MDL-76962 auth_oauth2: users can only delete their own linked logins.

safatshahin · Aug 29, 2024 · 809629e · 809629e
1 parent 99dd18c
commit 809629e
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 4 deletions.
diff --git a/auth/oauth2/classes/api.php b/auth/oauth2/classes/api.php
@@ -351,22 +351,27 @@ public static function send_confirm_account_email($userinfo, $issuer) {
     }
 
     /**
-     * Delete linked login
+     * Delete a users own linked login
      *
      * Requires auth/oauth2:managelinkedlogins capability at the user context.
      *
      * @param int $linkedloginid
      * @return boolean
      */
     public static function delete_linked_login($linkedloginid) {
-        $login = new linked_login($linkedloginid);
-        $userid = $login->get('userid');
+        global $USER;
 
         if (\core\session\manager::is_loggedinas()) {
             throw new moodle_exception('notwhileloggedinas', 'auth_oauth2');
         }
 
-        $context = context_user::instance($userid);
+        $login = linked_login::get_record([
+            'id' => $linkedloginid,
+            'userid' => $USER->id,
+            'confirmtoken' => '',
+        ], MUST_EXIST);
+
+        $context = context_user::instance($login->get('userid'));
         require_capability('auth/oauth2:managelinkedlogins', $context);
 
         $login->delete();

diff --git a/auth/oauth2/tests/api_test.php b/auth/oauth2/tests/api_test.php
@@ -139,6 +139,7 @@ public function test_linked_logins(): void {
         $issuer = \core\oauth2\api::create_standard_issuer('google');
 
         $user = $this->getDataGenerator()->create_user();
+        $this->setUser($user);
 
         $info = [];
         $info['username'] = 'banana';
@@ -171,6 +172,30 @@ public function test_linked_logins(): void {
         $this->assertEquals($newuser->id, $match->get('userid'));
     }
 
+    /**
+     * Test that we cannot deleted a linked login for another user
+     */
+    public function test_delete_linked_login_other_user(): void {
+        $this->resetAfterTest();
+
+        $this->setAdminUser();
+        $issuer = \core\oauth2\api::create_standard_issuer('google');
+
+        $user = $this->getDataGenerator()->create_user();
+
+        api::link_login([
+            'username' => 'banana',
+            'email' => 'banana@example.com',
+        ], $issuer, $user->id);
+
+        /** @var linked_login $linkedlogin */
+        $linkedlogin = api::get_linked_logins($user->id)[0];
+
+        // We are logged in as a different user, so cannot delete this.
+        $this->expectException(\dml_missing_record_exception::class);
+        api::delete_linked_login($linkedlogin->get('id'));
+    }
+
     /**
      * Test that is_enabled correctly identifies when the plugin is enabled.
      */