From 76367c5c38c59404a6a99ff4b5b489fa4c39373d Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Thu, 17 Dec 2020 11:46:57 +0100
Subject: [PATCH] Don't save credentials of another user

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 .../lib/Lib/Auth/Password/LoginCredentials.php               | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php
index 6bf6b61f164..b8279f5ca61 100644
--- a/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php
+++ b/apps/files_external/lib/Lib/Auth/Password/LoginCredentials.php
@@ -79,6 +79,11 @@ class LoginCredentials extends AuthMechanism {
 			try {
 				$sessionCredentials = $this->credentialsStore->getLoginCredentials();
 
+				if ($sessionCredentials->getUID() !== $user->getUID()) {
+					// Can't take the credentials from the session as they are not the same user
+					throw new CredentialsUnavailableException();
+				}
+
 				$credentials = [
 					'user' => $sessionCredentials->getLoginName(),
 					'password' => $sessionCredentials->getPassword()
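Review bot: The new guard `if ($sessionCredentials->getUID() !== $user->getUID())` throws a bare `CredentialsUnavailableException`, so a mismatch between the session user and the target user looks the same as the ordinary "no credentials in the session" case to whatever handles it. This path means one user's login password was about to be saved for a different account, so it deserves its own message, e.g. `throw new CredentialsUnavailableException('Session credentials belong to a different user');` (assuming the class keeps the standard exception constructor). The enclosing `try` and its `catch` lie outside the hunk, so confirm there that the exception is not swallowed in a way that falls through to storing or returning `$credentials`. The diffstat lists only this one file, so a regression test for the mismatched-UID path would help keep the check from being dropped in a later refactor.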
-- 
GitLab