DAV authentication: use Owncloud's internal user instead of HTTP-supplied one

Fixes: #14048, #14104, calendar#712

diff --git a/lib/private/connector/sabre/auth.php b/lib/private/connector/sabre/auth.php
index 533d250d68e2354c4d998fd89530d5c5962d6f72..6f7c429fd38efdc5ed0c9a6e708f0423b7c77b3d 100644 (file)
--- a/lib/private/connector/sabre/auth.php
+++ b/lib/private/connector/sabre/auth.php
@@ -60,8 +60,11 @@ class OC_Connector_Sabre_Auth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
                } else {
                        OC_Util::setUpFS(); //login hooks may need early access to the filesystem
                        if(OC_User::login($username, $password)) {
-                               OC_Util::setUpFS(OC_User::getUser());
-                               \OC::$server->getSession()->set(self::DAV_AUTHENTICATED, $username);
+                               // make sure we use owncloud's internal username here
+                               // and not the HTTP auth supplied one, see issue #14048
+                               $ocUser = OC_User::getUser();
+                               OC_Util::setUpFS($ocUser);
+                               \OC::$server->getSession()->set(self::DAV_AUTHENTICATED, $ocUser);
                                \OC::$server->getSession()->close();
                                return true;
                        } else {