authorJan-Hendrik Willms <tleilax+studip@gmail.com>2025-10-16 11:14:09 +0200
committerJan-Hendrik Willms <tleilax+studip@gmail.com>2025-10-16 11:14:09 +0200
commit6a3a77d11d605d57c6bdefbad4e96d474c74f458 (patch)
tree12af4b1685439cbdf3dd7925475b305be23ba365 /app
parent3aed9159d6601aa4db9822ec7d7bc8efe877b99f (diff)
use correct way to access oauth2 client id, fixes #5953
Closes #5953 Merge request studip/studip!4547
Diffstat (limited to 'app')
-rw-r--r--app/controllers/api/oauth2/authorize.php2
-rw-r--r--app/views/api/oauth2/authorize.php19
2 files changed, 15 insertions, 6 deletions
diff --git a/app/controllers/api/oauth2/authorize.php b/app/controllers/api/oauth2/authorize.php
index 2643c19..adf6d1a 100644
--- a/app/controllers/api/oauth2/authorize.php
+++ b/app/controllers/api/oauth2/authorize.php
@@ -24,7 +24,7 @@ class Api_Oauth2_AuthorizeController extends OAuth2Controller
$method = $this->getMethod();
if (Request::submitted('auth_token')) {
- if ('nobody' === $GLOBALS['user']->id) {
+ if (!User::findCurrent()) {
throw new LoginException();
}
CSRFProtection::verifyUnsafeRequest();
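Review bot: The new guard on the `+` line relies on `User::findCurrent()` returning a falsy value for an unauthenticated request, which nothing in this hunk establishes; if it hands back a placeholder "nobody" user the way `$GLOBALS['user']` did, the `LoginException` is never thrown and the request proceeds to `CSRFProtection::verifyUnsafeRequest()` and the consent handling for anonymous callers. Worth confirming against the `User` class and recording the assumption on the guard, e.g. `// findCurrent() is null for anonymous sessions; the consent form must only be processed for a logged-in user`. Note also that this check only runs when `auth_token` is submitted, so the same assumption is not enforced for the initial render of the authorize page, where the view (second file of this commit) dereferences `User::findCurrent()` unconditionally. The enclosing method begins and ends outside the hunk.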
diff --git a/app/views/api/oauth2/authorize.php b/app/views/api/oauth2/authorize.php
index f1bf2b0..2166938 100644
--- a/app/views/api/oauth2/authorize.php
+++ b/app/views/api/oauth2/authorize.php
@@ -1,3 +1,12 @@
+<?php
+/**
+ * @var \League\OAuth2\Server\Entities\ClientEntityInterface $client
+ * @var array $scopes
+ * @var string $state
+ * @var string $authToken
+ * @var StudipController $controller
+ */
+?>
<section class="oauth authorize">
<header>
<h1><?= _('Autorisierungsanfrage') ?></h1>
@@ -26,7 +35,7 @@
<?= \CSRFProtection::tokenTag() ?>
<input type="hidden" name="_method" value="delete">
<input type="hidden" name="state" value="<?= htmlReady($state) ?>">
- <input type="hidden" name="client_id" value="<?= htmlReady($client->id) ?>">
+ <input type="hidden" name="client_id" value="<?= htmlReady($client->getIdentifier()) ?>">
<input type="hidden" name="auth_token" value="<?= htmlReady($authToken) ?>">
<?= Studip\Button::create(_('Verweigern'), 'deny') ?>
</form>
@@ -34,7 +43,7 @@
<form action="<?= $controller->url_for('api/oauth2/authorize') ?>" method="post">
<?= \CSRFProtection::tokenTag() ?>
<input type="hidden" name="state" value="<?= htmlReady($state) ?>">
- <input type="hidden" name="client_id" value="<?= htmlReady($client->id) ?>">
+ <input type="hidden" name="client_id" value="<?= htmlReady($client->getIdentifier()) ?>">
<input type="hidden" name="auth_token" value="<?= htmlReady($authToken) ?>">
<?= Studip\Button::create(_('Erlauben'), 'allow') ?>
</form>
@@ -45,8 +54,8 @@
<?= sprintf(
_('Angemeldet als <strong>%s</strong> (%s)'),
- htmlReady($GLOBALS['user']->getFullName()),
- htmlReady($GLOBALS['user']->username)
+ htmlReady(User::findCurrent()->getFullName()),
+ htmlReady(User::findCurrent()->username)
) ?><br>
</p>
@@ -55,7 +64,7 @@
<small>
<?= sprintf(
_('Sind sie nicht <strong>%s</strong>, so melden Sie sich bitte ab und versuchen es erneut.'),
- htmlReady($GLOBALS['user']->getFullName())
+ htmlReady(User::findCurrent()->getFullName())
) ?>
</small>
</button>
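Review bot: In the hunks at lines 45-54 and 55-64 of the view, `User::findCurrent()` is dereferenced three times without a null check (`User::findCurrent()->getFullName()`, `->username`); the controller's new guard throws `LoginException` only when `auth_token` is submitted, so if this view can be rendered for a request without a logged-in user, the old `$GLOBALS['user']` access printed an empty name whereas the new code raises a fatal `Error` on `null`. Calling the lookup once is also cheaper and makes the null case visible: add `$user = User::findCurrent();` inside the new `<?php` block at the top of the file (next to the `@var` annotations) and use `htmlReady($user->getFullName()),` and `htmlReady($user->username)` in the two `sprintf` blocks, with a `@var User $user` line documenting that the controller guarantees it is non-null — or an explicit guard if that guarantee cannot be confirmed. The `@var` docblock that opens the file is a good addition; consider typing `$scopes` more precisely than `array` if its element type is known from the controller.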