From 1aa9c9164d73be7aabb5a2ff18e8999c55e33a48 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 9 Nov 2020 17:33:05 +0100
Subject: [PATCH] Fix comparing the empty string for global credentials

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 lib/private/DB/Connection.php               | 16 +++++++++++-----
 lib/private/Security/CredentialsManager.php | 21 +++++++++++++++------
 2 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/lib/private/DB/Connection.php b/lib/private/DB/Connection.php
index 6835226357f..0ea71637943 100644
--- a/lib/private/DB/Connection.php
+++ b/lib/private/DB/Connection.php
@@ -332,11 +332,17 @@ class Connection extends ReconnectWrapper implements IDBConnection {
 			$where = $updateQb->expr()->andX();
 			$whereValues = array_merge($keys, $updatePreconditionValues);
 			foreach ($whereValues as $name => $value) {
-				$where->add($updateQb->expr()->eq(
-					$name,
-					$updateQb->createNamedParameter($value, $this->getType($value)),
-					$this->getType($value)
-				));
+				if ($value === '') {
+					$where->add($updateQb->expr()->emptyString(
+						$name
+					));
+				} else {
+					$where->add($updateQb->expr()->eq(
+						$name,
+						$updateQb->createNamedParameter($value, $this->getType($value)),
+						$this->getType($value)
+					));
+				}
 			}
 			$updateQb->where($where);
 			$affected = $updateQb->execute();
diff --git a/lib/private/Security/CredentialsManager.php b/lib/private/Security/CredentialsManager.php
index a40a7e1d88e..20af25ae10f 100644
--- a/lib/private/Security/CredentialsManager.php
+++ b/lib/private/Security/CredentialsManager.php
@@ -81,9 +81,13 @@ class CredentialsManager implements ICredentialsManager {
 		$qb = $this->dbConnection->getQueryBuilder();
 		$qb->select('credentials')
 			->from(self::DB_TABLE)
-			->where($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId)))
-			->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier)))
-		;
+			->where($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier)));
+
+		if ($userId === '') {
+			$qb->andWhere($qb->expr()->emptyString('user'));
+		} else {
+			$qb->andWhere($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId)));
+		}
 
 		$qResult = $qb->execute();
 		$result = $qResult->fetch();
@@ -107,9 +111,14 @@ class CredentialsManager implements ICredentialsManager {
 	public function delete($userId, $identifier) {
 		$qb = $this->dbConnection->getQueryBuilder();
 		$qb->delete(self::DB_TABLE)
-			->where($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId)))
-			->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier)))
-		;
+			->where($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier)));
+
+		if ($userId === '') {
+			$qb->andWhere($qb->expr()->emptyString('user'));
+		} else {
+			$qb->andWhere($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId)));
+		}
+
 		return $qb->execute();
 	}
 
-- 
GitLab