From 1372ec9971526fbb3cf1dbbd35fcf54566bd2a08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Wed, 23 Nov 2022 13:37:07 +0100
Subject: [PATCH] Revert the token scope to not end up with storing the user used in the session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 .../Controller/DirectEditingViewController.php | 1 +
 lib/private/DirectEditing/Manager.php | 16 +++++++++++++++-
 tests/lib/DirectEditing/ManagerTest.php | 9 +++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/apps/files/lib/Controller/DirectEditingViewController.php b/apps/files/lib/Controller/DirectEditingViewController.php
index 06bde8d63d799..30d54d5ceb366 100644
--- a/apps/files/lib/Controller/DirectEditingViewController.php
+++ b/apps/files/lib/Controller/DirectEditingViewController.php
@@ -54,6 +54,7 @@ public function __construct($appName, IRequest $request, IEventDispatcher $event
 /**
 * @PublicPage
 * @NoCSRFRequired
+ * @UseSession
 *
 * @param string $token
 * @return Response
diff --git a/lib/private/DirectEditing/Manager.php b/lib/private/DirectEditing/Manager.php
index e6efc6d28aaee..039944e2491a0 100644
--- a/lib/private/DirectEditing/Manager.php
+++ b/lib/private/DirectEditing/Manager.php
@@ -59,6 +59,8 @@ class Manager implements IManager {
 private $editors = [];
 /** @var IDBConnection */
 private $connection;
+ /** @var IUserSession */
+ private $userSession;
 /** @var ISecureRandom */
 private $random;
 /** @var string|null */
@@ -80,6 +82,7 @@ public function __construct(
 ) {
 $this->random = $random;
 $this->connection = $connection;
+ $this->userSession = $userSession;
 $this->userId = $userSession->getUser() ? $userSession->getUser()->getUID() : null;
 $this->rootFolder = $rootFolder;
 $this->l10n = $l10nFactory->get('lib');
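Review bot: `@UseSession` on a handler that is also `@PublicPage` and `@NoCSRFRequired` needs a why-comment, because it keeps the PHP session writable for an unauthenticated, token-addressed GET, so anything the direct-editing manager puts into the session while opening the token persists across requests unless it is undone on every exit path. Presumably the annotation exists so that the user switch done for the token can be cleared again before the request ends; if that is the reason, state it next to the annotation: ` * @UseSession - session must stay writable so the user set for the token can be reverted again (Manager::revertTokenScope)`. The enclosing method's signature is outside this hunk.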
@@ -185,7 +188,13 @@ public function edit(string $token): Response {
 $this->invalidateToken($token);
 return new NotFoundResponse();
 }
- return $editor->open($tokenObject);
+
+ try {
+ $this->invokeTokenScope($tokenObject->getUser());
+ return $editor->open($tokenObject);
+ } finally {
+ $this->revertTokenScope();
+ }
 }
 public function editSecure(File $file, string $editorId): TemplateResponse {
@@ -250,6 +259,11 @@ public function invokeTokenScope($userId): void {
 \OC_User::setUserId($userId);
 }
+ public function revertTokenScope(): void {
+ $this->userSession->setUser(null);
+ \OC_User::setIncognitoMode(false);
+ }
+
 public function createToken($editorId, File $file, string $filePath, IShare $share = null): string {
 $token = $this->random->generate(64, ISecureRandom::CHAR_HUMAN_READABLE);
 $query = $this->connection->getQueryBuilder();
diff --git a/tests/lib/DirectEditing/ManagerTest.php b/tests/lib/DirectEditing/ManagerTest.php
index e19c44b1a06cc..7a2f2e3d772f9 100644
--- a/tests/lib/DirectEditing/ManagerTest.php
+++ b/tests/lib/DirectEditing/ManagerTest.php
@@ -15,6 +15,7 @@
 use OCP\Files\IRootFolder;
 use OCP\IDBConnection;
 use OCP\IL10N;
+use OCP\IUser;
 use OCP\IUserSession;
 use OCP\L10N\IFactory;
 use OCP\Security\ISecureRandom;
@@ -137,6 +138,14 @@ protected function setUp(): void {
 ->method('getUserFolder')
 ->willReturn($this->userFolder);
+ $user = $this->createMock(IUser::class);
+ $user->expects(self::any())
+ ->method('getUID')
+ ->willReturn('admin');
+ $this->userSession->expects(self::any())
+ ->method('getUser')
+ ->willReturn($user);
+
 $this->manager = new Manager(
 $this->random, $this->connection, $this->userSession, $this->rootFolder, $l10nFactory, $this->encryptionManager
 );
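Review bot: The `finally` branch calls `revertTokenScope()` unconditionally, and the new `revertTokenScope()` in this same file does `setUser(null)`, so a user who is already logged in when they follow a direct-editing link ends the request with their session user removed rather than restored - and with `@UseSession` now on the controller that removal is written back to the session. Capture the session user before switching and put it back afterwards: `$previousUser = $this->userSession->getUser();` ahead of the `try`, and in `finally` `$this->revertTokenScope(); if ($previousUser !== null) { $this->userSession->setUser($previousUser); }`. `edit()` starts before this hunk, and `invokeTokenScope()` is only partly visible, so whether it changes more than the session user cannot be confirmed from here.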
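Review bot: `revertTokenScope()` is a new public method without a docblock, and it is not the mirror image of what `invokeTokenScope()` is shown doing: the visible tail of that method calls `\OC_User::setUserId($userId)`, while the revert only calls `IUserSession::setUser(null)` and `\OC_User::setIncognitoMode(false)`. If `\OC_User::setUserId()` keeps any state that `setUser(null)` does not clear, the token user survives the revert - confirm against `OC_User` and, if so, reset that state here explicitly too. At minimum document the contract so the pairing is not lost: `/** Undo invokeTokenScope(): drop the user injected for the token and reset incognito mode. Callers must run this on every exit path (edit() does so in finally). */`.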
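Review bot: The new stubs make `$this->userSession->getUser()` return an `admin` user, but nothing in the patch asserts that the token scope is reverted - the diffstat accounts for all nine test additions between this hunk and the import hunk - so a regression that drops the `finally` in `edit()` would still pass. In the test that exercises `edit()` with a valid token, pin the revert with `$this->userSession->expects(self::once())->method('setUser')->with(null);`. `setUp()` begins before this hunk.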