author | Julius Härtl <jus@bitgrid.net> | 2022-11-23 13:37:07 +0100 |
committer | Julius Härtl <jus@bitgrid.net> | 2023-02-17 10:18:18 +0100 |
commit | 47bc0248858a0a448f938688b0fea5b506e4dd77 (patch) | |
tree | 51ff8c8ab1aa9726979ac0eedaba5826a4e9d4cf | |
parent | 90d2cb09b1a8f4c5a82955641a0afedddb0a590d (diff) | |
Revert the token scope to not end up with storing the user used in the session
Signed-off-by: Julius Härtl <jus@bitgrid.net>
-rw-r--r-- | apps/files/lib/Controller/DirectEditingViewController.php | 1 | ||||
-rw-r--r-- | lib/private/DirectEditing/Manager.php | 16 | ||||
-rw-r--r-- | tests/lib/DirectEditing/ManagerTest.php | 9 |
3 files changed, 25 insertions, 1 deletions
diff --git a/apps/files/lib/Controller/DirectEditingViewController.php b/apps/files/lib/Controller/DirectEditingViewController.php
index 06bde8d63d7..30d54d5ceb3 100644
--- a/apps/files/lib/Controller/DirectEditingViewController.php
+++ b/apps/files/lib/Controller/DirectEditingViewController.php
@@ -54,6 +54,7 @@ class DirectEditingViewController extends Controller {
 /**
 * @PublicPage
 * @NoCSRFRequired
+ * @UseSession
 *
 * @param string $token
 * @return Response
diff --git a/lib/private/DirectEditing/Manager.php b/lib/private/DirectEditing/Manager.php
index e6efc6d28aa..039944e2491 100644
--- a/lib/private/DirectEditing/Manager.php
+++ b/lib/private/DirectEditing/Manager.php
@@ -59,6 +59,8 @@ class Manager implements IManager {
 private $editors = [];
 /** @var IDBConnection */
 private $connection;
+ /** @var IUserSession */
+ private $userSession;
 /** @var ISecureRandom */
 private $random;
 /** @var string|null */
@@ -80,6 +82,7 @@ class Manager implements IManager {
 ) {
 $this->random = $random;
 $this->connection = $connection;
+ $this->userSession = $userSession;
 $this->userId = $userSession->getUser() ? $userSession->getUser()->getUID() : null;
 $this->rootFolder = $rootFolder;
 $this->l10n = $l10nFactory->get('lib');
@@ -185,7 +188,13 @@ class Manager implements IManager {
 $this->invalidateToken($token);
 return new NotFoundResponse();
 }
- return $editor->open($tokenObject);
+
+ try {
+ $this->invokeTokenScope($tokenObject->getUser());
+ return $editor->open($tokenObject);
+ } finally {
+ $this->revertTokenScope();
+ }
 }
 
 public function editSecure(File $file, string $editorId): TemplateResponse {
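Review bot: The new `@UseSession` annotation sits on a `@PublicPage`/`@NoCSRFRequired` endpoint with nothing in the docblock saying why a token-only request needs the session kept open, which is exactly the kind of line a later cleanup removes. Suggest a docblock line next to it, e.g. `* Session access is needed so the user scope applied for the token can be reverted before the request ends (see Manager).`, so the coupling to the revert is visible at the controller. That the annotation exists for that revert is inferred from the commit message, not from this hunk. The enclosing method starts and ends outside the hunk.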
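Review bot: In the `@@ -185,7 +188,13 @@` hunk the `finally` branch calls `revertTokenScope()`, which (per the `@@ -250,6 +259,11 @@` hunk below) sets the session user to `null` and incognito mode to `false` unconditionally instead of restoring whatever was active before `invokeTokenScope()` ran, so a request that already had a session user — the constructor does read one via `$userSession->getUser()` — finishes with no user for the rest of the request. If a pre-existing session user is possible on this path, capture it before the `try` and restore it after the revert: `$previousUser = $this->userSession->getUser();` … `$this->revertTokenScope(); $this->userSession->setUser($previousUser);`. If it is not possible, a one-line comment on the `finally` branch stating that this endpoint never carries a session user before the token scope is applied would make that invariant explicit. The `try`/`finally` shape itself is right, since the revert also runs when `invokeTokenScope()` or `open()` throws. The enclosing method starts outside the hunk.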
@@ -250,6 +259,11 @@ class Manager implements IManager {
 \OC_User::setUserId($userId);
 }
 
+ public function revertTokenScope(): void {
+ $this->userSession->setUser(null);
+ \OC_User::setIncognitoMode(false);
+ }
+
 public function createToken($editorId, File $file, string $filePath, IShare $share = null): string {
 $token = $this->random->generate(64, ISecureRandom::CHAR_HUMAN_READABLE);
 $query = $this->connection->getQueryBuilder();
diff --git a/tests/lib/DirectEditing/ManagerTest.php b/tests/lib/DirectEditing/ManagerTest.php
index e19c44b1a06..7a2f2e3d772 100644
--- a/tests/lib/DirectEditing/ManagerTest.php
+++ b/tests/lib/DirectEditing/ManagerTest.php
@@ -15,6 +15,7 @@ use OCP\Files\Folder;
 use OCP\Files\IRootFolder;
 use OCP\IDBConnection;
 use OCP\IL10N;
+use OCP\IUser;
 use OCP\IUserSession;
 use OCP\L10N\IFactory;
 use OCP\Security\ISecureRandom;
@@ -137,6 +138,14 @@ class ManagerTest extends TestCase {
 ->method('getUserFolder')
 ->willReturn($this->userFolder);
 
+ $user = $this->createMock(IUser::class);
+ $user->expects(self::any())
+ ->method('getUID')
+ ->willReturn('admin');
+ $this->userSession->expects(self::any())
+ ->method('getUser')
+ ->willReturn($user);
+
 $this->manager = new Manager(
 $this->random, $this->connection, $this->userSession, $this->rootFolder, $l10nFactory, $this->encryptionManager
 );
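Review bot: `revertTokenScope()` is added as a new public method with no docblock, so nothing records that it is the counterpart of `invokeTokenScope()` or that its purpose is to keep the user taken from a direct-editing token out of the persisted session (the reason the commit message gives). Suggest a docblock above it such as `/** Undo invokeTokenScope(): clear the session user and leave incognito mode so the user resolved from a direct-editing token is not written to the session. Called from a finally block once the editor has been opened. */`. If `IManager` does not declare the method, `private` or `protected` would keep it off the public surface; whether the interface requires it is not visible here.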
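Review bot: In the `@@ -137,6 +138,14 @@` hunk the `$this->userSession` mock now stubs `getUser()`, but nothing added here asserts that the scope is reverted afterwards, so a regression that drops the `finally` branch in `Manager` would still pass. In the test that exercises the token-open path, expecting the revert — `$this->userSession->expects(self::once())->method('setUser')->with(null);` — would pin the behaviour this commit introduces. Which test covers that path is outside this hunk, and `setUp()` continues past it as well.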