fix(carddav): Don't show system address book cards to guests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
nextcloud · May 24, 2023 · e750762 · e750762
1 parent 568ddbb
commit e750762
Showing 1 changed file with 6 additions and 8 deletions.
diff --git a/apps/dav/lib/CardDAV/SystemAddressbook.php b/apps/dav/lib/CardDAV/SystemAddressbook.php
@@ -92,7 +92,7 @@ public function getChildren() {
 			// Should never happen because we don't allow anonymous access
 			return [];
 		}
-		if (!$shareEnumeration || !($shareEnumerationGroup && $shareEnumerationPhone)) {
+		if ($user->getBackendClassName() === 'Guests' || !$shareEnumeration || !($shareEnumerationGroup && $shareEnumerationPhone)) {
 			$name = SyncService::getCardUri($user);
 			try {
 				return [parent::getChild($name)];
@@ -135,8 +135,8 @@ public function getMultipleChildren($paths): array {
 		$shareEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
 		$shareEnumerationGroup = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'no') === 'yes';
 		$shareEnumerationPhone = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_phone', 'no') === 'yes';
-		if (!$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) {
-			$user = $this->userSession->getUser();
+		$user = $this->userSession->getUser();
+		if (($user !== null && $user->getBackendClassName() === 'Guests') || !$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) {
 			// No user or cards with no access
 			if ($user === null || !in_array(SyncService::getCardUri($user), $paths, true)) {
 				return [];
@@ -149,7 +149,6 @@ public function getMultipleChildren($paths): array {
 			}
 		}
 		if ($shareEnumerationGroup) {
-			$user = $this->userSession->getUser();
 			if ($this->groupManager === null || $user === null) {
 				// Group manager or user is not available, so we can't determine which data is safe
 				return [];
@@ -196,19 +195,18 @@ public function getMultipleChildren($paths): array {
 	 * @throws Forbidden
 	 */
 	public function getChild($name): Card {
+		$user = $this->userSession->getUser();
 		$shareEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
 		$shareEnumerationGroup = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'no') === 'yes';
 		$shareEnumerationPhone = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_phone', 'no') === 'yes';
-		if (!$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) {
-			$currentUser = $this->userSession->getUser();
-			$ownName = $currentUser !== null ? SyncService::getCardUri($currentUser) : null;
+		if (($user !== null && $user->getBackendClassName() === 'Guests') || !$shareEnumeration || (!$shareEnumerationGroup && $shareEnumerationPhone)) {
+			$ownName = $user !== null ? SyncService::getCardUri($user) : null;
 			if ($ownName === $name) {
 				return parent::getChild($name);
 			}
 			throw new Forbidden();
 		}
 		if ($shareEnumerationGroup) {
-			$user = $this->userSession->getUser();
 			if ($user === null || $this->groupManager === null) {
 				// Group manager is not available, so we can't determine which data is safe
 				throw new Forbidden();