fix: Fix caching routes by users with an active session

danxuliu · danxuliu · commit 4cbea7d8877a · 2025-12-08T16:27:58.000+01:00
When a user has an active session only the apps that are enabled for the
user are initially loaded. In order to cache the routes the routes for
all apps are loaded, but routes defined in routes.php are taken into
account only if the app was already loaded. Therefore, when the routes
were cached in a request by a user with an active session only the
routes for apps enabled for that user were cached, and those routes were
used by any other user, independently of which apps they had access to.
To solve that now all the enabled apps are explicitly loaded before
caching the routes.

Note that this did not affect routes defined using annotations on the
controller files; in that case the loaded routes do not depend on the
previously loaded apps, as it explicitly checks all the enabled apps.

Signed-off-by: Daniel Calviño Sánchez &lt;danxuliu@gmail.com&gt;
diff --git a/apps/testing/appinfo/routes.php b/apps/testing/appinfo/routes.php
@@ -63,5 +63,10 @@
 				'type' => null
 			]
 		],
+		[
+			'name' => 'Routes#getRoutesInRoutesPhp',
+			'url' => '/api/v1/routes/routesphp/{app}',
+			'verb' => 'GET',
+		],
 	],
 ];
diff --git a/apps/testing/composer/composer/autoload_classmap.php b/apps/testing/composer/composer/autoload_classmap.php
@@ -12,6 +12,7 @@
     'OCA\\Testing\\Controller\\ConfigController' => $baseDir . '/../lib/Controller/ConfigController.php',
     'OCA\\Testing\\Controller\\LockingController' => $baseDir . '/../lib/Controller/LockingController.php',
     'OCA\\Testing\\Controller\\RateLimitTestController' => $baseDir . '/../lib/Controller/RateLimitTestController.php',
+    'OCA\\Testing\\Controller\\RoutesController' => $baseDir . '/../lib/Controller/RoutesController.php',
     'OCA\\Testing\\Conversion\\ConversionProvider' => $baseDir . '/../lib/Conversion/ConversionProvider.php',
     'OCA\\Testing\\HiddenGroupBackend' => $baseDir . '/../lib/HiddenGroupBackend.php',
     'OCA\\Testing\\Listener\\GetDeclarativeSettingsValueListener' => $baseDir . '/../lib/Listener/GetDeclarativeSettingsValueListener.php',
diff --git a/apps/testing/composer/composer/autoload_static.php b/apps/testing/composer/composer/autoload_static.php
@@ -27,6 +27,7 @@ class ComposerStaticInitTesting
         'OCA\\Testing\\Controller\\ConfigController' => __DIR__ . '/..' . '/../lib/Controller/ConfigController.php',
         'OCA\\Testing\\Controller\\LockingController' => __DIR__ . '/..' . '/../lib/Controller/LockingController.php',
         'OCA\\Testing\\Controller\\RateLimitTestController' => __DIR__ . '/..' . '/../lib/Controller/RateLimitTestController.php',
+        'OCA\\Testing\\Controller\\RoutesController' => __DIR__ . '/..' . '/../lib/Controller/RoutesController.php',
         'OCA\\Testing\\Conversion\\ConversionProvider' => __DIR__ . '/..' . '/../lib/Conversion/ConversionProvider.php',
         'OCA\\Testing\\HiddenGroupBackend' => __DIR__ . '/..' . '/../lib/HiddenGroupBackend.php',
         'OCA\\Testing\\Listener\\GetDeclarativeSettingsValueListener' => __DIR__ . '/..' . '/../lib/Listener/GetDeclarativeSettingsValueListener.php',
diff --git a/apps/testing/lib/Controller/RoutesController.php b/apps/testing/lib/Controller/RoutesController.php
@@ -0,0 +1,50 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+namespace OCA\Testing\Controller;
+
+use OCP\App\IAppManager;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\OCSController;
+use OCP\IRequest;
+
+class RoutesController extends OCSController {
+
+	/**
+	 * @param string $appName
+	 * @param IRequest $request
+	 * @param IAppManager $appManager
+	 */
+	public function __construct(
+		$appName,
+		IRequest $request,
+		private IAppManager $appManager,
+	) {
+		parent::__construct($appName, $request);
+	}
+
+	/**
+	 * @param string $app
+	 * @return DataResponse
+	 */
+	public function getRoutesInRoutesPhp(string $app): DataResponse {
+		try {
+			$appPath = $this->appManager->getAppPath($app);
+		} catch (AppPathNotFoundException) {
+			return new DataResponse([], Http::STATUS_NOT_FOUND);
+		}
+
+		$file = $appPath . '/appinfo/routes.php';
+		if (!file_exists($file)) {
+			return new DataResponse();
+		}
+
+		$routes = include $file;
+
+		return new DataResponse($routes);
+	}
+}
diff --git a/build/integration/features/bootstrap/RoutingContext.php b/build/integration/features/bootstrap/RoutingContext.php
@@ -6,6 +6,7 @@
  */
 use Behat\Behat\Context\Context;
 use Behat\Behat\Context\SnippetAcceptingContext;
+use PHPUnit\Framework\Assert;
 
 require __DIR__ . '/../../vendor/autoload.php';
 
@@ -16,4 +17,26 @@ class RoutingContext implements Context, SnippetAcceptingContext {
 
 	protected function resetAppConfigs(): void {
 	}
+
+	/**
+	 * @AfterScenario
+	 */
+	public function deleteMemcacheSetting() {
+		$this->invokingTheCommand('config:system:delete memcache.local');
+	}
+
+	/**
+	 * @Given /^route "([^"]*)" of app "([^"]*)" is defined in routes.php$/
+	 */
+	public function routeOfAppIsDefinedInRoutesPhP($route, $app) {
+		$previousUser = $this->currentUser;
+		$this->currentUser = 'admin';
+
+		$this->sendingTo('GET', "/apps/testing/api/v1/routes/routesphp/{$app}");
+		$this->theHTTPStatusCodeShouldBe('200');
+
+		Assert::assertStringContainsString($route, $this->response->getBody()->getContents());
+
+		$this->currentUser = $previousUser;
+   }
 }
diff --git a/build/integration/routing_features/apps-and-routes.feature b/build/integration/routing_features/apps-and-routes.feature
@@ -50,3 +50,22 @@ Feature: appmanagement
     Given As an "admin"
     And sending "DELETE" to "/cloud/apps/weather_status"
     And app "weather_status" is disabled
+
+  Scenario: Cache routes from routes.php with a user in a group without some apps enabled
+    Given invoking occ with "config:system:set memcache.local --value \OC\Memcache\APCu"
+    And the command was successful
+    And route "api/v1/location" of app "weather_status" is defined in routes.php
+    And app "weather_status" enabled state will be restored once the scenario finishes
+    And invoking occ with "app:enable weather_status --groups group1"
+    And the command was successful
+    When Logging in using web as "user2"
+    And sending "GET" with exact url to "/apps/testing/clean_apcu_cache.php"
+    And Sending a "GET" to "/index.php/apps/files" with requesttoken
+    And the HTTP status code should be "200"
+    Then As an "user2"
+    And sending "GET" to "/apps/weather_status/api/v1/location"
+    And the HTTP status code should be "412"
+    And As an "user1"
+    And sending "GET" to "/apps/weather_status/api/v1/location"
+    And the OCS status code should be "200"
+    And the HTTP status code should be "200"
