From e33179e41859a6813ca5c67b4d664d5812e6ecdf Mon Sep 17 00:00:00 2001 From: Arildm-no Date: Tue, 28 Apr 2026 22:55:53 +0200 Subject: [PATCH 1/2] fix(wopi): stable guest UserId and correct IsAnonymousUser for named guests Two issues prevented cursor presence from working for named public link guests: 1. Guest UserId was randomly generated on every CheckFileInfo call. The WOPI spec requires UserId to be stable per user session. Use a deterministic hash of the WOPI token instead so the same guest retains the same identity for the duration of the session. 2. IsAnonymousUser was unconditionally set to true for all public link users, even when the guest had explicitly entered a display name. Collabora treats IsAnonymousUser=true as a privacy signal and hides the cursor from other editors. Only set the flag when the guest has no display name (truly anonymous), so named guests have visible cursors in collaborative sessions. Signed-off-by: Arildm-no --- lib/Controller/WopiController.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/Controller/WopiController.php b/lib/Controller/WopiController.php index 60ee8d393f..fab6d4a6ad 100644 --- a/lib/Controller/WopiController.php +++ b/lib/Controller/WopiController.php @@ -161,7 +161,7 @@ public function checkFileInfo( return new JSONResponse([], Http::STATUS_FORBIDDEN); } - $guestUserId = 'Guest-' . \OCP\Server::get(\OCP\Security\ISecureRandom::class)->generate(8); + $guestUserId = 'Guest-' . substr(hash('sha256', $wopi->getToken()), 0, 16); $user = $this->userManager->get($wopi->getEditorUid()); $userDisplayName = $user !== null && !$isPublic ? $user->getDisplayName() : $wopi->getGuestDisplayname(); $isSmartPickerEnabled = (bool)$wopi->getCanwrite() && !$isPublic && !$wopi->getDirect(); @@ -293,7 +293,7 @@ public function checkFileInfo( if ($isPublic) { $response['UserExtraInfo']['is_guest'] = true; // DEPRECATED - $response['IsAnonymousUser'] = true; + $response['IsAnonymousUser'] = empty($wopi->getGuestDisplayname()); } else { $response['IsAnonymousUser'] = false; } @@ -485,7 +485,7 @@ public function getSettings( } $isPublic = empty($wopi->getEditorUid()); - $guestUserId = 'Guest-' . \OCP\Server::get(\OCP\Security\ISecureRandom::class)->generate(8); + $guestUserId = 'Guest-' . substr(hash('sha256', $wopi->getToken()), 0, 8); $userId = !$isPublic ? $wopi->getEditorUid() : $guestUserId; $userConfig = $this->settingsService->generateSettingsConfig($type, $userId); From e9033657c9bfedd822084c53eec779fd4ccc2d1a Mon Sep 17 00:00:00 2001 From: Arildm-no Date: Wed, 6 May 2026 10:20:24 +0200 Subject: [PATCH 2/2] fix(wopi): increase guest UserId hash length to 16 chars Addresses review feedback: bumps substr length from 8 to 16 hex chars (64-bit) for Birthday Paradox mitigation on guest UserId generation. Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Arildm-no --- lib/Controller/WopiController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Controller/WopiController.php b/lib/Controller/WopiController.php index fab6d4a6ad..c0552d5c8e 100644 --- a/lib/Controller/WopiController.php +++ b/lib/Controller/WopiController.php @@ -485,7 +485,7 @@ public function getSettings( } $isPublic = empty($wopi->getEditorUid()); - $guestUserId = 'Guest-' . substr(hash('sha256', $wopi->getToken()), 0, 8); + $guestUserId = 'Guest-' . substr(hash('sha256', $wopi->getToken()), 0, 16); $userId = !$isPublic ? $wopi->getEditorUid() : $guestUserId; $userConfig = $this->settingsService->generateSettingsConfig($type, $userId);