fix(Setup/Frontend/Json): don't show auth data in anonymous call

thx @christian Pöschl of usd AG

see usd-2024-0002 | Tine 2023.11.2 - Password Leakage

Author: pschuele

tine20/Setup/Frontend/Json.php

@@ -269,14 +269,11 @@ public function saveEmailConfig($data)
 
     /**
      * Returns registry data of setup
-     * .
-     * @see Tinebase_Application_Json_Abstract
-     * 
-     * @return mixed array 'variable name' => 'data'
-     * 
-     * @todo add 'titlePostfix'    => Tinebase_Config::getInstance()->getConfig(Tinebase_Config::PAGETITLEPOSTFIX, NULL, '')->value here?
+     *
+     * @return array
+     * @throws Tinebase_Exception_InvalidArgument
      */
-    public function getRegistryData()
+    public function getRegistryData(): array
     {
         // anonymous registry
         $registryData =  array(
@@ -289,18 +286,23 @@ public function getRegistryData()
                 // NOTE: if assetHash is not available we have a serious problem -  please don't generate one!
                 'assetHash'     => Tinebase_Frontend_Http_SinglePageApplication::getAssetHash(),
             ),
-            'authenticationData'   => $this->loadAuthenticationData(),
         );
 
-        // authenticated or non existent config
+        // authenticated or non-existent config
         if (! Setup_Core::configFileExists() || Setup_Core::isRegistered(Setup_Core::USER)) {
             $registryData = array_merge($registryData, $this->checkConfig());
             $registryData = array_merge($registryData, array(
+                'authenticationData'   => Setup_Core::isRegistered(Setup_Core::USER)
+                    ? $this->loadAuthenticationData() : [],
                 'rights'               => ['admin'],
-                'acceptedTermsVersion' => (! empty($registryData['checkDB']) && $this->_controller->isInstalled('Tinebase')) ? Setup_Controller::getInstance()->getAcceptedTerms() : 0,
+                'acceptedTermsVersion' => (! empty($registryData['checkDB']) &&
+                    $this->_controller->isInstalled(''))
+                    ? Setup_Controller::getInstance()->getAcceptedTerms() : 0,
                 'setupChecks'          => $this->envCheck(),
                 'configData'           => $this->loadConfig(),
-                'emailData'            => (! empty($registryData['checkDB']) && $this->_controller->isInstalled('Tinebase')) ? $this->getEmailConfig() : array(),
+                'emailData'            => (! empty($registryData['checkDB'])
+                    && $this->_controller->isInstalled() && Setup_Core::isRegistered(Setup_Core::USER))
+                        ? $this->getEmailConfig() : array(),
             ));
         }
 
@@ -313,11 +315,11 @@ public function getRegistryData()
 
         return $registryData;
     }
-    
+
     /**
      * Returns registry data of all applications current user has access to
      * @see Tinebase_Application_Json_Abstract
-     * 
+     *
      * @return mixed array 'variable name' => 'data'
      *
      * TODO DRY: most of this already is part of Tinebase_Frontend_Json::_getAnonymousRegistryData
@@ -328,7 +330,7 @@ public function getAllRegistryData()
         Setup_Controller::getInstance()->clearCache();
 
         $registryData['Setup'] = $this->getRegistryData();
-        
+
         // setup also need some core tinebase regdata
         $locale = Tinebase_Core::get('locale');
         $symbols = Zend_Locale::getTranslationList('symbols', $locale);
@@ -338,7 +340,7 @@ public function getAllRegistryData()
             'timeZone'         => Setup_Core::getUserTimezone(),
             'jsonKey'          => Setup_Core::get('jsonKey'),
             'locale'           => array(
-                'locale'   => $locale->toString(), 
+                'locale'   => $locale->toString(),
                 'language' => Zend_Locale::getTranslation($locale->getLanguage(), 'language', $locale),
                 'region'   => Zend_Locale::getTranslation($locale->getRegion(), 'country', $locale),
             ),