From fb06894e75a5fbac5265abf6657493054c95b148 Mon Sep 17 00:00:00 2001
From: Paul Holden <paulh@moodle.com>
Date: Wed, 3 Jul 2024 17:26:28 +0100
Subject: [PATCH] MDL-76962 auth_oauth2: users can only delete their own linked
 logins.

---
 auth/oauth2/classes/api.php    | 13 +++++++++----
 auth/oauth2/tests/api_test.php | 25 +++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/auth/oauth2/classes/api.php b/auth/oauth2/classes/api.php
index 50bc4f16756..3c40415b272 100644
--- a/auth/oauth2/classes/api.php
+++ b/auth/oauth2/classes/api.php
@@ -345,7 +345,7 @@ class api {
     }
 
     /**
-     * Delete linked login
+     * Delete a users own linked login
      *
      * Requires auth/oauth2:managelinkedlogins capability at the user context.
      *
@@ -353,14 +353,19 @@ class api {
      * @return boolean
      */
     public static function delete_linked_login($linkedloginid) {
-        $login = new linked_login($linkedloginid);
-        $userid = $login->get('userid');
+        global $USER;
 
         if (\core\session\manager::is_loggedinas()) {
             throw new moodle_exception('notwhileloggedinas', 'auth_oauth2');
         }
 
-        $context = context_user::instance($userid);
+        $login = linked_login::get_record([
+            'id' => $linkedloginid,
+            'userid' => $USER->id,
+            'confirmtoken' => '',
+        ], MUST_EXIST);
+
+        $context = context_user::instance($login->get('userid'));
         require_capability('auth/oauth2:managelinkedlogins', $context);
 
         $login->delete();
diff --git a/auth/oauth2/tests/api_test.php b/auth/oauth2/tests/api_test.php
index f41ebecf340..627d4fd2f8e 100644
--- a/auth/oauth2/tests/api_test.php
+++ b/auth/oauth2/tests/api_test.php
@@ -137,6 +137,7 @@ class api_test extends \advanced_testcase {
         $issuer = \core\oauth2\api::create_standard_issuer('google');
 
         $user = $this->getDataGenerator()->create_user();
+        $this->setUser($user);
 
         $info = [];
         $info['username'] = 'banana';
@@ -169,6 +170,30 @@ class api_test extends \advanced_testcase {
         $this->assertEquals($newuser->id, $match->get('userid'));
     }
 
+    /**
+     * Test that we cannot deleted a linked login for another user
+     */
+    public function test_delete_linked_login_other_user(): void {
+        $this->resetAfterTest();
+
+        $this->setAdminUser();
+        $issuer = \core\oauth2\api::create_standard_issuer('google');
+
+        $user = $this->getDataGenerator()->create_user();
+
+        api::link_login([
+            'username' => 'banana',
+            'email' => 'banana@example.com',
+        ], $issuer, $user->id);
+
+        /** @var linked_login $linkedlogin */
+        $linkedlogin = api::get_linked_logins($user->id)[0];
+
+        // We are logged in as a different user, so cannot delete this.
+        $this->expectException(\dml_missing_record_exception::class);
+        api::delete_linked_login($linkedlogin->get('id'));
+    }
+
     /**
      * Test that is_enabled correctly identifies when the plugin is enabled.
      */