MDL-76962 auth_oauth2: users can only delete their own linked logins.

2025-01-17 21:49:15 +01:00 · 2024-07-03 17:26:28 +01:00 · 2024-07-03 17:26:28 +01:00 · fb06894e75
commit fb06894e75
parent 9639feb9a3
2 changed files with 34 additions and 4 deletions
--- a/auth/oauth2/classes/api.php
+++ b/auth/oauth2/classes/api.php
@ -345,7 +345,7 @@ class api {
    }

    /**
-     * Delete linked login
+     * Delete a users own linked login
     *
     * Requires auth/oauth2:managelinkedlogins capability at the user context.
     *
@ -353,14 +353,19 @@ class api {
     * @return boolean
     */
    public static function delete_linked_login($linkedloginid) {
-        $login = new linked_login($linkedloginid);
-        $userid = $login->get('userid');
+        global $USER;

        if (\core\session\manager::is_loggedinas()) {
            throw new moodle_exception('notwhileloggedinas', 'auth_oauth2');
        }

-        $context = context_user::instance($userid);
+        $login = linked_login::get_record([
+            'id' => $linkedloginid,
+            'userid' => $USER->id,
+            'confirmtoken' => '',
+        ], MUST_EXIST);
+
+        $context = context_user::instance($login->get('userid'));
        require_capability('auth/oauth2:managelinkedlogins', $context);

        $login->delete();
--- a/auth/oauth2/tests/api_test.php
+++ b/auth/oauth2/tests/api_test.php
@ -137,6 +137,7 @@ class api_test extends \advanced_testcase {
        $issuer = \core\oauth2\api::create_standard_issuer('google');

        $user = $this->getDataGenerator()->create_user();
+        $this->setUser($user);

        $info = [];
        $info['username'] = 'banana';
@ -169,6 +170,30 @@ class api_test extends \advanced_testcase {
        $this->assertEquals($newuser->id, $match->get('userid'));
    }

+    /**
+     * Test that we cannot deleted a linked login for another user
+     */
+    public function test_delete_linked_login_other_user(): void {
+        $this->resetAfterTest();
+
+        $this->setAdminUser();
+        $issuer = \core\oauth2\api::create_standard_issuer('google');
+
+        $user = $this->getDataGenerator()->create_user();
+
+        api::link_login([
+            'username' => 'banana',
+            'email' => 'banana@example.com',
+        ], $issuer, $user->id);
+
+        /** @var linked_login $linkedlogin */
+        $linkedlogin = api::get_linked_logins($user->id)[0];
+
+        // We are logged in as a different user, so cannot delete this.
+        $this->expectException(\dml_missing_record_exception::class);
+        api::delete_linked_login($linkedlogin->get('id'));
+    }
+
    /**
     * Test that is_enabled correctly identifies when the plugin is enabled.
     */