Merge pull request #25225 from nextcloud/backport/24600/stable20

[stable20] Update handling of user credentials
2021-01-20 14:57:48 +01:00 · 2021-01-20 14:57:48 +01:00 · 1dcfab0d76
parent ae48e26d37 fcdbd4eca3
commit 1dcfab0d76
4 changed files with 24 additions and 4 deletions
--- a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php
+++ b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php
@ -79,6 +79,11 @@ class LoginCredentials extends AuthMechanism {
 			try {
 				$sessionCredentials = $this->credentialsStore->getLoginCredentials();

+				if ($sessionCredentials->getUID() !== $user->getUID()) {
+					// Can't take the credentials from the session as they are not the same user
+					throw new CredentialsUnavailableException();
+				}
+
 				$credentials = [
 					'user' => $sessionCredentials->getLoginName(),
 					'password' => $sessionCredentials->getPassword()
--- a/apps/files_external/lib/Listener/StorePasswordListener.php
+++ b/apps/files_external/lib/Listener/StorePasswordListener.php
@ -51,10 +51,14 @@ class StorePasswordListener implements IEventListener {
 		}

 		$stored = $this->credentialsManager->retrieve($event->getUser()->getUID(), LoginCredentials::CREDENTIALS_IDENTIFIER);
+		$update = isset($stored['password']) && $stored['password'] !== $event->getPassword();
+		if (!$update && $event instanceof UserLoggedInEvent) {
+			$update = isset($stored['user']) && $stored['user'] !== $event->getLoginName();
+		}

-		if ($stored && $stored['password'] !== $event->getPassword()) {
+		if ($stored && $update) {
 			$credentials = [
-				'user' => $stored['user'],
+				'user' => $event->getLoginName(),
 				'password' => $event->getPassword()
 			];

--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@ -569,7 +569,7 @@ class Server extends ServerContainer implements IServerContainer {

 				/** @var IEventDispatcher $dispatcher */
 				$dispatcher = $this->query(IEventDispatcher::class);
-				$dispatcher->dispatchTyped(new UserLoggedInEvent($user, $password, $isTokenLogin));
+				$dispatcher->dispatchTyped(new UserLoggedInEvent($user, $loginName, $password, $isTokenLogin));
 			});
 			$userSession->listen('\OC\User', 'preRememberedLogin', function ($uid) {
 				/** @var IEventDispatcher $dispatcher */
--- a/lib/public/User/Events/UserLoggedInEvent.php
+++ b/lib/public/User/Events/UserLoggedInEvent.php
@ -43,14 +43,18 @@ class UserLoggedInEvent extends Event {
 	/** @var bool */
 	private $isTokenLogin;

+	/** @var string */
+	private $loginName;
+
 	/**
 	 * @since 18.0.0
 	 */
-	public function __construct(IUser $user, string $password, bool $isTokenLogin) {
+	public function __construct(IUser $user, string $loginName, string $password, bool $isTokenLogin) {
 		parent::__construct();
 		$this->user = $user;
 		$this->password = $password;
 		$this->isTokenLogin = $isTokenLogin;
+		$this->loginName = $loginName;
 	}

 	/**
@ -60,6 +64,13 @@ class UserLoggedInEvent extends Event {
 		return $this->user;
 	}

+	/**
+	 * @since 21.0.0
+	 */
+	public function getLoginName(): string {
+		return $this->loginName;
+	}
+
 	/**
 	 * @since 18.0.0
 	 */