Revert the token scope to not end up with storing the user used in th…

…e session Signed-off-by: Julius Härtl <jus@bitgrid.net>
summersab · Jun 26, 2023 · 1372ec9 · 1372ec9
1 parent 17336d8
commit 1372ec9
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/apps/files/lib/Controller/DirectEditingViewController.php b/apps/files/lib/Controller/DirectEditingViewController.php
@@ -54,6 +54,7 @@ public function __construct($appName, IRequest $request, IEventDispatcher $event
 	/**
 	 * @PublicPage
 	 * @NoCSRFRequired
+	 * @UseSession
 	 *
 	 * @param string $token
 	 * @return Response

diff --git a/lib/private/DirectEditing/Manager.php b/lib/private/DirectEditing/Manager.php
@@ -59,6 +59,8 @@ class Manager implements IManager {
 	private $editors = [];
 	/** @var IDBConnection */
 	private $connection;
+	/** @var IUserSession */
+	private $userSession;
 	/** @var ISecureRandom */
 	private $random;
 	/** @var string|null */
@@ -80,6 +82,7 @@ public function __construct(
 	) {
 		$this->random = $random;
 		$this->connection = $connection;
+		$this->userSession = $userSession;
 		$this->userId = $userSession->getUser() ? $userSession->getUser()->getUID() : null;
 		$this->rootFolder = $rootFolder;
 		$this->l10n = $l10nFactory->get('lib');
@@ -185,7 +188,13 @@ public function edit(string $token): Response {
 			$this->invalidateToken($token);
 			return new NotFoundResponse();
 		}
-		return $editor->open($tokenObject);
+
+		try {
+			$this->invokeTokenScope($tokenObject->getUser());
+			return $editor->open($tokenObject);
+		} finally {
+			$this->revertTokenScope();
+		}
 	}
 
 	public function editSecure(File $file, string $editorId): TemplateResponse {
@@ -250,6 +259,11 @@ public function invokeTokenScope($userId): void {
 		\OC_User::setUserId($userId);
 	}
 
+	public function revertTokenScope(): void {
+		$this->userSession->setUser(null);
+		\OC_User::setIncognitoMode(false);
+	}
+
 	public function createToken($editorId, File $file, string $filePath, IShare $share = null): string {
 		$token = $this->random->generate(64, ISecureRandom::CHAR_HUMAN_READABLE);
 		$query = $this->connection->getQueryBuilder();

diff --git a/tests/lib/DirectEditing/ManagerTest.php b/tests/lib/DirectEditing/ManagerTest.php
@@ -15,6 +15,7 @@
 use OCP\Files\IRootFolder;
 use OCP\IDBConnection;
 use OCP\IL10N;
+use OCP\IUser;
 use OCP\IUserSession;
 use OCP\L10N\IFactory;
 use OCP\Security\ISecureRandom;
@@ -137,6 +138,14 @@ protected function setUp(): void {
 			->method('getUserFolder')
 			->willReturn($this->userFolder);
 
+		$user = $this->createMock(IUser::class);
+		$user->expects(self::any())
+			->method('getUID')
+			->willReturn('admin');
+		$this->userSession->expects(self::any())
+			->method('getUser')
+			->willReturn($user);
+
 		$this->manager = new Manager(
 			$this->random, $this->connection, $this->userSession, $this->rootFolder, $l10nFactory, $this->encryptionManager
 		);