From 5c6cf1939b11e6677aa13fc6f7751b9eeadba865 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Fri, 12 Mar 2021 21:37:38 +0000
Subject: [PATCH]
---
 server/AyaNova/Controllers/AuthController.cs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/server/AyaNova/Controllers/AuthController.cs b/server/AyaNova/Controllers/AuthController.cs
index afbeed0b..b43626a6 100644
--- a/server/AyaNova/Controllers/AuthController.cs
+++ b/server/AyaNova/Controllers/AuthController.cs
@@ -645,11 +645,11 @@ namespace AyaNova.Api.Controllers
         /// Disable (turn off) 2fa for user account
         /// (For other user id requires full privileges)
         ///
-        /// Optional User id otherwise current user account
+        /// User id
         /// From route path
         /// OK on success
         [HttpPost("totp-disable/{id}")]
-        public async Task DisableTOTP([FromRoute] long? id, ApiVersion apiVersion)
+        public async Task DisableTOTP([FromRoute] long id, ApiVersion apiVersion)
         {
             if (!serverState.IsOpen)
                 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
@@ -657,15 +657,14 @@ namespace AyaNova.Api.Controllers
             if (!ModelState.IsValid)
                 return BadRequest(new ApiErrorResponse(ModelState));
 
-            if (id != null)
+            var UserId = UserIdFromContext.Id(HttpContext.Items);
+            if (id != UserId) //doing it on behalf of someone else
             {
                 if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.User))
                     return StatusCode(403, new ApiNotAuthorizedResponse());
             }
 
-            //get user
-            var UserId = id ?? UserIdFromContext.Id(HttpContext.Items);
-
+
             var u = await ct.User.FirstOrDefaultAsync(z => z.Id == UserId);
             if (u == null)//should never happen but ?
                 return StatusCode(403, new ApiNotAuthorizedResponse());
@@ -674,7 +673,7 @@ namespace AyaNova.Api.Controllers
             u.TempToken = null;
             u.TwoFactorEnabled = false;
             await ct.SaveChangesAsync();
-            return NoContent();
+            return NoContent();
         }
 
         //------------------------------------------------------
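Review bot: In the second hunk the lookup `var u = await ct.User.FirstOrDefaultAsync(z => z.Id == UserId);` still keys on `UserId`, which the new code always sets to the caller's own id, so the route parameter `id` no longer selects the account: a caller holding the modify role who posts another user's id passes the `id != UserId` check and then has 2FA disabled on their own account rather than on the target's, while the target's 2FA stays on. The lookup should use the route value, `var u = await ct.User.FirstOrDefaultAsync(z => z.Id == id);`, and the local would read less ambiguously as `var callerId = UserIdFromContext.Id(HttpContext.Items);` with the comparison `if (id != callerId)`. Once `id` drives the lookup, the `//should never happen but ?` remark on the null check no longer holds, since any unknown id reaches it, so that comment should say the branch covers an unknown id as well. DisableTOTP begins and ends outside this hunk.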