Allow to delete API tokens

This commit is contained in:
Jan Böhmer 2023-08-26 23:19:35 +02:00
parent 8fe3f4cf5c
commit 3e693642b6
3 changed files with 108 additions and 30 deletions


@ -407,6 +407,8 @@ class UserSettingsController extends AbstractController
public function addApiToken(Request $request, EntityManagerInterface $entityManager): Response
{
$this->denyAccessUnlessGranted('@api.manage_tokens');
//When user change its settings, he should be logged in fully.
$this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
$token = new ApiToken();
$token->setUser($this->getUser());
@ -450,4 +452,43 @@ class UserSettingsController extends AbstractController
'secret' => $secret,
]);
}
#[Route(path: '/api_token/delete', name: 'user_api_tokens_delete', methods: ['DELETE'])]
public function apiTokenRemove(Request $request, EntityManagerInterface $entityManager): Response
{
$this->denyAccessUnlessGranted('@api.manage_tokens');
//When user change its settings, he should be logged in fully.
$this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
$user = $this->getUser();
if (!$user instanceof User) {
throw new RuntimeException('This controller only works only for Part-DB User objects!');
}
if (!$this->isCsrfTokenValid('delete'.$user->getID(), $request->request->get('_token'))) {
$this->addFlash('error', 'csfr_invalid');
return $this->redirectToRoute('user_settings');
}
//Extract the token id from the request
$token_id = $request->request->getInt('token_id');
$token = $entityManager->find(ApiToken::class, $token_id);
if ($token === null) {
$this->addFlash('error', 'tfa_u2f.u2f_delete.not_existing');
return $this->redirectToRoute('user_settings');
}
//User can only delete its own API tokens
if ($token->getUser() !== $user) {
$this->addFlash('error', 'tfa_u2f.u2f_delete.access_denied');
return $this->redirectToRoute('user_settings');
}
//Do the actual deletion
$entityManager->remove($token);
$entityManager->flush();
$this->addFlash('success', 'api_tokens.deleted');
return $this->redirectToRoute('user_settings');
}
}
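Review bot: The two failure branches after the `find()` call answer differently for "no such token" and "token belongs to someone else", so a logged-in user can probe `token_id` values and learn which ids exist for other accounts; collapsing them into one branch with one message removes that oracle, e.g. `if ($token === null || $token->getUser() !== $user) { $this->addFlash('error', 'api_tokens.delete.failed'); return $this->redirectToRoute('user_settings'); }` (the translation key is a placeholder, to be added alongside the existing `api_tokens.deleted`). The keys currently reused, `tfa_u2f.u2f_delete.not_existing` and `tfa_u2f.u2f_delete.access_denied`, presumably render U2F-specific wording to the user, which is a second reason to give this action its own key. The ownership check relies on object identity between `$token->getUser()` and `$this->getUser()`; that should hold when both come from the same entity manager, but comparing ids would not depend on it. The method name `apiTokenRemove` also breaks the verb-first pattern of the sibling `addApiToken` in the hunk above.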