From ca883f119614bf636802320e60822e1ed4992f2e Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 3 Feb 2015 14:42:42 +0100 Subject: [PATCH 1/4] [ticket/13564] Allow to specify user id for retrieving auth link data PHPBB3-13564 --- phpBB/phpbb/auth/provider/base.php | 2 +- phpBB/phpbb/auth/provider/oauth/oauth.php | 4 ++-- phpBB/phpbb/auth/provider/provider_interface.php | 6 +++++- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/phpBB/phpbb/auth/provider/base.php b/phpBB/phpbb/auth/provider/base.php index 4c49070eaf..dea27ccc25 100644 --- a/phpBB/phpbb/auth/provider/base.php +++ b/phpBB/phpbb/auth/provider/base.php @@ -61,7 +61,7 @@ abstract class base implements \phpbb\auth\provider\provider_interface /** * {@inheritdoc} */ - public function get_auth_link_data() + public function get_auth_link_data($user_id = 0) { return; } diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php index c0ce3f1fba..9fc3a107e6 100644 --- a/phpBB/phpbb/auth/provider/oauth/oauth.php +++ b/phpBB/phpbb/auth/provider/oauth/oauth.php @@ -553,13 +553,13 @@ class oauth extends \phpbb\auth\provider\base /** * {@inheritdoc} */ - public function get_auth_link_data() + public function get_auth_link_data($user_id = 0) { $block_vars = array(); // Get all external accounts tied to the current user $data = array( - 'user_id' => (int) $this->user->data['user_id'], + 'user_id' => ($user_id <= 0) ? (int) $this->user->data['user_id'] : (int) $user_id, ); $sql = 'SELECT oauth_provider_id, provider FROM ' . $this->auth_provider_oauth_token_account_assoc . ' WHERE ' . $this->db->sql_build_array('SELECT', $data); diff --git a/phpBB/phpbb/auth/provider/provider_interface.php b/phpBB/phpbb/auth/provider/provider_interface.php index 613297cefc..35e0f559a1 100644 --- a/phpBB/phpbb/auth/provider/provider_interface.php +++ b/phpBB/phpbb/auth/provider/provider_interface.php @@ -166,6 +166,10 @@ interface provider_interface /** * Returns an array of data necessary to build the ucp_auth_link page * + * @param int $user_id User ID for whom the data should be retrieved. + * defaults to 0, which is not a valid ID. The method + * should fall back to the current user's ID in this + * case. * @return array|null If this function is not implemented on an auth * provider then it returns null. If it is implemented * it will return an array of up to four elements of @@ -181,7 +185,7 @@ interface provider_interface * 'VARS' => array(...), * ) */ - public function get_auth_link_data(); + public function get_auth_link_data($user_id = 0); /** * Unlinks an external account from a phpBB account. From 4d7cb7ca737195f42141c3939b9515cb3edd8b9b Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 3 Feb 2015 14:44:01 +0100 Subject: [PATCH 2/4] [ticket/13564] Use user_id from link_data for unlinking account in oauth PHPBB3-13564 --- phpBB/phpbb/auth/provider/oauth/oauth.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php index 9fc3a107e6..be0fbf5831 100644 --- a/phpBB/phpbb/auth/provider/oauth/oauth.php +++ b/phpBB/phpbb/auth/provider/oauth/oauth.php @@ -616,10 +616,13 @@ class oauth extends \phpbb\auth\provider\base return 'LOGIN_LINK_MISSING_DATA'; } + // Remove user specified in $link_data if possible + $user_id = isset($link_data['user_id']) ? $link_data['user_id'] : $this->user->data['user_id']; + // Remove the link $sql = 'DELETE FROM ' . $this->auth_provider_oauth_token_account_assoc . " WHERE provider = '" . $this->db->sql_escape($link_data['oauth_service']) . "' - AND user_id = " . (int) $this->user->data['user_id']; + AND user_id = " . (int) $user_id; $this->db->sql_query($sql); // Clear all tokens belonging to the user on this servce From 2e7a60d98638beb7d1f54273e7d3a95ac9754fff Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 3 Feb 2015 14:46:19 +0100 Subject: [PATCH 3/4] [ticket/13564] Try to unlink user account for every auth provider PHPBB3-13564 --- phpBB/includes/functions_user.php | 35 +++++++++++++++++++++++ tests/functions_user/delete_user_test.php | 10 +++++++ 2 files changed, 45 insertions(+) diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 9cd662027e..815f07d2e4 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -500,6 +500,9 @@ function user_delete($mode, $user_ids, $retain_username = true) $num_users_delta = 0; + // Get auth provider collection in case accounts might need to be unlinked + $provider_collection = $phpbb_container->get('auth.provider_collection'); + // Some things need to be done in the loop (if the query changes based // on which user is currently being deleted) $added_guest_posts = 0; @@ -510,6 +513,38 @@ function user_delete($mode, $user_ids, $retain_username = true) avatar_delete('user', $user_row); } + // Unlink accounts + foreach ($provider_collection as $provider_name => $auth_provider) + { + $provider_data = $auth_provider->get_auth_link_data($user_id); + + if ($provider_data !== null) + { + $link_data = array( + 'user_id' => $user_id, + 'link_method' => 'user_delete', + ); + + // BLOCK_VARS might contain hidden fields necessary for unlinking accounts + if (isset($provider_data['BLOCK_VARS']) && is_array($provider_data['BLOCK_VARS'])) + { + foreach ($provider_data['BLOCK_VARS'] as $provider_service) + { + if (!array_key_exists('HIDDEN_FIELDS', $provider_service)) + { + $provider_service['HIDDEN_FIELDS'] = array(); + } + + $auth_provider->unlink_account(array_merge($link_data, $provider_service['HIDDEN_FIELDS'])); + } + } + else + { + $auth_provider->unlink_account($link_data); + } + } + } + // Decrement number of users if this user is active if ($user_row['user_type'] != USER_INACTIVE && $user_row['user_type'] != USER_IGNORE) { diff --git a/tests/functions_user/delete_user_test.php b/tests/functions_user/delete_user_test.php index d5c78c64ad..7db69e332c 100644 --- a/tests/functions_user/delete_user_test.php +++ b/tests/functions_user/delete_user_test.php @@ -38,6 +38,16 @@ class phpbb_functions_user_delete_user_test extends phpbb_database_test_case $phpbb_dispatcher = new phpbb_mock_event_dispatcher(); $phpbb_container = new phpbb_mock_container_builder(); $phpbb_container->set('notification_manager', new phpbb_mock_notification_manager()); + $phpbb_container->set( + 'auth.provider.db', + new phpbb_mock_auth_provider() + ); + $provider_collection = new \phpbb\auth\provider_collection($phpbb_container, $config); + $provider_collection->add('auth.provider.db'); + $phpbb_container->set( + 'auth.provider_collection', + $provider_collection + ); } public function first_last_post_data() From c5178a19b244c15ff0ca5445972c7efc93c54ac4 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 25 Apr 2015 15:48:24 +0200 Subject: [PATCH 4/4] [ticket/13564] Add tests for unlinking account upon deleting user PHPBB3-13564 --- tests/functions/fixtures/user_delete.xml | 46 ++++++++++ tests/functions/user_delete_test.php | 112 +++++++++++++++++++++++ 2 files changed, 158 insertions(+) create mode 100644 tests/functions/fixtures/user_delete.xml create mode 100644 tests/functions/user_delete_test.php diff --git a/tests/functions/fixtures/user_delete.xml b/tests/functions/fixtures/user_delete.xml new file mode 100644 index 0000000000..4c4479d29b --- /dev/null +++ b/tests/functions/fixtures/user_delete.xml @@ -0,0 +1,46 @@ + + + + user_id + username_clean + username + user_permissions + user_sig + + 1 + anonymous + anonymous + + + + + 2 + 2 + 2 + + + +
+ + user_id + provider + oauth_provider_id + + 2 + google + 1234567890123456789 + +
+ + user_id + session_id + provider + oauth_token + + 2 + 897a897b797c8789997d7979879 + auth.provider.oauth.service.google + {"accessToken":"ya29.YPHwCWVkrvwu1kgbYKiDNYaQ451ZuHy9OEQAGVME8if-WBzR-v7a9ftxbx41kaL)5VLEXB-6qJEvri","endOfLife":1429959670,"extraParams":{"token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsImupZCI6IjE0YuRjNzc2MDQwYjUyNDZmNTI5OWFkZDVlMmQ1NWNOPTdjMDdlZTAifQ.eyJpc3MiOiJhY2NvdW90cy5nb78nbGUuY29tIiwic3ViIjoiMTExMDMwNwerNjM4MTM5NTQwMTM1IiwiYXpwIjoiOTk3MzUwMTY0NzE0LWhwOXJrYjZpcjM4MW80YjV1NjRpaGtmM29zMnRvbWxhLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJtYXJjLmFsZXhhbmRlci4zN0BnbWFpbC5jb20iLCJhdF9oYXNoIjoiWHk2b1JabnVZUWRfRTZDeDV0RkItdyIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdWQiOiI5OTczNTAxNjQ3MTQtaHA5cmtiNmlyMzgxbzRiNXU2NGloa2Yzb3MydG9tbGEuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJpYXQiOjE0Mjk5NTYwNzEsImV4cCI6MTQyOTk1OTY3MX0.C5gfSzjqwlRRvVMuTP6jfWIuEHMXn55oYHsSA3eh97n2BZL0TZHhUm4K206Fgucd6ufAphan4l0J7y6tMAHLZPr-kk6KDINxWnPG-up99reblGutay0lRYjMCcrhJAOql8EI1bi84GyliZFYHL67pE0ZtSf-CMb1CeH18TFe-Fk"},"refreshToken":null,"token_class":"OAuth\\\\OAuth2\\\\Token\\\\StdOAuth2Token"} + +
+
diff --git a/tests/functions/user_delete_test.php b/tests/functions/user_delete_test.php new file mode 100644 index 0000000000..db52dcded7 --- /dev/null +++ b/tests/functions/user_delete_test.php @@ -0,0 +1,112 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php'; +require_once dirname(__FILE__) . '/../../phpBB/includes/functions_user.php'; + +class phpbb_functions_user_delete_test extends phpbb_database_test_case +{ + /** @var \phpbb\db\driver\driver_interface */ + protected $db; + + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__) . '/fixtures/user_delete.xml'); + } + + protected function setUp() + { + parent::setUp(); + + global $cache, $config, $db, $phpbb_container, $phpbb_dispatcher, $user; + + $this->db = $db = $this->new_dbal(); + $user = new \phpbb\user('\phpbb\datetime'); + $phpbb_dispatcher = new phpbb_mock_event_dispatcher(); + $phpbb_container = new phpbb_mock_container_builder(); + $config = new \phpbb\config\config(array( + 'auth_method' => 'oauth', + 'auth_oauth_google_key' => 'foo', + 'auth_oauth_google_secret' => 'bar', + )); + set_config_count('foobar', 0, false, $config); + $cache = new \phpbb\cache\driver\null(); + $request = new phpbb_mock_request(); + $notification_manager = new phpbb_mock_notification_manager(); + $provider_collection = new \phpbb\auth\provider_collection($phpbb_container, $config); + $oauth_provider_google = new \phpbb\auth\provider\oauth\service\google($config, $request); + $oauth_provider_collection = new \phpbb\di\service_collection($phpbb_container); + $oauth_provider_collection->offsetSet('auth.provider.oauth.service.google', $oauth_provider_google); + + $driver_helper = new \phpbb\passwords\driver\helper($config); + $passwords_drivers = array( + 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper), + 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper), + 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper), + 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper), + ); + + $passwords_helper = new \phpbb\passwords\helper; + // Set up passwords manager + $passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers)); + + $oauth_provider = new \phpbb\auth\provider\oauth\oauth( + $db, + $config, + $passwords_manager, + $request, + $user, + 'phpbb_oauth_tokens', + 'phpbb_oauth_accounts', + $oauth_provider_collection, + 'phpbb_users', + $phpbb_container, + $this->phpbb_root_path, + $this->php_ext + ); + $provider_collection->offsetSet('auth.provider.oauth', $oauth_provider); + + $phpbb_container->set('auth.provider.oauth', $oauth_provider); + $phpbb_container->set('auth.provider.oauth.service.google', $oauth_provider_google); + $phpbb_container->set('auth.provider_collection', $provider_collection); + $phpbb_container->set('notification_manager', $notification_manager); + } + + public function test_user_delete() + { + // Check that user is linked + $sql = 'SELECT ot.user_id AS user_id + FROM phpbb_oauth_accounts oa, phpbb_oauth_tokens ot + WHERE oa.user_id = 2 + AND ot.user_id = oa.user_id'; + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); + + $this->assertEquals(array('user_id' => '2'), $row); + + // user_delete() should return false + $this->assertFalse(user_delete('remove', array(2))); + + // Make sure user link was removed + $sql = 'SELECT ot.user_id AS user_id + FROM phpbb_oauth_accounts oa, phpbb_oauth_tokens ot + WHERE oa.user_id = 2 + AND ot.user_id = oa.user_id'; + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); + + $this->assertEmpty($row); + } +}