nextcloud · max-nextcloud · Feb 5, 2025 · Jan 28, 2025
@@ -123,12 +123,14 @@ private function assertDocumentSession(ISessionAwareController $controller): voi
 	private function assertUserOrShareToken(ISessionAwareController $controller): void {
 		$documentId = (int)$this->request->getParam('documentId');
 		if (null !== $userId = $this->userSession->getUser()?->getUID()) {
-			// Check if user has access to document
-			if ($this->rootFolder->getUserFolder($userId)->getFirstNodeById($documentId) === null) {
-				throw new InvalidSessionException();
+			if ($this->rootFolder->getUserFolder($userId)->getFirstNodeById($documentId) !== null) {
+				$controller->setUserId($userId);
+				$controller->setDocumentId($documentId);
+				return;
 			}
-			$controller->setUserId($userId);
-		} elseif ('' !== $shareToken = (string)$this->request->getParam('shareToken')) {
+		}
+
+		if ('' !== $shareToken = (string)$this->request->getParam('shareToken')) {
 			try {
 				$share = $this->shareManager->getShareByToken($shareToken);
 			} catch (ShareNotFound) {
@@ -155,11 +157,12 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
 			if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
 				throw new InvalidSessionException();
 			}
-		} else {
-			throw new InvalidSessionException();
+
+			$controller->setDocumentId($documentId);
+			return;
 		}
 
-		$controller->setDocumentId($documentId);
+		throw new InvalidSessionException();
 	}
 
 	public function afterException($controller, $methodName, \Exception $exception): JSONResponse|Response {