diff options
| author | Roeland Jago Douma <roeland@famdouma.nl> | 2021-05-17 13:04:21 +0300 |
|---|---|---|
| committer | Roeland Jago Douma <roeland@famdouma.nl> | 2021-05-17 17:05:45 +0300 |
| commit | 4a2775a442571dec304b1bb2cb53df681c5dde0b (patch) | |
| tree | bcde27407fbd8b630eb454cb3ae9b95be5e5d150 | |
| parent | 3854e7f8f00f18f8227c4b14a32eb0ca0ea000d4 (diff) | |
Harden apptoken check
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
| -rw-r--r-- | apps/settings/lib/Controller/AuthSettingsController.php | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php index 9535b3bec67..11e1be7fd47 100644 --- a/apps/settings/lib/Controller/AuthSettingsController.php +++ b/apps/settings/lib/Controller/AuthSettingsController.php @@ -121,6 +121,10 @@ class AuthSettingsController extends Controller { * @return JSONResponse */ public function create($name) { + if ($this->checkAppToken()) { + return $this->getServiceNotAvailableResponse(); + } + try { $sessionId = $this->session->getId(); } catch (SessionNotAvailableException $ex) { @@ -181,6 +185,10 @@ class AuthSettingsController extends Controller { return implode('-', $groups); } + private function checkAppToken(): bool { + return $this->session->exists('app_password'); + } + /** * @NoAdminRequired * @NoSubAdminRequired @@ -189,6 +197,10 @@ class AuthSettingsController extends Controller { * @return array|JSONResponse */ public function destroy($id) { + if ($this->checkAppToken()) { + return new JSONResponse([], Http::STATUS_BAD_REQUEST); + } + try { $token = $this->findTokenByIdAndUser($id); } catch (WipeTokenException $e) { @@ -213,6 +225,10 @@ class AuthSettingsController extends Controller { * @return array|JSONResponse */ public function update($id, array $scope, string $name) { + if ($this->checkAppToken()) { + return new JSONResponse([], Http::STATUS_BAD_REQUEST); + } + try { $token = $this->findTokenByIdAndUser($id); } catch (InvalidTokenException $e) { @@ -286,6 +302,10 @@ class AuthSettingsController extends Controller { * @throws \OC\Authentication\Exceptions\ExpiredTokenException */ public function wipe(int $id): JSONResponse { + if ($this->checkAppToken()) { + return new JSONResponse([], Http::STATUS_BAD_REQUEST); + } + try { $token = $this->findTokenByIdAndUser($id); } catch (InvalidTokenException $e) { |