fix(encryption): Do not register user key related event listeners

come-nc · backportbot[bot] · commit f0100f6db4d0 · 2025-06-16T15:55:28.000Z
when master key is enabled.
Also added a safeguard in PassphraseService.

Signed-off-by: Côme Chilliet &lt;come.chilliet@nextcloud.com&gt;
diff --git a/apps/encryption/lib/AppInfo/Application.php b/apps/encryption/lib/AppInfo/Application.php
@@ -72,7 +72,12 @@ public function setUp(IManager $encryptionManager) {
 		}
 	}
 
-	public function registerEventListeners(IConfig $config, IEventDispatcher $eventDispatcher, IManager $encryptionManager): void {
+	public function registerEventListeners(
+		IConfig $config,
+		IEventDispatcher $eventDispatcher,
+		IManager $encryptionManager,
+		Util $util,
+	): void {
 		if (!$encryptionManager->isEnabled()) {
 			return;
 		}
@@ -84,18 +89,23 @@ public function registerEventListeners(IConfig $config, IEventDispatcher $eventD
 		}
 
 		// No maintenance so register all events
-		$eventDispatcher->addServiceListener(UserCreatedEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(UserDeletedEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(BeforePasswordUpdatedEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(PasswordUpdatedEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(BeforePasswordResetEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(PasswordResetEvent::class, UserEventsListener::class);
 		$eventDispatcher->addServiceListener(UserLoggedInEvent::class, UserEventsListener::class);
 		$eventDispatcher->addServiceListener(UserLoggedInWithCookieEvent::class, UserEventsListener::class);
 		$eventDispatcher->addServiceListener(UserLoggedOutEvent::class, UserEventsListener::class);
+		if (!$util->isMasterKeyEnabled()) {
+			// Only make sense if no master key is used
+			$eventDispatcher->addServiceListener(UserCreatedEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(UserDeletedEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(BeforePasswordUpdatedEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(PasswordUpdatedEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(BeforePasswordResetEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(PasswordResetEvent::class, UserEventsListener::class);
+		}
 	}
 
-	public function registerEncryptionModule(IManager $encryptionManager) {
+	public function registerEncryptionModule(
+		IManager $encryptionManager,
+	) {
 		$container = $this->getContainer();
 
 		$encryptionManager->registerEncryptionModule(
diff --git a/apps/encryption/lib/Services/PassphraseService.php b/apps/encryption/lib/Services/PassphraseService.php
@@ -55,6 +55,11 @@ public function setPassphraseForUser(string $userId, string $password, ?string $
 			return true;
 		}
 
+		if ($this->util->isMasterKeyEnabled()) {
+			$this->logger->error('setPassphraseForUser should never be called when master key is enabled');
+			return true;
+		}
+
 		// Check user exists on backend
 		$user = $this->userManager->get($userId);
 		if ($user === null) {
