From f6365e76a1b72ff3f23db1e0e3927532609eb588 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@nextcloud.com>
Date: Mon, 16 Jun 2025 15:44:05 +0200
Subject: [PATCH] fix(encryption): Do not register user key related event
 listeners
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

 when master key is enabled.
Also added a safeguard in PassphraseService.

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
---
 apps/encryption/lib/AppInfo/Application.php   | 26 +++++++++++++------
 .../lib/Services/PassphraseService.php        |  5 ++++
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/apps/encryption/lib/AppInfo/Application.php b/apps/encryption/lib/AppInfo/Application.php
index a4e9426c3e5..b1bf93b9dea 100644
--- a/apps/encryption/lib/AppInfo/Application.php
+++ b/apps/encryption/lib/AppInfo/Application.php
@@ -72,7 +72,12 @@ class Application extends App implements IBootstrap {
 		}
 	}
 
-	public function registerEventListeners(IConfig $config, IEventDispatcher $eventDispatcher, IManager $encryptionManager): void {
+	public function registerEventListeners(
+		IConfig $config,
+		IEventDispatcher $eventDispatcher,
+		IManager $encryptionManager,
+		Util $util,
+	): void {
 		if (!$encryptionManager->isEnabled()) {
 			return;
 		}
@@ -84,18 +89,23 @@ class Application extends App implements IBootstrap {
 		}
 
 		// No maintenance so register all events
-		$eventDispatcher->addServiceListener(UserCreatedEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(UserDeletedEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(BeforePasswordUpdatedEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(PasswordUpdatedEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(BeforePasswordResetEvent::class, UserEventsListener::class);
-		$eventDispatcher->addServiceListener(PasswordResetEvent::class, UserEventsListener::class);
 		$eventDispatcher->addServiceListener(UserLoggedInEvent::class, UserEventsListener::class);
 		$eventDispatcher->addServiceListener(UserLoggedInWithCookieEvent::class, UserEventsListener::class);
 		$eventDispatcher->addServiceListener(UserLoggedOutEvent::class, UserEventsListener::class);
+		if (!$util->isMasterKeyEnabled()) {
+			// Only make sense if no master key is used
+			$eventDispatcher->addServiceListener(UserCreatedEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(UserDeletedEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(BeforePasswordUpdatedEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(PasswordUpdatedEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(BeforePasswordResetEvent::class, UserEventsListener::class);
+			$eventDispatcher->addServiceListener(PasswordResetEvent::class, UserEventsListener::class);
+		}
 	}
 
-	public function registerEncryptionModule(IManager $encryptionManager) {
+	public function registerEncryptionModule(
+		IManager $encryptionManager,
+	) {
 		$container = $this->getContainer();
 
 		$encryptionManager->registerEncryptionModule(
diff --git a/apps/encryption/lib/Services/PassphraseService.php b/apps/encryption/lib/Services/PassphraseService.php
index 0786cd3399a..bdcc3f1108a 100644
--- a/apps/encryption/lib/Services/PassphraseService.php
+++ b/apps/encryption/lib/Services/PassphraseService.php
@@ -55,6 +55,11 @@ class PassphraseService {
 			return true;
 		}
 
+		if ($this->util->isMasterKeyEnabled()) {
+			$this->logger->error('setPassphraseForUser should never be called when master key is enabled');
+			return true;
+		}
+
 		// Check user exists on backend
 		$user = $this->userManager->get($userId);
 		if ($user === null) {