From 76367c5c38c59404a6a99ff4b5b489fa4c39373d Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Thu, 17 Dec 2020 11:46:57 +0100 Subject: [PATCH] Don't save credentials of another user Signed-off-by: Joas Schilling --- .../lib/Lib/Auth/Password/LoginCredentials.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php index 6bf6b61f16..b8279f5ca6 100644 --- a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php +++ b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php @@ -79,6 +79,11 @@ class LoginCredentials extends AuthMechanism { try { $sessionCredentials = $this->credentialsStore->getLoginCredentials(); + if ($sessionCredentials->getUID() !== $user->getUID()) { + // Can't take the credentials from the session as they are not the same user + throw new CredentialsUnavailableException(); + } + $credentials = [ 'user' => $sessionCredentials->getLoginName(), 'password' => $sessionCredentials->getPassword()