mod_collabora: use session handler to check an existing session

Andreas Grabs · Andreas Grabs · commit edcce43ceaa6 · 2025-01-21T10:22:35.000+01:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -3,6 +3,10 @@ moodle-mod_collabora
 
 Changes
 -------
+### v4.5.2
+* 2025-01-21 -  Since Moodle 4.5, you have to check an existing session by using the session handler (#45).
+* 2025-01-21 -  Fix wrong type param in repair.php
+* 2025-01-21 -  Adjust github workflow to be more restrictive
 
 ### v4.5.1
 * 2024-11-04 -  Fix wrong sort param int get_area_files while loading the current group file.
diff --git a/classes/api/base_filesystem.php b/classes/api/base_filesystem.php
@@ -218,6 +218,19 @@ public static function get_accepted_types() {
         ];
     }
 
+    /**
+     * Does the PHP session with given id exist?
+     *
+     * The session must exist in actual session backend and the session must not be timed out.
+     * With this check, we ensure that the callback calls belong to a user who is actually logged in.
+     *
+     * @param string $sid
+     * @return bool
+     */
+    public static function session_exists($sid) {
+        return \mod_collabora\session::session_exists($sid);
+    }
+
     /**
      * Constructor.
      *
diff --git a/classes/api/collabora_fs.php b/classes/api/collabora_fs.php
@@ -48,8 +48,7 @@ class collabora_fs extends base_filesystem {
      */
     public static function get_userid_from_token($token) {
         global $DB;
-        $sql = 'SELECT ct.id, ct.userid from {collabora_token} ct
-                JOIN {sessions} s ON s.userid = ct.userid AND s.sid = ct.sid
+        $sql = 'SELECT * from {collabora_token} ct
                 WHERE ct.token = :token
         ';
 
@@ -59,6 +58,11 @@ public static function get_userid_from_token($token) {
             return false;
         }
 
+        // Check the user has a valid session in moodle.
+        if (!static::session_exists($tokenrec->sid)) {
+            return false;
+        }
+
         return $tokenrec->userid;
     }
 
@@ -72,10 +76,9 @@ public static function remove_unused_tokens() {
 
         $recordset = $DB->get_recordset('collabora_token');
 
-        $select = 'sid = :sid AND userid > 0';
         foreach ($recordset as $tokenrec) {
-            $params = ['sid' => $tokenrec->sid];
-            if (!$DB->record_exists_select('sessions', $select, $params)) {
+            // Check the user has a valid session in moodle.
+            if (!static::session_exists($tokenrec->sid)) {
                 $DB->delete_records('collabora_token', ['id' => $tokenrec->id]);
             }
         }
@@ -495,15 +498,17 @@ public function get_user_token() {
             'userid' => $this->user->id,
             'sid'    => session_id(),
         ];
-        $sql = 'SELECT ct.id, ct.token from {collabora_token} ct
-                JOIN {sessions} s ON s.userid = ct.userid AND s.sid = ct.sid
+        $sql = 'SELECT * from {collabora_token} ct
                 WHERE ct.userid = :userid AND ct.sid = :sid
         ';
 
         $tokenrec = $DB->get_record_sql($sql, $params);
 
+        // Check the user has a valid session in moodle.
         if (!empty($tokenrec->token)) {
-            return $tokenrec->token;
+            if (static::session_exists($tokenrec->sid)) {
+                return $tokenrec->token;
+            }
         }
         // Create a new token record.
         $tokenrec         = new \stdClass();
diff --git a/classes/session.php b/classes/session.php
@@ -0,0 +1,55 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+namespace mod_collabora;
+
+use mod_collabora\api\collabora_fs;
+
+/**
+ * Helper class for sessions.
+ *
+ * Currently it is only used to find out whether or not a user has a valid session.
+ *
+ * @package    mod_collabora
+ *
+ * @author     Andreas Grabs <moodle@grabs-edv.de>
+ * @copyright  2025 Humboldt-Universität zu Berlin <moodle-support@cms.hu-berlin.de>
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+class session {
+
+    /**
+     * Does the PHP session with given id exist?
+     *
+     * The session must exist in actual session backend and the session must not be timed out.
+     * With this check, we ensure that the callback calls belong to a user who is actually logged in.
+     *
+     * @param string $sid
+     * @return bool
+     */
+    public static function session_exists($sid) {
+        $handlerclass = \core\session\manager::get_handler_class();
+        /** @var \core\session\handler $handler */
+        $handler = new $handlerclass();
+        try {
+            $handler->init();
+        } catch (\Exception $e) {
+            debugging($e->getMessage());
+            return false;
+        }
+        return $handler->session_exists($sid);
+    }
+}
diff --git a/version.php b/version.php
@@ -23,8 +23,8 @@
  */
 defined('MOODLE_INTERNAL') || die;
 
-$plugin->version   = 2024103001;
-$plugin->release   = 'v4.5.1 (2024110400)';
+$plugin->version   = 2024103002;
+$plugin->release   = 'v4.5.2 (2025012100)';
 $plugin->requires  = 2022111800; // Moodle 4.1.
 $plugin->component = 'mod_collabora';
 $plugin->maturity  = MATURITY_BETA;
