]> source.dussan.org Git - nextcloud-server.git/commitdiff
check the username when doing external storage session auth 38265/head
authorRobin Appelman <robin@icewind.nl>
Thu, 11 May 2023 15:45:16 +0000 (17:45 +0200)
committerRobin Appelman <robin@icewind.nl>
Thu, 11 May 2023 15:47:56 +0000 (17:47 +0200)
Signed-off-by: Robin Appelman <robin@icewind.nl>
apps/files_external/lib/Lib/Auth/Password/SessionCredentials.php

index dbe5a2fdc20165d1c842686bbe40b1d095978c5c..228366db204385e8dfa5835d1e613d73ade91c86 100644 (file)
@@ -30,6 +30,7 @@ use OCA\Files_External\Lib\StorageConfig;
 use OCP\Authentication\Exceptions\CredentialsUnavailableException;
 use OCP\Authentication\LoginCredentials\IStore as CredentialsStore;
 use OCP\Files\Storage;
+use OCP\Files\StorageAuthException;
 use OCP\IL10N;
 use OCP\IUser;
 
@@ -57,6 +58,10 @@ class SessionCredentials extends AuthMechanism {
                        throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
                }
 
+               if ($credentials->getUID() !== $user->getUID()) {
+                       throw new StorageAuthException('Session credentials for storage owner not available');
+               }
+
                $storage->setBackendOption('user', $credentials->getLoginName());
                $storage->setBackendOption('password', $credentials->getPassword());
        }