From 02ea53c5e9564bd99ca43d75088105ca95e49928 Mon Sep 17 00:00:00 2001
From: Joe Cheng
Date: Thu, 12 Jan 2023 16:50:00 -0800
Subject: [PATCH 1/3] Ensure logged-in user matches when handling session-specific routes
---
 R/shiny.R | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/R/shiny.R b/R/shiny.R
index ef9f255c77..45b56fd132 100644
--- a/R/shiny.R
+++ b/R/shiny.R
@@ -1876,6 +1876,22 @@ ShinySession <- R6Class(
 # Provides a mechanism for handling direct HTTP requests that are posted
 # to the session (rather than going through the websocket)
 handleRequest = function(req) {
+ if (!is.null(self$user)) {
+ if (is.null(req$HTTP_SHINY_SERVER_CREDENTIALS)) {
+ # Session owner is logged in, but this requester is not
+ return(NULL)
+ }
+
+ creds <- NULL
+ try({creds <- safeFromJSON(req$HTTP_SHINY_SERVER_CREDENTIALS)},
+ silent = TRUE
+ )
+ if (!identical(self$user, creds$user)) {
+ # This requester is not the same user as session owner
+ return(NULL)
+ }
+ }
+
 # TODO: Turn off caching for the response
 subpath <- req$PATH_INFO
From 70114125badd7b16bf99a128e8899f4699dae416 Mon Sep 17 00:00:00 2001
From: Joe Cheng
Date: Mon, 13 Feb 2023 09:16:05 -0800
Subject: [PATCH 2/3] Code review feedback
---
 R/shiny.R | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/R/shiny.R b/R/shiny.R
index 45b56fd132..92cecd19bd 100644
--- a/R/shiny.R
+++ b/R/shiny.R
@@ -1882,11 +1882,15 @@ ShinySession <- R6Class(
 return(NULL)
 }
- creds <- NULL
- try({creds <- safeFromJSON(req$HTTP_SHINY_SERVER_CREDENTIALS)},
+ requestUser <- NULL
+ try(
+ {
+ creds <- safeFromJSON(req$HTTP_SHINY_SERVER_CREDENTIALS)
+ requestUser <- creds$user
+ },
 silent = TRUE
 )
- if (!identical(self$user, creds$user)) {
+ if (!identical(self$user, requestUser)) {
 # This requester is not the same user as session owner
 return(NULL)
 }
From 9444bf82ee087f70ba8e17051dfabf6ec9c1f651 Mon Sep 17 00:00:00 2001
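Review bot: The new guard at the top of `handleRequest` decides session ownership from the `HTTP_SHINY_SERVER_CREDENTIALS` request header, and nothing in the hunk records who is trusted to set that header. The comparison is only meaningful when a fronting server injects the header and discards any client-supplied copy; presumably `self$user` was populated from the same header when the session started, which is not visible here. I would state that assumption above the check, e.g. `# Trust boundary: this header must be set by the hosting proxy, which must strip any client-supplied value`. Sessions where `self$user` is NULL skip the check entirely, which is worth saying in the same comment so the guard is not read as covering anonymous sessions. The body of `handleRequest` continues past the end of the hunk.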
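Review bot: Both rejection paths in this block return `NULL` without leaving any trace, and `try(..., silent = TRUE)` also hides a credentials header that fails to parse, so a request made against another user's session gives an operator nothing to alert on. I would emit one log line before the `return(NULL)` under `# This requester is not the same user as session owner`, for example `warning("Rejected session request: requester does not match session owner", call. = FALSE)` or the package's own logging helper, without echoing the header value. A short comment on the `try()` would also help the next reader: `# requestUser stays NULL if parsing fails; self$user is non-NULL here, so identical() fails closed`. The diffstat for patches 1 and 2 shows only `R/shiny.R`, so the missing, malformed and mismatched header cases appear to have no test in this series. The enclosing `handleRequest` starts and ends outside this hunk.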
From: Joe Cheng
Date: Mon, 13 Feb 2023 12:31:56 -0800
Subject: [PATCH 3/3] Try fixing GHA failure by busting the cache
---
 .github/workflows/R-CMD-check.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml
index cd9ed5e759..dca16ab3ee 100644
--- a/.github/workflows/R-CMD-check.yaml
+++ b/.github/workflows/R-CMD-check.yaml
@@ -21,3 +21,5 @@ jobs:
 node-version: "14.x"
 R-CMD-check:
 uses: rstudio/shiny-workflows/.github/workflows/R-CMD-check.yaml@v1
+ with:
+ cache-version: "2.1"