Skip to content

fix(wopi): stable guest UserId and correct IsAnonymousUser for named guests#5601

Open
Arildm-no wants to merge 2 commits intonextcloud:mainfrom
Arildm-no:fix/guest-wopi-userid-and-anonymous-flag
Open

fix(wopi): stable guest UserId and correct IsAnonymousUser for named guests#5601
Arildm-no wants to merge 2 commits intonextcloud:mainfrom
Arildm-no:fix/guest-wopi-userid-and-anonymous-flag

Conversation

@Arildm-no
Copy link
Copy Markdown

@Arildm-no Arildm-no commented Apr 28, 2026

Problem

Two bugs in WopiController::checkFileInfo() prevent cursor presence from working when a named guest edits a document via a public link alongside a logged-in user.

Bug 1 — Guest UserId is randomly generated on every WOPI call

// Before (broken)
$guestUserId = 'Guest-' . \OCP\Server::get(\OCP\Security\ISecureRandom::class)->generate(8);

The WOPI protocol requires UserId to be stable for the duration of a session. Collabora calls CheckFileInfo multiple times (e.g. on token refresh), and each call returned a different random ID for the same guest. Collabora treats each new ID as a new user, breaking cursor tracking and view presence entirely.

Bug 2 — IsAnonymousUser is unconditionally true for all public link users

// Before (broken)
if ($isPublic) {
    $response['IsAnonymousUser'] = true; // set even when guest has a display name
}

Collabora interprets IsAnonymousUser = true as a privacy signal and hides that user's cursor from other editors. This is correct for a truly anonymous viewer (no name entered), but wrong for a guest who has explicitly entered a display name in the Nextcloud sharing prompt.

Fix

  1. Derive UserId deterministically from the WOPI token using SHA-256, so the same guest token always maps to the same identity within a session.
  2. Only set IsAnonymousUser = true when the guest has no display name. Named guests get false, enabling cursor visibility.
// After
$guestUserId = 'Guest-' . substr(hash('sha256', $wopi->getToken()), 0, 8);

$response['IsAnonymousUser'] = empty($wopi->getGuestDisplayname());

Steps to reproduce

  1. Share a document with a public edit link
  2. Open the document as a logged-in admin
  3. Open the public link in another browser / incognito window, enter a name when prompted
  4. Both users type — the logged-in user cannot see the guest's cursor or writing indicator

Expected behaviour

Named guests have a visible, coloured cursor indicator, just like any other named collaborator.

Tested on

  • Nextcloud 33
  • richdocuments 10.1.2
  • Collabora Online CODE 25.04.9.4

@joshtrichards joshtrichards added bug Something isn't working 3. to review Ready to be reviewed feature: wopi host feature: share link labels May 6, 2026
joshtrichards
joshtrichards requested changes May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@joshtrichards joshtrichards left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! Makes sense.

I'm surprised I can't find any open bug reports on this topic.

Anyhow, from my end, as noted, I'd just like to see the output bumped up from the hash.

P.S. #2170 impacts this too (I assume). But that's not guest specific - and, more importantly, this is still a good improvement. And, presumably guests will likely also benefit from whatever eventually targets #2170 anyhow (by virtue of this change).

Comment thread lib/Controller/WopiController.php Outdated
Comment thread lib/Controller/WopiController.php Outdated
Arildm-no and others added 2 commits May 6, 2026 10:20
@Arildm-no
fix(wopi): stable guest UserId and correct IsAnonymousUser for named …
0c4e9cf 
…guests

Two issues prevented cursor presence from working for named public link guests:

1. Guest UserId was randomly generated on every CheckFileInfo call. The WOPI
   spec requires UserId to be stable per user session. Use a deterministic
   hash of the WOPI token instead so the same guest retains the same identity
   for the duration of the session.

2. IsAnonymousUser was unconditionally set to true for all public link users,
   even when the guest had explicitly entered a display name. Collabora treats
   IsAnonymousUser=true as a privacy signal and hides the cursor from other
   editors. Only set the flag when the guest has no display name (truly
   anonymous), so named guests have visible cursors in collaborative sessions.
@Arildm-no @claude
fix(wopi): increase guest UserId hash length to 16 chars
e93e9c8 
Addresses review feedback: bumps substr length from 8 to 16 hex chars
(64-bit) for Birthday Paradox mitigation on guest UserId generation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Arildm-no Arildm-no force-pushed the fix/guest-wopi-userid-and-anonymous-flag branch from 4f553df to e93e9c8 Compare May 6, 2026 08:21
@Arildm-no
Copy link
Copy Markdown
Author

Arildm-no commented May 6, 2026
edited
Loading

Thanks for the thorough review, @joshtrichards! Both requested changes have been applied:

  • Hash length bumped to 16 chars in both checkFileInfo() and getSettings() — good call on the Birthday Paradox mitigation, 64-bit is clearly the right default here.
  • Rebased onto current main — resolved the conflict with the $isVersion public-link guard that was added upstream; both changes coexist cleanly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joshtrichards joshtrichards joshtrichards requested changes

@elzody elzody Awaiting requested review from elzody elzody is a code owner

@juliusknorr juliusknorr Awaiting requested review from juliusknorr juliusknorr is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

3. to review Ready to be reviewed bug Something isn't working feature: share link feature: wopi host

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Arildm-no @joshtrichards