forked from MirrorHub/synapse
Device deletion: check UI auth matches access token
(otherwise there's no point in the UI auth)
This commit is contained in:
parent
92f680889d
commit
7a6546228b
1 changed files with 8 additions and 5 deletions
|
@ -117,6 +117,8 @@ class DeviceRestServlet(servlet.RestServlet):
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def on_DELETE(self, request, device_id):
|
def on_DELETE(self, request, device_id):
|
||||||
|
requester = yield self.auth.get_user_by_req(request)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
body = servlet.parse_json_object_from_request(request)
|
body = servlet.parse_json_object_from_request(request)
|
||||||
|
|
||||||
|
@ -135,11 +137,12 @@ class DeviceRestServlet(servlet.RestServlet):
|
||||||
if not authed:
|
if not authed:
|
||||||
defer.returnValue((401, result))
|
defer.returnValue((401, result))
|
||||||
|
|
||||||
requester = yield self.auth.get_user_by_req(request)
|
# check that the UI auth matched the access token
|
||||||
yield self.device_handler.delete_device(
|
user_id = result[constants.LoginType.PASSWORD]
|
||||||
requester.user.to_string(),
|
if user_id != requester.user.to_string():
|
||||||
device_id,
|
raise errors.AuthError(403, "Invalid auth")
|
||||||
)
|
|
||||||
|
yield self.device_handler.delete_device(user_id, device_id)
|
||||||
defer.returnValue((200, {}))
|
defer.returnValue((200, {}))
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
|
|
Loading…
Reference in a new issue