nextcloud
fix: Fix theming for disabled accounts
The Theming app injects the stylesheets for the different themes in the <header> element of the page, and those stylesheets are then loaded by the browser from a Controller (a plain Controller, not an OCSController). The stylesheets, in turn, may also get some images (like the background) also from the Controller.
When handling a request to index.php it is checked whether the user is logged in and, if not, a login is tried. A disabled user is explicitly seen as not logged in, so a login is always tried in that case, but disabled users are also explicitly prevented to log in, so the login also fails. Due to that trying to get any of the themed stylesheets or images with a disabled account (to be able to show the "Account disabled" error page) fails with an HTTP status 401. Note that all this happens even before the route is matched and the Middleware does its magic, so the requests fail even if the controller endpoint is marked as a public page.
To solve the issue, and to avoid touching this basic logic as much as possible, the login exception is now ignored for some specific requests to the Theming app (unfortunately it does not seem to be possible to ignore it only when the user is also disabled). There are probably better, cleaner and/or more elegant fixes, and I am not even sure if this one could be somehow problematic... so improvements are welcome :-)
Note that disabled accounts keep their own custom theme. However, getBackground is not a public page so even if the login exception is ignored for it requests by disabled accounts would still fail, so the custom background image can not be got. Independently of that, it could be argued that the global theme, be it custom or not, should be used instead for disabled accounts. It would be necessary to adjust the calls to getUserValue throught the Theming app (for example, when getting the background) to use the global value instead if the account is disabled, as the default IConfig implementation always returns the user value, no matter if the account is disabled or not. However, as keeping the account theme might be fine too nothing was changed in that regard (neither to allow getting the custom background nor to use the global theme).
How to test (scenario 1)
- Log in as an admin
- Open the Theming section in the Administration settings
- Upload a custom background
- In a private window, log in with another account
- In the original window, open the Accounts settings
- Disable the other account
- In the private window, reload the page
Result with this pull request
The custom background and matching colour scheme is used
Result without this pull request
The default background and matching colour scheme is used
How to test (scenario 2)
- Log in as an admin
- Open the Theming section in the Administration settings
- Upload a custom background
- In a private window, log in with another account
- Open the Theming section in the Personal setting
- Upload another custom background
- In the original window, open the Accounts settings
- Disable the other account
- In the private window, reload the page
Result with this pull request
The custom (account specific, not global) colour scheme is used, although there is no background image
Result without this pull request
The default background and matching colour scheme theme is used
I have reordered the commits and adjusted their descriptions accordingly, and then rebased to (what was) latest master (but is no longer latest master :sweat_smile: ).
Edit: And pushed again to adjust to the new code style conventions.