From d19e79ecc956e5ba7ed6b6fd37e80ec6a737b048 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Tue, 24 Mar 2015 15:33:48 +0000
Subject: [PATCH] Make deleting other access tokens when you change your
 password actually work

---
 synapse/rest/client/v2_alpha/password.py |  5 ++++-
 synapse/storage/registration.py          | 16 +++++++++++-----
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/synapse/rest/client/v2_alpha/password.py b/synapse/rest/client/v2_alpha/password.py
index 1277532110..85954c71cd 100644
--- a/synapse/rest/client/v2_alpha/password.py
+++ b/synapse/rest/client/v2_alpha/password.py
@@ -65,12 +65,15 @@ class PasswordRestServlet(RestServlet):
             raise SynapseError(400, "", Codes.MISSING_PARAM)
         new_password = body['new_password']
 
-        self.login_handler.set_password(
+        yield self.login_handler.set_password(
             user_id, new_password, client.token_id
         )
 
         defer.returnValue((200, {}))
 
+    def on_OPTIONS(self, _):
+        return 200, {}
+
 
 def register_servlets(hs, http_server):
     PasswordRestServlet(hs).register(http_server)
diff --git a/synapse/storage/registration.py b/synapse/storage/registration.py
index 7e60dc3951..0364d10858 100644
--- a/synapse/storage/registration.py
+++ b/synapse/storage/registration.py
@@ -89,35 +89,41 @@ class RegistrationStore(SQLBaseStore):
                     "VALUES (?,?)", [txn.lastrowid, token])
 
     def get_user_by_id(self, user_id):
-        query = ("SELECT users.name, users.password_hash FROM users"
+        query = ("SELECT users.id, users.name, users.password_hash FROM users"
                  " WHERE users.name = ?")
         return self._execute(
             "get_user_by_id", self.cursor_to_dict, query, user_id
         )
 
+    @defer.inlineCallbacks
     def user_set_password_hash(self, user_id, password_hash):
         """
         NB. This does *not* evict any cache because the one use for this
             removes most of the entries subsequently anyway so it would be
             pointless. Use flush_user separately.
         """
-        return self._simple_update_one('users', {
+        yield self._simple_update_one('users', {
             'name': user_id
         }, {
             'password_hash': password_hash
         })
 
+    @defer.inlineCallbacks
     def user_delete_access_tokens_apart_from(self, user_id, token_id):
-        return self._execute(
+        rows = yield self.get_user_by_id(user_id)
+        if len(rows) == 0:
+            raise Exception("No such user!")
+
+        yield self._execute(
             "delete_access_tokens_apart_from", None,
             "DELETE FROM access_tokens WHERE user_id = ? AND id != ?",
-            user_id, token_id
+            rows[0]['id'], token_id
         )
 
     @defer.inlineCallbacks
     def flush_user(self, user_id):
         rows = yield self._execute(
-            'user_delete_access_tokens_apart_from', None,
+            'flush_user', None,
             "SELECT token FROM access_tokens WHERE user_id = ?",
             user_id
         )