $e) {
@@ -213,6 +225,10 @@ class AuthSettingsController extends Controller {
* @return array|JSONResponse
*/
public function update($id, array $scope, string $name) {
+ if ($this->checkAppToken()) {
+ return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+ }
+
try {
$token = $this->findTokenByIdAndUser($id);
} catch (InvalidTokenException $e) {
@@ -286,6 +302,10 @@ class AuthSettingsController extends Controller {
* @throws \OC\Authentication\Exceptions\ExpiredTokenException
*/
public function wipe(int $id): JSONResponse {
+ if ($this->checkAppToken()) {
+ return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+ }
+
try {
$token = $this->findTokenByIdAndUser($id);
} catch (InvalidTokenException $e) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-26 06:23:00 +0300