From 7384ef8abcd8794806ab4e1793accf955914246e Mon Sep 17 00:00:00 2001
From: provokateurin
Date: Fri, 7 Jun 2024 08:39:23 +0200
Subject: [PATCH] feat(SecurityMiddleware): Allow app_api to bypass user check
Signed-off-by: provokateurin
---
 .../AppFramework/Middleware/Security/SecurityMiddleware.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index a38ad610fc609..55053a7f3ea7f 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -16,6 +16,7 @@
 use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Settings\AuthorizedGroupMapper;
+use OC\User\Session;
 use OCP\App\AppPathNotFoundException;
 use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
@@ -128,7 +129,7 @@ public function beforeController($controller, $methodName) {
 // security checks
 $isPublicPage = $this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class);
 if (!$isPublicPage) {
- if (!$this->isLoggedIn) {
+ if (!$this->isLoggedIn && (!$this->userSession instanceof Session || $this->userSession->getSession()->get('app_api') !== true)) {
 throw new NotLoggedInException();
 }
 $authorized = false;
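Review bot: The rewritten `if (!$this->isLoggedIn && ...)` guard lets any request whose session holds `app_api === true` past `NotLoggedInException` on every non-public controller, yet nothing at the check says who may set that key or how long it stays set. Where the flag is written is not visible in this patch, so the guard is only as strong as that writer: it should be set solely after the app_api request authentication has succeeded, and it should not outlive that request if the session is persisted. I would add a comment above the condition such as `// 'app_api' is set only by the app_api auth path after it has verified the request; it stands in for a logged-in user here`, and consider moving the test into a small private method so the bypass has one named, greppable home. The rest of `beforeController` (the `$authorized` handling that follows) lies outside the hunk, so whether the later checks still behave sensibly with no user in the session needs to be confirmed separately.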