From 47bc0248858a0a448f938688b0fea5b506e4dd77 Mon Sep 17 00:00:00 2001
From: Julius Härtl
Date: Wed, 23 Nov 2022 13:37:07 +0100
Subject: Revert the token scope to not end up with storing the user used in the session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl
---
 lib/private/DirectEditing/Manager.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'lib/private/DirectEditing')
diff --git a/lib/private/DirectEditing/Manager.php b/lib/private/DirectEditing/Manager.php
index e6efc6d28aa..039944e2491 100644
--- a/lib/private/DirectEditing/Manager.php
+++ b/lib/private/DirectEditing/Manager.php
@@ -59,6 +59,8 @@ class Manager implements IManager {
 private $editors = [];
 /** @var IDBConnection */
 private $connection;
+ /** @var IUserSession */
+ private $userSession;
 /** @var ISecureRandom */
 private $random;
 /** @var string|null */
@@ -80,6 +82,7 @@ class Manager implements IManager {
 ) {
 $this->random = $random;
 $this->connection = $connection;
+ $this->userSession = $userSession;
 $this->userId = $userSession->getUser() ? $userSession->getUser()->getUID() : null;
 $this->rootFolder = $rootFolder;
 $this->l10n = $l10nFactory->get('lib');
@@ -185,7 +188,13 @@ class Manager implements IManager {
 $this->invalidateToken($token);
 return new NotFoundResponse();
 }
- return $editor->open($tokenObject);
+
+ try {
+ $this->invokeTokenScope($tokenObject->getUser());
+ return $editor->open($tokenObject);
+ } finally {
+ $this->revertTokenScope();
+ }
 }

 public function editSecure(File $file, string $editorId): TemplateResponse {
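Review bot: The `finally` added around `$editor->open($tokenObject)` always leaves the request with no session user, because `revertTokenScope()` (added in the following hunk) calls `setUser(null)` and `setIncognitoMode(false)` instead of restoring what was in place before `invokeTokenScope()` ran. If this path can be reached by a request that already carries an authenticated session or had incognito mode enabled, that state is lost once the editor returns. Capturing it first, with `$previousUser = $this->userSession->getUser();` before the `try` and `$this->userSession->setUser($previousUser);` in the `finally`, would make the revert a true restore. Other callers of `invokeTokenScope()` lie outside this hunk and may need the same pairing, otherwise the token's user could still remain in the session on those paths. The enclosing method starts above the hunk.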
@@ -250,6 +259,11 @@ class Manager implements IManager {
 \OC_User::setUserId($userId);
 }

+ public function revertTokenScope(): void {
+ $this->userSession->setUser(null);
+ \OC_User::setIncognitoMode(false);
+ }
+
 public function createToken($editorId, File $file, string $filePath, IShare $share = null): string {
 $token = $this->random->generate(64, ISecureRandom::CHAR_HUMAN_READABLE);
 $query = $this->connection->getQueryBuilder();
-- cgit v1.2.3
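Review bot: `revertTokenScope()` is added as `public` with no docblock, although it clears the session user for whoever calls it. A short docblock such as `/** Clears the session user and incognito mode set by invokeTokenScope(); must run after every token-scoped call. */` would make the required pairing explicit. The only caller visible in this patch is inside the same class, so if nothing else needs it, `private function revertTokenScope(): void` would keep the session reset out of the class's public surface. Whether `IManager` declares the method is not visible here.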