From 05d55c871122e6c500ac6e84520e0ff767c2f22c Mon Sep 17 00:00:00 2001
From: Amitai Burstein
Date: Thu, 6 Apr 2017 11:58:24 +0300
Subject: [PATCH] Prevent access token for anonymous users

Safe guard against calling the handler programmatically with an anonymous user
---
 .../1.0/RestfulAccessTokenAuthentication.class.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/restful_token_auth/plugins/restful/restful_token_auth/token_auth/access_token/1.0/RestfulAccessTokenAuthentication.class.php b/modules/restful_token_auth/plugins/restful/restful_token_auth/token_auth/access_token/1.0/RestfulAccessTokenAuthentication.class.php
index cbe50119..bb3690a6 100644
--- a/modules/restful_token_auth/plugins/restful/restful_token_auth/token_auth/access_token/1.0/RestfulAccessTokenAuthentication.class.php
+++ b/modules/restful_token_auth/plugins/restful/restful_token_auth/token_auth/access_token/1.0/RestfulAccessTokenAuthentication.class.php
@@ -25,6 +25,13 @@ public static function controllersInfo() {
 public function getOrCreateToken() {
 $entity_type = $this->getEntityType();
 $account = $this->getAccount();
+
+ if (!$account->uid) {
+ // If this handler was called programmatically we want to make sure the
+ // account is of an authenticated user.
+ throw new RestfulBadRequestException('Only authenticated users can have an access token.');
+ }
+
 // Check if there is a token that did not expire yet.
 $query = new EntityFieldQuery();
 $result = $query