CVE-2023-46743: The same file cannot be opened with different rights

Impact

As part of the application use cases, depending on the rights that a user has over a document, he should be able to open the office attachments files in view or edit mode. Right now, if a user opens an atachment file in edit mode in collabora, this right will be preserved for all future users, until the editing session is closes, even if some of them have only view right.

Steps to reproduce:

1. Login with user1 that has edit access on Sandbox.TestPage1 and access the page
2. Got to the Attachments tab
3. Click on New office file and create the test.odt file
4. Remain with the editor opened for editing this file
5. From an incognito browser window, login with user2 that has view access on Sandbox.TestPage1 and access the page
6. Go to the Attachments tab
7. Click on the Collabora button next to the newly created test.odt file

Expected result:
The file is opened in view mode

Actual result:
The file is opened in edit mode. So, the first person that opens a file will mark the edit action for all future editors as long as the window is still opened. Because of this, if a user with view right will be the first to open a file, user with edit rights won’t be able to edit it as long as the editor is opened.

Investigation
The problem comes from here. Collabora server is the one issuing this request and it seems that the userCanWrite query parameter is cached, even if, for example, token is not. But probably because it expects the token but no other parameters.

Patches

The issue has been fixed as part of Application Collabora 1.3 by 60c6e40

Workarounds

There are no known workarounds besides upgrading.

References

No references.