authorJan-Hendrik Willms <tleilax+studip@gmail.com>2025-10-16 11:14:09 +0200
committerJan-Hendrik Willms <tleilax+studip@gmail.com>2025-10-16 14:36:02 +0200
commit6ead818c188331f6efbf7b38b95ace812dd02c7b (patch)
tree2074a02221d57db863ba4d608ff5fc6e8372a77d /app
parentbca5ed25b508d78413078e24d0baf2dcbee3f826 (diff)
use correct way to access oauth2 client id, fixes #5953
Closes #5953 Merge request studip/studip!4547
Diffstat (limited to 'app')
-rw-r--r--app/controllers/api/oauth2/authorize.php2
-rw-r--r--app/views/api/oauth2/authorize.php19
2 files changed, 15 insertions, 6 deletions
diff --git a/app/controllers/api/oauth2/authorize.php b/app/controllers/api/oauth2/authorize.php
index ac2556c..ac4a977 100644
--- a/app/controllers/api/oauth2/authorize.php
+++ b/app/controllers/api/oauth2/authorize.php
@@ -24,7 +24,7 @@ class Api_Oauth2_AuthorizeController extends OAuth2Controller
$method = $this->getMethod();
if (Request::submitted('auth_token')) {
- $GLOBALS['auth']->login_if('nobody' === $GLOBALS['user']->id);
+ $GLOBALS['auth']->login_if(!User::findCurrent());
CSRFProtection::verifyUnsafeRequest();
switch ($method) {
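Review bot: The new condition `login_if(!User::findCurrent())` is only correct if `User::findCurrent()` returns a falsy value for the anonymous "nobody" session, and nothing in this hunk shows that. This line decides whether the OAuth2 consent step demands authentication, so the assumption deserves a comment above the call, e.g. `// force a login when no authenticated user is bound to the session (anonymous "nobody" yields null)`. The commit subject mentions only the client id, so the description should also name this change to the authentication check. The enclosing action starts and ends outside the hunk, so what `switch ($method)` does afterwards cannot be judged from here.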
diff --git a/app/views/api/oauth2/authorize.php b/app/views/api/oauth2/authorize.php
index 693968a..f187051 100644
--- a/app/views/api/oauth2/authorize.php
+++ b/app/views/api/oauth2/authorize.php
@@ -1,3 +1,12 @@
+<?php
+/**
+ * @var \League\OAuth2\Server\Entities\ClientEntityInterface $client
+ * @var array $scopes
+ * @var string $state
+ * @var string $authToken
+ * @var StudipController $controller
+ */
+?>
<section class="oauth authorize">
<header>
<h1><?= _('Autorisierungsanfrage') ?></h1>
@@ -26,7 +35,7 @@
<?= \CSRFProtection::tokenTag() ?>
<input type="hidden" name="_method" value="delete">
<input type="hidden" name="state" value="<?= htmlReady($state) ?>">
- <input type="hidden" name="client_id" value="<?= htmlReady($client->id) ?>">
+ <input type="hidden" name="client_id" value="<?= htmlReady($client->getIdentifier()) ?>">
<input type="hidden" name="auth_token" value="<?= htmlReady($authToken) ?>">
<?= Studip\Button::create(_('Verweigern'), 'deny') ?>
</form>
@@ -34,7 +43,7 @@
<form action="<?= $controller->url_for('api/oauth2/authorize') ?>" method="post">
<?= \CSRFProtection::tokenTag() ?>
<input type="hidden" name="state" value="<?= htmlReady($state) ?>">
- <input type="hidden" name="client_id" value="<?= htmlReady($client->id) ?>">
+ <input type="hidden" name="client_id" value="<?= htmlReady($client->getIdentifier()) ?>">
<input type="hidden" name="auth_token" value="<?= htmlReady($authToken) ?>">
<?= Studip\Button::create(_('Erlauben'), 'allow') ?>
</form>
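Review bot: The form's `action` attribute is filled from `$controller->url_for('api/oauth2/authorize')` without HTML escaping, while every other value in this form goes through `htmlReady()`. The path is static, so the practical risk is low, but the URL helper may append query parameters. Escaping it in the attribute keeps the template consistent: `action="<?= $controller->link_for('api/oauth2/authorize') ?>"`. The deny form in the previous hunk opens outside the visible lines and probably needs the same change. Separately, `client_id` makes a round trip through the browser, so the controller should check the posted value against the client bound to `auth_token` rather than trust it; that check is not visible on this page.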
@@ -45,14 +54,14 @@
<?= sprintf(
_('Angemeldet als <strong>%s</strong> (%s)'),
- htmlReady($GLOBALS['user']->getFullName()),
- htmlReady($GLOBALS['user']->username)
+ htmlReady(User::findCurrent()->getFullName()),
+ htmlReady(User::findCurrent()->username)
) ?><br>
<small>
<a href="<?= URLHelper::getLink('logout.php') ?>">
<?= sprintf(
_('Sind sie nicht <strong>%s</strong>, so melden Sie sich bitte ab und versuchen es erneut.'),
- htmlReady($GLOBALS['user']->getFullName())
+ htmlReady(User::findCurrent()->getFullName())
) ?>
</a>
</small>
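Review bot: `User::findCurrent()` is now dereferenced three times in this block with no null guard. The old `$GLOBALS['user']` was always an object, but the controller hunk in this same commit treats `!User::findCurrent()` as a possible state, so the method can evidently return a falsy value. If this view is ever rendered without an authenticated user, `->getFullName()` would raise a fatal error on the consent page. Resolve the user once and pass it in from the controller, e.g. `$this->user = User::findCurrent();`, document it as `@var User $user` in the view header, and use `htmlReady($user->getFullName())` and `htmlReady($user->username)` here. Whether the view can be reached unauthenticated depends on controller code outside this hunk.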