fix(xo-web): don't delete other user's auth tokens

Fixes zammad#17276
vatesfr · Sep 1, 2023 · 1046bbd · 1046bbd
1 parent b2a3014
commit 1046bbd
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
@@ -11,6 +11,8 @@
 
 > Users must be able to say: “I had this issue, happy to know it's fixed”
 
+- [User] _Forget all connection tokens_ button should not delete other users' tokens, even when current user is an administrator (PR [#7014](https://github.com/vatesfr/xen-orchestra/pull/7014))
+
 ### Packages to release
 
 > When modifying a package, add it here with its release type.
@@ -28,5 +30,6 @@
 <!--packages-start-->
 
 - xo-server minor
+- xo-web patch
 
 <!--packages-end-->
diff --git a/packages/xo-web/src/common/xo/index.js b/packages/xo-web/src/common/xo/index.js
@@ -2973,7 +2973,7 @@ export const removeUserAuthProvider = ({ userId, authProviderId }) => {
 }
 
 const _signOutFromEverywhereElse = () =>
-  _call('token.delete', {
+  _call('token.deleteOwn', {
     pattern: {
       id: {
         __not: cookies.get('token'),
@@ -3111,7 +3111,7 @@ export const deleteAuthToken = async ({ id }) => {
     icon: 'user',
     title: _('deleteAuthTokenConfirm'),
   })
-  return _call('token.delete', { tokens: [id] })::tap(subscribeUserAuthTokens.forceRefresh)
+  return _call('token.deleteOwn', { tokens: [id] })::tap(subscribeUserAuthTokens.forceRefresh)
 }
 
 export const deleteAuthTokens = async tokens => {
@@ -3122,7 +3122,7 @@ export const deleteAuthTokens = async tokens => {
     icon: 'user',
     title: _('deleteAuthTokensConfirm', { nTokens: tokens.length }),
   })
-  return _call('token.delete', { tokens: tokens.map(token => token.id) })::tap(subscribeUserAuthTokens.forceRefresh)
+  return _call('token.deleteOwn', { tokens: tokens.map(token => token.id) })::tap(subscribeUserAuthTokens.forceRefresh)
 }
 
 export const editAuthToken = ({ description, id }) =>