fix: Ensure to not persist user put into the session for direct editing

Signed-off-by: Julius Härtl <jus@bitgrid.net>
nextcloud · Apr 5, 2023 · f80764a · f80764a
1 parent 8d6853f
commit f80764a
Showing 1 changed file with 25 additions and 5 deletions.
diff --git a/lib/Controller/SessionController.php b/lib/Controller/SessionController.php
@@ -32,6 +32,7 @@
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\Response;
 use OCP\IRequest;
+use OCP\IUser;
 use OCP\IUserManager;
 use OCP\IUserSession;
 
@@ -42,6 +43,9 @@ class SessionController extends Controller {
 	private IUserManager $userManager;
 	private IUserSession $userSession;
 
+	private bool $restoreUser = false;
+	private ?IUser $userToRestore = null;
+
 	public function __construct(string $appName, IRequest $request, ApiService $apiService, SessionService $sessionService, NotificationService $notificationService, IUserManager $userManager, IUserSession $userSession) {
 		parent::__construct($appName, $request);
 		$this->apiService = $apiService;
@@ -79,17 +83,25 @@ public function close(int $documentId, int $sessionId, string $sessionToken): Da
 	 * @PublicPage
 	 */
 	public function push(int $documentId, int $sessionId, string $sessionToken, int $version, array $steps): DataResponse {
-		$this->loginSessionUser($documentId, $sessionId, $sessionToken);
-		return $this->apiService->push($documentId, $sessionId, $sessionToken, $version, $steps);
+		try {
+			$this->loginSessionUser($documentId, $sessionId, $sessionToken);
+			return $this->apiService->push($documentId, $sessionId, $sessionToken, $version, $steps);
+		} finally {
+			$this->restoreSessionUser();
+		}
 	}
 
 	/**
 	 * @NoAdminRequired
 	 * @PublicPage
 	 */
 	public function sync(int $documentId, int $sessionId, string $sessionToken, int $version = 0, string $autosaveContent = null, bool $force = false, bool $manualSave = false): DataResponse {
-		$this->loginSessionUser($documentId, $sessionId, $sessionToken);
-		return $this->apiService->sync($documentId, $sessionId, $sessionToken, $version, $autosaveContent, $force, $manualSave);
+		try {
+			$this->loginSessionUser($documentId, $sessionId, $sessionToken);
+			return $this->apiService->sync($documentId, $sessionId, $sessionToken, $version, $autosaveContent, $force, $manualSave);
+		} finally {
+			$this->restoreSessionUser();
+		}
 	}
 
 	/**
@@ -113,11 +125,19 @@ public function mention(int $documentId, int $sessionId, string $sessionToken, s
 
 	private function loginSessionUser(int $documentId, int $sessionId, string $sessionToken) {
 		$currentSession = $this->sessionService->getSession($documentId, $sessionId, $sessionToken);
-		if ($currentSession !== false) {
+		if ($currentSession !== false && !$this->userSession->isLoggedIn()) {
 			$user = $this->userManager->get($currentSession->getUserId());
 			if ($user !== null) {
+				$this->restoreUser = true;
+				$this->userToRestore = $this->userSession->getUser();
 				$this->userSession->setUser($user);
 			}
 		}
 	}
+
+	private function restoreSessionUser(): void {
+		if ($this->restoreUser) {
+			$this->userSession->setUser($this->userToRestore);
+		}
+	}
 }