Make SecurityMiddleware strict

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2018-03-08 10:11:47 +01:00
parent 7da0812186
commit 340e8ef16c
No known key found for this signature in database
GPG Key ID: F941078878347C0C
1 changed files with 9 additions and 10 deletions


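--- a/SecurityMiddleware.php
+++ b/SecurityMiddleware.php
@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 /**
 * @copyright Copyright (c) 2016, ownCloud, Inc.
 *
@@ -111,9 +112,9 @@ class SecurityMiddleware extends Middleware {
 INavigationManager $navigationManager,
 IURLGenerator $urlGenerator,
 ILogger $logger,
-$appName,
-$isLoggedIn,
-$isAdminUser,
+string $appName,
+bool $isLoggedIn,
+bool $isAdminUser,
 ContentSecurityPolicyManager $contentSecurityPolicyManager,
 CsrfTokenManager $csrfTokenManager,
 ContentSecurityPolicyNonceManager $cspNonceManager,
@@ -156,10 +157,8 @@ class SecurityMiddleware extends Middleware {
 throw new NotLoggedInException();
 }
-if(!$this->reflector->hasAnnotation('NoAdminRequired')) {
-if(!$this->isAdminUser) {
-throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
-}
+if(!$this->reflector->hasAnnotation('NoAdminRequired') && !$this->isAdminUser) {
+throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
 }
 }
@@ -212,7 +211,7 @@ class SecurityMiddleware extends Middleware {
 * @param Response $response
 * @return Response
 */
-public function afterController($controller, $methodName, Response $response) {
+public function afterController($controller, $methodName, Response $response): Response {
 $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
 if (get_class($policy) === EmptyContentSecurityPolicy::class) {
@@ -241,14 +240,14 @@ class SecurityMiddleware extends Middleware {
 * @throws \Exception the passed in exception if it can't handle it
 * @return Response a Response object or null in case that the exception could not be handled
 */
-public function afterException($controller, $methodName, \Exception $exception) {
+public function afterException($controller, $methodName, \Exception $exception): Response {
 if($exception instanceof SecurityException) {
 if($exception instanceof StrictCookieMissingException) {
 return new RedirectResponse(\OC::$WEBROOT);
 }
 if (stripos($this->request->getHeader('Accept'),'html') === false) {
 $response = new JSONResponse(
-array('message' => $exception->getMessage()),
+['message' => $exception->getMessage()],
 $exception->getCode()
 );
 } else {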
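Review bot: The docblock line `@return Response a Response object or null in case that the exception could not be handled` is now contradicted by the `: Response` return type added to `afterException`; under the new signature a `return null;` on the not-handled path is a TypeError rather than the documented outcome, so the line should read `@return Response the response for a handled SecurityException` and the existing `@throws \Exception the passed in exception if it can't handle it` should be the only advertised escape. The body of `afterException` continues past the end of this hunk, so whether the fallthrough path re-throws (correct) or still returns null (now a runtime error thrown from inside exception handling) is not visible here and should be checked. With `declare(strict_types=1)` now in force, the `stripos($this->request->getHeader('Accept'),'html')` call on the unchanged line would also raise a TypeError if `getHeader()` can return null for an absent Accept header instead of an empty string — presumably it returns a string, but that is worth confirming against the IRequest contract, since a failure here turns a handled security exception into an unhandled one.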