From 289c7b493c52e16d943376d48e14543191f53384 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Tue, 26 Aug 2025 14:26:05 +0200 Subject: [PATCH] fix: Avoid internal error when logging in with the wrong account to verify email address MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- .../lib/Controller/VerificationController.php | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/apps/provisioning_api/lib/Controller/VerificationController.php b/apps/provisioning_api/lib/Controller/VerificationController.php index 70535c4906c..38f355e0589 100644 --- a/apps/provisioning_api/lib/Controller/VerificationController.php +++ b/apps/provisioning_api/lib/Controller/VerificationController.php @@ -51,11 +51,18 @@ class VerificationController extends Controller { #[NoAdminRequired] #[NoCSRFRequired] public function showVerifyMail(string $token, string $userId, string $key): TemplateResponse { - if ($this->userSession->getUser()->getUID() !== $userId) { - // not a public page, hence getUser() must return an IUser - throw new InvalidArgumentException('Logged in account is not mail address owner'); + try { + if ($this->userSession->getUser()?->getUID() !== $userId) { + // not a public page, hence getUser() must return an IUser + throw new InvalidArgumentException($this->l10n->t('Logged in account is not mail address owner')); + } + $email = $this->crypto->decrypt($key); + } catch (\Exception $e) { + return new TemplateResponse( + 'core', 'error', [ + 'errors' => [['error' => $e->getMessage()]] + ], TemplateResponse::RENDER_AS_GUEST); } - $email = $this->crypto->decrypt($key); return new TemplateResponse( 'core', 'confirmation', [ 
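Review bot: The new `catch (\Exception $e)` in showVerifyMail also covers `$this->crypto->decrypt($key)`, and `$e->getMessage()` is passed straight to the error template. Whatever text the decryption layer raises for a malformed or tampered `$key` (a request parameter) is therefore shown to the visitor, untranslated and possibly distinguishing one failure mode from another. Only the controller's own translated message should be echoed, e.g. `$message = $e instanceof InvalidArgumentException ? $e->getMessage() : $this->l10n->t('Could not verify mail address');`, with `$message` used as the `error` entry. The comment `// not a public page, hence getUser() must return an IUser` now contradicts the `?->` on the same call and should be reworded or dropped. The method body continues past the end of this hunk.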
@@ -73,8 +80,8 @@ class VerificationController extends Controller {
 public function verifyMail(string $token, string $userId, string $key): TemplateResponse {
 $throttle = false;
 try {
- if ($this->userSession->getUser()->getUID() !== $userId) {
- throw new InvalidArgumentException('Logged in account is not mail address owner');
+ if ($this->userSession->getUser()?->getUID() !== $userId) {
+ throw new InvalidArgumentException($this->l10n->t('Logged in account is not mail address owner'));
 }
 $email = $this->crypto->decrypt($key);
 $ref = \substr(hash('sha256', $email), 0, 8);
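Review bot: The account-ownership guard and its translated message are now written out twice, here in verifyMail and in showVerifyMail, so the two copies of an access check can drift apart on a later edit. A small private method, for example `private function assertSessionUserIs(string $userId): void`, holding the `getUser()?->getUID() !== $userId` comparison and the throw would keep both entry points identical. The try block's catch clauses lie outside this hunk, so how the exception is reported to the user here is not visible.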