From da9e310691a3addddd1b4b673f86e8fee5d221bc Mon Sep 17 00:00:00 2001
From: Robin Appelman <robin@icewind.nl>
Date: Thu, 11 May 2023 17:45:16 +0200
Subject: [PATCH] check the username when doing external storage session auth

Signed-off-by: Robin Appelman <robin@icewind.nl>
---
 .../lib/Lib/Auth/Password/SessionCredentials.php             | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/files_external/lib/Lib/Auth/Password/SessionCredentials.php b/apps/files_external/lib/Lib/Auth/Password/SessionCredentials.php
index dbe5a2fdc20..228366db204 100644
--- a/apps/files_external/lib/Lib/Auth/Password/SessionCredentials.php
+++ b/apps/files_external/lib/Lib/Auth/Password/SessionCredentials.php
@@ -30,6 +30,7 @@ use OCA\Files_External\Lib\StorageConfig;
 use OCP\Authentication\Exceptions\CredentialsUnavailableException;
 use OCP\Authentication\LoginCredentials\IStore as CredentialsStore;
 use OCP\Files\Storage;
+use OCP\Files\StorageAuthException;
 use OCP\IL10N;
 use OCP\IUser;
 
@@ -57,6 +58,10 @@ class SessionCredentials extends AuthMechanism {
 			throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
 		}
 
+		if ($credentials->getUID() !== $user->getUID()) {
+			throw new StorageAuthException('Session credentials for storage owner not available');
+		}
+
 		$storage->setBackendOption('user', $credentials->getLoginName());
 		$storage->setBackendOption('password', $credentials->getPassword());
 	}
-- 
2.39.5