From e9c3533c9306dd8ee4125d8458745703ea383412 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Thu, 19 Mar 2020 14:21:32 +0100
Subject: [PATCH] avoid misconfiguration of user "anonymous" NOT flaged as such
---
 admin/inc/class.admin_cmd_edit_user.inc.php | 5 ++++-
 api/src/Sharing.php | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/admin/inc/class.admin_cmd_edit_user.inc.php b/admin/inc/class.admin_cmd_edit_user.inc.php
index d10325323e..d2be5872cd 100644
--- a/admin/inc/class.admin_cmd_edit_user.inc.php
+++ b/admin/inc/class.admin_cmd_edit_user.inc.php
@@ -104,7 +104,10 @@ class admin_cmd_edit_user extends admin_cmd_change_pw
 }
 $data['changepassword'] = admin_cmd::parse_boolean($data['changepassword'],$this->account ? null : true);
- $data['anonymous'] = admin_cmd::parse_boolean($data['anonymous'],$this->account ? null : false);
+ $data['anonymous'] = admin_cmd::parse_boolean($data['anonymous'],$this->account ? null : false) ||
+ // automatic set anonymous flag for username "anonymous", to not allow to create anonymous user without it
+ ($data['account_lid'] ?: admin_cmd::$accounts->id2name($this->account)) === 'anonymous';
+
 if ($data['mustchangepassword'] && $data['changepassword'])
 {
 $data['account_lastpwd_change']=0;
diff --git a/api/src/Sharing.php b/api/src/Sharing.php
index e1e5b997fc..8b842de6c5 100644
--- a/api/src/Sharing.php
+++ b/api/src/Sharing.php
@@ -482,7 +482,8 @@ class Sharing
 // sharing is for a different share, change to current share
 if ($this->share['share_token'] !== self::get_token())
 {
- self::create_session($GLOBALS['egw']->session->session_flags === 'N');
+ self::create_session($GLOBALS['egw']->session->session_flags === 'N' ||
+ $GLOBALS['egw_info']['user']['account_lid'] === 'anonymous');
 return $GLOBALS['egw']->sharing->ServeRequest();
 }
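Review bot: In the admin_cmd_edit_user hunk the added `||` turns the result into a strict boolean, so for an existing account edited without an `anonymous` value the field is now `false` where `parse_boolean(..., null)` presumably returned `null`. If code after the hunk treats `null` as "leave the flag unchanged", as the `$this->account ? null : false` default suggests, every such edit would clear the anonymous flag on accounts whose login name is not "anonymous". Keeping the parsed value and only overriding it on a name match avoids this: `$data['anonymous'] = admin_cmd::parse_boolean($data['anonymous'],$this->account ? null : false);` followed by `if (($data['account_lid'] ?: admin_cmd::$accounts->id2name($this->account)) === 'anonymous') $data['anonymous'] = true;`. The enclosing method starts and ends outside the hunk, so the null handling should be confirmed there.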
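Review bot: The second operand added to `self::create_session(...)` in api/src/Sharing.php has no comment saying why the login name is consulted next to `session_flags === 'N'`, and it repeats the literal `'anonymous'` that the admin_cmd_edit_user hunk also hard-codes. A comment on the added line such as `// fall back to the login name for an "anonymous" account that was saved without the anonymous flag` would make the intent readable, and a shared constant for the name would keep the two checks in step. The comparison is exact and case-sensitive; whether login names can differ in case here is not visible in the hunk. The enclosing method starts and ends outside the hunk.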