From 02f6fa9b0aac5c0c1757fdf6b85b11c8e5d13729 Mon Sep 17 00:00:00 2001
From: Jared Tabor
Date: Wed, 11 Jul 2018 17:32:56 -0700
Subject: [PATCH] Prevents the user from adding a token for a user other than themselves

It's possible to maninpulate the URL to get to the add-token screen for a different user, which gives the user the idea that they could possibly add a token for that user, which is not allowed.
---
 .../users/tokens/users-tokens-add.route.js | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/awx/ui/client/features/users/tokens/users-tokens-add.route.js b/awx/ui/client/features/users/tokens/users-tokens-add.route.js
index e8619b892c..fe9548b79a 100644
--- a/awx/ui/client/features/users/tokens/users-tokens-add.route.js
+++ b/awx/ui/client/features/users/tokens/users-tokens-add.route.js
@@ -16,6 +16,21 @@ TokensDetailResolve.$inject = [
 'ApplicationModel'
 ];
 
+function isMeResolve ($rootScope, $stateParams, $state) {
+ // The user should not be able to add tokens for users other than
+ // themselves. Adding this redirect so that a user is not able to
+ // visit the add-token URL directly for a different user.
+ if (_.has($stateParams, 'user_id') && Number($stateParams.user_id) !== $rootScope.current_user.id) {
+ $state.go('users');
+ }
+}
+
+isMeResolve.$inject = [
+ '$rootScope',
+ '$stateParams',
+ '$state'
+];
+
 export default {
 url: '/add-token',
 name: 'users.edit.tokens.add',
@@ -37,6 +52,7 @@ export default {
 }
 },
 resolve: {
- resolvedModels: TokensDetailResolve
+ resolvedModels: TokensDetailResolve,
+ isMe: isMeResolve
 }
 };
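Review bot: isMeResolve calls `$state.go('users')` for a mismatched user_id but then returns normally, so the resolve still succeeds and the original transition into `users.edit.tokens.add` is not itself rejected; whether the redirect wins the race against the add view rendering depends on ui-router's transition superseding, which this hunk does not make explicit. Rejecting the resolve makes the guard deterministic: inject `$q`, and after the redirect add `return $q.reject(new Error('Cannot add tokens for another user'));` with `'$q'` appended to `isMeResolve.$inject`. The check also dereferences `$rootScope.current_user.id` unguarded, so a missing `current_user` (not yet loaded, or a stale session) throws a TypeError rather than redirecting — presumably the parent state guarantees it, but a `$rootScope.current_user && ...` guard or a comment stating that invariant would help. As a client-side resolve this is a UX guard only; the comment should say so, e.g. `// UX guard only: the API enforces that tokens can only be created for the current user`, which is consistent with the commit message's "not allowed" but not visible in the hunk. The `export default` state object continues outside the first hunk and closes in the second.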