owncloud · DeepDiver1975 · Aug 2, 2017 · Aug 2, 2017 · Aug 2, 2017 · Aug 2, 2017
diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php
@@ -104,6 +104,7 @@ public function __construct($AppName, IRequest $request,
 	 * @return TemplateResponse The authorize view or the
 	 * authorize-error view with a redirection to the
 	 * default page URL.
+	 *
 	 * @NoAdminRequired
 	 * @NoCSRFRequired
 	 */
@@ -179,7 +180,6 @@ public function authorize($response_type, $client_id, $redirect_uri,
 	 * default page URL.
 	 *
 	 * @NoAdminRequired
-	 * @NoCSRFRequired
 	 */
 	public function generateAuthorizationCode($response_type, $client_id, $redirect_uri, $state = null) {
 		if (!is_string($response_type) || !is_string($client_id)

diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
@@ -90,8 +90,6 @@ public function __construct($AppName, IRequest $request,
 	 * Adds a client.
 	 *
 	 * @return RedirectResponse Redirection to the settings page.
-	 *
-	 * @NoCSRFRequired
 	 */
 	public function addClient() {
 		if (!isset($_POST['redirect_uri']) || !isset($_POST['name'])) {
@@ -139,8 +137,6 @@ public function addClient() {
 	 * @param int $id The client identifier.
 	 *
 	 * @return RedirectResponse Redirection to the settings page.
-	 *
-	 * @NoCSRFRequired
 	 */
 	public function deleteClient($id) {
 		if (!is_int($id)) {
@@ -173,25 +169,23 @@ public function deleteClient($id) {
 	 * Revokes the authorization for a client.
 	 *
 	 * @param int $id The client identifier.
-	 * @param string $user_id The ID of the user logged in.
 	 *
 	 * @return RedirectResponse Redirection to the settings page.
 	 *
 	 * @NoAdminRequired
-	 * @NoCSRFRequired
 	 */
-	public function revokeAuthorization($id, $user_id) {
-		if (!is_int($id) || !is_string($user_id)) {
+	public function revokeAuthorization($id) {
+		if (!is_int($id)) {
 			return new RedirectResponse(
 				$this->urlGenerator->linkToRouteAbsolute(
 					'settings.SettingsPage.getPersonal',
 					['sectionid' => 'security']
 				) . '#oauth2');
 		}
 
-		$this->authorizationCodeMapper->deleteByClientUser($id, $user_id);
-		$this->accessTokenMapper->deleteByClientUser($id, $user_id);
-		$this->refreshTokenMapper->deleteByClientUser($id, $user_id);
+		$this->authorizationCodeMapper->deleteByClientUser($id, $this->userId);
+		$this->accessTokenMapper->deleteByClientUser($id, $this->userId);
+		$this->refreshTokenMapper->deleteByClientUser($id, $this->userId);
 
 		return new RedirectResponse(
 			$this->urlGenerator->linkToRouteAbsolute(

diff --git a/templates/authorize.php b/templates/authorize.php
@@ -28,6 +28,7 @@
 		<br>
 		<p><?php p($l->t('The application will gain access to your username and will be allowed to manage files, folders and shares.')); ?></p>
 		<br>
+		<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
 		<button type="submit"><?php p($l->t('Authorize')); ?></button>
 	</form>
 </span>
diff --git a/templates/settings-admin.php b/templates/settings-admin.php
@@ -52,6 +52,7 @@
 					<td id="td-allow-subdomains"><?php if ($client->getAllowSubdomains()) {?> <img alt="" src="/core/img/actions/checkmark.svg"> <?php } ?></td>
                     <td>
                         <form id="form-inline" class="delete" data-confirm="<?php p($l->t('Are you sure you want to delete this item?')); ?>" action="<?php p($_['urlGenerator']->linkToRoute('oauth2.settings.deleteClient', ['id' => $client->getId()])); ?>" method="post">
+							<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
                             <input type="submit" class="button icon-delete" value="">
                         </form>
                     </td>
@@ -67,6 +68,7 @@
         <input id="redirect_uri" name="redirect_uri" type="text" placeholder="<?php p($l->t('Redirection URI')); ?>">
 		<input type="checkbox" class="checkbox" name="allow_subdomains" id="allow_subdomains" value="1"/>
 		<label for="allow_subdomains"><?php p($l->t('Allow subdomains'));?></label>
+		<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
         <input type="submit" class="button" value="<?php p($l->t('Add')); ?>">
     </form>
 </div>
diff --git a/templates/settings-personal.php b/templates/settings-personal.php
@@ -42,7 +42,8 @@
 			<tr>
 				<td><?php p($client->getName()); ?></td>
 				<td>
-					<form id="form-inline" class="delete" data-confirm="<?php p($l->t('Are you sure you want to delete this item?')); ?>" action="<?php p($_['urlGenerator']->linkToRoute('oauth2.settings.revokeAuthorization', ['id' => $client->getId()])); ?>?user_id=<?php p($_['user_id']); ?>" method="post">
+					<form id="form-inline" class="delete" data-confirm="<?php p($l->t('Are you sure you want to delete this item?')); ?>" action="<?php p($_['urlGenerator']->linkToRoute('oauth2.settings.revokeAuthorization', ['id' => $client->getId()])); ?>" method="post">
+						<input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']) ?>" />
 						<input type="submit" class="button icon-delete" value="">
 					</form>
 				</td>