From 9cadb38cbf46ae13fd5a2cbfdebe833f97e5b6fb Mon Sep 17 00:00:00 2001
From: Julius Knorr
Date: Wed, 26 Nov 2025 14:30:40 +0100
Subject: [PATCH] fix: Properly handle authenticated links being an array
Signed-off-by: Julius Knorr
---
 lib/Controller/DocumentAPIController.php | 8 +++++---
 lib/Controller/DocumentController.php | 17 +++++++++++------
 2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/lib/Controller/DocumentAPIController.php b/lib/Controller/DocumentAPIController.php
index e26253d63..f8e69cfeb 100644
--- a/lib/Controller/DocumentAPIController.php
+++ b/lib/Controller/DocumentAPIController.php
@@ -65,9 +65,11 @@ class DocumentAPIController extends \OCP\AppFramework\OCSController {
 $share = $this->shareManager->getShareByToken($shareToken);
 if ($share->getPassword()) {
- if (!$this->session->exists('public_link_authenticated')
- || $this->session->get('public_link_authenticated') !== (string)$share->getId()
- ) {
+ $authenticatedLinks = $this->session->get('public_link_authenticated');
+
+ $isAuthenticated = (is_array($authenticatedLinks) && in_array($share->getId(), $authenticatedLinks));
+ $isAuthenticated = $isAuthenticated || ($authenticatedLinks === (string)$share->getId());
+ if (!$isAuthenticated) {
 throw new Exception('Invalid password');
 }
 }
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
index e4742bf4a..89c9e08d7 100644
--- a/lib/Controller/DocumentController.php
+++ b/lib/Controller/DocumentController.php
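Review bot: The added `in_array($share->getId(), $authenticatedLinks)` in the password check of DocumentAPIController.php compares loosely, while the string fallback on the next line casts to string and uses `===`. Under `==` a numeric string matches other spellings of the same number and a boolean `true` element matches any non-empty id, so the authorization result depends on which types the session array happens to hold. Make the array branch as strict as the string branch, for example `in_array((string)$share->getId(), array_map('strval', $authenticatedLinks), true)`, which tolerates ids stored as either int or string. The same line is added in both DocumentController.php hunks (at lines 242 and 461). The enclosing method begins and ends outside this hunk.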
@@ -242,9 +242,11 @@ class DocumentController extends Controller {
 $share = $this->shareManager->getShareByToken($shareToken);
 // not authenticated ?
 if ($share->getPassword()) {
- if (!$this->session->exists('public_link_authenticated')
- || $this->session->get('public_link_authenticated') !== (string)$share->getId()
- ) {
+ $authenticatedLinks = $this->session->get('public_link_authenticated');
+
+ $isAuthenticated = (is_array($authenticatedLinks) && in_array($share->getId(), $authenticatedLinks));
+ $isAuthenticated = $isAuthenticated || ($authenticatedLinks === (string)$share->getId());
+ if (!$isAuthenticated) {
 throw new Exception('Invalid password');
 }
 }
@@ -459,9 +461,12 @@ class DocumentController extends Controller {
 private function getFileForShare(IShare $share, ?int $fileId, ?string $path = null): File {
 // not authenticated ?
 if ($share->getPassword()) {
- if (!$this->session->exists('public_link_authenticated')
- || $this->session->get('public_link_authenticated') !== (string)$share->getId()
- ) {
+ $authenticatedLinks = $this->session->get('public_link_authenticated');
+
+ $isAuthenticated = (is_array($authenticatedLinks) && in_array($share->getId(), $authenticatedLinks));
+ $isAuthenticated = $isAuthenticated || ($authenticatedLinks === (string)$share->getId());
+
+ if (!$isAuthenticated) {
 throw new NotPermittedException('Invalid password');
 }
 }
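Review bot: The session check added in the hunk at line 242 is repeated verbatim in getFileForShare (hunk at line 461) and again in DocumentAPIController.php, so a later correction to one copy can miss the others. The two copies in this file already wrap identical logic in different exception types (`Exception` and `NotPermittedException`). A private helper returning a bool would keep the password-gate rule in one place, let each caller keep its own throw, and give the two accepted shapes of `public_link_authenticated` (array and single string) one documented home. The sketch below also compares ids strictly after casting them to string. The body of the first method starts outside the hunk.

```php
/**
 * Whether this session has already passed the password prompt for $share.
 * The session value may be a list of share ids or a single id string.
 */
private function isShareAuthenticated(IShare $share): bool {
	$authenticatedLinks = $this->session->get('public_link_authenticated');
	$shareId = (string)$share->getId();
	if (is_array($authenticatedLinks)) {
		return in_array($shareId, array_map('strval', $authenticatedLinks), true);
	}
	return $authenticatedLinks === $shareId;
}

// … unchanged: share lookup; each caller keeps its own exception type …
if ($share->getPassword() && !$this->isShareAuthenticated($share)) {
	throw new NotPermittedException('Invalid password');
}
```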