Fix permission on delete token

htdocs/core/modules/oauth/generic_oauthcallback.php

@@ -156,7 +156,8 @@ if (!getDolGlobalString($keyforparamsecret)) {
  * Actions
  */
 
-if ($action == 'delete') {
+if ($action == 'delete' && (!empty($user->admin) || $user->id == GETPOSTINT('userid'))) {
+	$storage->userid = GETPOSTINT('userid');
 	$storage->clearToken($genericstring);
 
 	setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');

htdocs/core/modules/oauth/github_oauthcallback.php

@@ -107,7 +107,8 @@ if (!getDolGlobalString($keyforparamsecret)) {
  * Actions
  */
 
-if ($action == 'delete') {
+if ($action == 'delete' && (!empty($user->admin) || $user->id == GETPOSTINT('userid'))) {
+	$storage->userid = GETPOSTINT('userid');
 	$storage->clearToken('GitHub');
 
 	setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');

htdocs/core/modules/oauth/google_oauthcallback.php

@@ -144,7 +144,8 @@ if (!getDolGlobalString($keyforparamsecret)) {
  * Actions
  */
 
-if ($action == 'delete') {
+if ($action == 'delete' && (!empty($user->admin) || $user->id == GETPOSTINT('userid'))) {
+	$storage->userid = GETPOSTINT('userid');
 	$storage->clearToken('Google');
 
 	setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');

htdocs/core/modules/oauth/microsoft2_oauthcallback.php

@@ -130,7 +130,8 @@ if (!getDolGlobalString($keyforparamsecret)) {
  * Actions
  */
 
-if ($action == 'delete') {
+if ($action == 'delete' && (!empty($user->admin) || $user->id == GETPOSTINT('userid'))) {
+	$storage->userid = GETPOSTINT('userid');
 	$storage->clearToken($genericstring);
 
 	setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');

htdocs/core/modules/oauth/microsoft_oauthcallback.php

@@ -130,7 +130,8 @@ if (!getDolGlobalString($keyforparamsecret)) {
  * Actions
  */
 
-if ($action == 'delete') {
+if ($action == 'delete' && (!empty($user->admin) || $user->id == GETPOSTINT('userid'))) {
+	$storage->userid = GETPOSTINT('userid');
 	$storage->clearToken($genericstring);
 
 	setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');

htdocs/core/modules/oauth/stripelive_oauthcallback.php

@@ -110,8 +110,8 @@ if (!getDolGlobalString($keyforparamsecret)) {
  * Actions
  */
 
-
-if ($action == 'delete') {
+if ($action == 'delete' && (!empty($user->admin) || $user->id == GETPOSTINT('userid'))) {
+	$storage->userid = GETPOSTINT('userid');
 	$storage->clearToken('StripeLive');
 
 	setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');

htdocs/core/modules/oauth/stripetest_oauthcallback.php

@@ -110,8 +110,8 @@ if (!getDolGlobalString($keyforparamsecret)) {
  * Actions
  */
 
-
-if ($action == 'delete') {
+if ($action == 'delete' && (!empty($user->admin) || $user->id == GETPOSTINT('userid'))) {
+	$storage->userid = GETPOSTINT('userid');
 	$storage->clearToken('StripeTest');
 
 	setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');

htdocs/includes/OAuth/Common/Storage/DoliStorage.php

@@ -65,6 +65,8 @@ class DoliStorage implements TokenStorageInterface
 	public $date_creation;
 	public $date_modification;
 
+	public $userid;		// ID of user for user specific OAuth entries
+
 
 	/**
 	 * @param 	DoliDB 	$db					Database handler
@@ -226,6 +228,9 @@ class DoliStorage implements TokenStorageInterface
 		$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token";
 		$sql .= " WHERE service = '".$this->db->escape($servicepluskeyforprovider)."'";
 		$sql .= " AND entity IN (".getEntity('oauth_token').")";
+		if (!empty($this->userid)) {
+			$sql .= " AND fk_user = ".((int) $this->userid);
+		}
 		$resql = $this->db->query($sql);
 		//}
 

test/phpunit/CodingPhpTest.php

@@ -653,6 +653,7 @@ class CodingPhpTest extends CommonClassTest
 					&& !preg_match('/\$permto/', $val[0])
 					&& !preg_match('/\$usercan/', $val[0])
 					&& !preg_match('/\$canedit/', $val[0])
+					&& !preg_match('/\$user->admin/', $val[0])
 					&& !preg_match('/already done/i', $val[0])
 					&& !preg_match('/not required/i', $val[0])) {
 						$ok = false;