diff --git a/server/AyaNova/Controllers/AuthController.cs b/server/AyaNova/Controllers/AuthController.cs
index afbeed0b..b43626a6 100644
--- a/server/AyaNova/Controllers/AuthController.cs
+++ b/server/AyaNova/Controllers/AuthController.cs
@@ -645,11 +645,11 @@ namespace AyaNova.Api.Controllers
/// Disable (turn off) 2fa for user account
/// (For other user id requires full privileges)
///
- /// Optional User id otherwise current user account
+ /// User id
/// From route path
/// OK on success
[HttpPost("totp-disable/{id}")]
- public async Task DisableTOTP([FromRoute] long? id, ApiVersion apiVersion)
+ public async Task DisableTOTP([FromRoute] long id, ApiVersion apiVersion)
{
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
@@ -657,15 +657,14 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
- if (id != null)
+ var UserId = UserIdFromContext.Id(HttpContext.Items);
+ if (id != UserId) //doing it on behalf of someone else
{
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.User))
return StatusCode(403, new ApiNotAuthorizedResponse());
}
- //get user
- var UserId = id ?? UserIdFromContext.Id(HttpContext.Items);
-
+
var u = await ct.User.FirstOrDefaultAsync(z => z.Id == UserId);
if (u == null)//should never happen but ?
return StatusCode(403, new ApiNotAuthorizedResponse());
@@ -674,7 +673,7 @@ namespace AyaNova.Api.Controllers
u.TempToken = null;
u.TwoFactorEnabled = false;
await ct.SaveChangesAsync();
- return NoContent();
+ return NoContent();
}
//------------------------------------------------------