From f48c843bea10e77fd5704b47b85d4488f1b12b27 Mon Sep 17 00:00:00 2001 From: Steven Nguyen <1477010+stnguyen90@users.noreply.github.com> Date: Sat, 11 Jan 2025 17:56:36 +0000 Subject: [PATCH] fix(users): ensure user can delete session The session document created by users.createSession() was missing delete permissions for the user so when the user tried to delete it, they got a 401 error. This PR ensure the permissions are added just like if the document was created from the Account API so that the user has access to delete the document. --- app/controllers/api/users.php | 6 ++++++ tests/e2e/Services/Users/UsersBase.php | 8 ++++++++ 2 files changed, 14 insertions(+) diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php index bdb24572eb..9fe7f433c9 100644 --- a/app/controllers/api/users.php +++ b/app/controllers/api/users.php @@ -1814,6 +1814,12 @@ App::post('/v1/users/:userId/sessions') $detector->getDevice() )); + $session->setAttribute('$permissions', [ + Permission::read(Role::user($user->getId())), + Permission::update(Role::user($user->getId())), + Permission::delete(Role::user($user->getId())), + ]); + $countryName = $locale->getText('countries.' . strtolower($session->getAttribute('countryCode')), $locale->getText('locale.country.unknown')); $session = $dbForProject->createDocument('sessions', $session); diff --git a/tests/e2e/Services/Users/UsersBase.php b/tests/e2e/Services/Users/UsersBase.php index bbf9a5e2df..04e0eb5bc3 100644 --- a/tests/e2e/Services/Users/UsersBase.php +++ b/tests/e2e/Services/Users/UsersBase.php @@ -318,6 +318,14 @@ trait UsersBase ]); $this->assertEquals(200, $response['headers']['status-code']); + + $response = $this->client->call(Client::METHOD_DELETE, '/account/sessions/current', [ + 'content-type' => 'application/json', + 'x-appwrite-project' => $this->getProject()['$id'], + 'x-appwrite-session' => $session['secret'] + ]); + + $this->assertEquals(204, $response['headers']['status-code']); }
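Review bot: The permission list is a hand copy of what the Account API sets on its session documents (the commit message relies on that parity), and nothing in the hunk ties the two together, so the same drift that produced this 401 can recur the next time either path changes. I would hoist the role and record the coupling: `$userRole = Role::user($user->getId());` then `Permission::read($userRole), Permission::update($userRole), Permission::delete($userRole)`, preceded by `// Must match the permissions the Account API sets on session documents; without delete on its own session the user gets a 401 from DELETE /account/sessions/*` — presumably that counterpart lives in account.php, so verify the exact set there (in particular whether `update` is granted) rather than trusting this copy. Note also that `setAttribute('$permissions', ...)` overwrites rather than extends, which is only safe if nothing earlier in the handler sets permissions on `$session`; the route handler starts and ends outside this hunk.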
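Review bot: The added check covers only the positive case — the session's own secret can delete it — and not the boundary the permission change introduces, so a regression that widens the grant (say to `Role::users()` or `Role::any()`) would still pass this test. I would add a negative case before the existing delete: attempt `DELETE /account/sessions/{$session['$id']}` with a session secret belonging to a different user and assert the route rejects it (assuming `$session` carries the document `$id` alongside `secret`), then keep the existing 204 with the session's own secret. The exact rejection code depends on how the route resolves the session (404 if it only searches the caller's own sessions, 401 if auth fails first), so pin whichever the route actually returns once confirmed rather than the loose range sketched below. It would also be worth a follow-up call with the now-deleted secret (e.g. `GET /account`) asserting `401`, which proves the session was invalidated and not merely the document removed. The enclosing test method starts outside this hunk, so the second user's session would need to be created there, e.g. via `users.createSession` on another fixture user.
```php
// … unchanged: users.createSession call and the 200 assertion …

// Negative case: another user's session must not be able to delete this one.
$response = $this->client->call(Client::METHOD_DELETE, '/account/sessions/' . $session['$id'], [
    'content-type' => 'application/json',
    'x-appwrite-project' => $this->getProject()['$id'],
    'x-appwrite-session' => $otherUserSession['secret'], // created earlier in the test for a second user
]);
$this->assertContains($response['headers']['status-code'], [401, 404]); // TODO pin to the code the route actually returns

// … unchanged: DELETE /account/sessions/current with $session['secret'] and the 204 assertion …

// The deleted session must no longer authenticate.
$response = $this->client->call(Client::METHOD_GET, '/account', [
    'content-type' => 'application/json',
    'x-appwrite-project' => $this->getProject()['$id'],
    'x-appwrite-session' => $session['secret'],
]);
$this->assertEquals(401, $response['headers']['status-code']);
```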