Make SecurityMiddleware strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
parent
7da0812186
commit
340e8ef16c
|
@ -1,4 +1,5 @@
|
||||||
<?php
|
<?php
|
||||||
|
declare(strict_types=1);
|
||||||
/**
|
/**
|
||||||
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
||||||
*
|
*
|
||||||
|
@ -111,9 +112,9 @@ class SecurityMiddleware extends Middleware {
|
||||||
INavigationManager $navigationManager,
|
INavigationManager $navigationManager,
|
||||||
IURLGenerator $urlGenerator,
|
IURLGenerator $urlGenerator,
|
||||||
ILogger $logger,
|
ILogger $logger,
|
||||||
$appName,
|
string $appName,
|
||||||
$isLoggedIn,
|
bool $isLoggedIn,
|
||||||
$isAdminUser,
|
bool $isAdminUser,
|
||||||
ContentSecurityPolicyManager $contentSecurityPolicyManager,
|
ContentSecurityPolicyManager $contentSecurityPolicyManager,
|
||||||
CsrfTokenManager $csrfTokenManager,
|
CsrfTokenManager $csrfTokenManager,
|
||||||
ContentSecurityPolicyNonceManager $cspNonceManager,
|
ContentSecurityPolicyNonceManager $cspNonceManager,
|
||||||
|
@ -156,10 +157,8 @@ class SecurityMiddleware extends Middleware {
|
||||||
throw new NotLoggedInException();
|
throw new NotLoggedInException();
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!$this->reflector->hasAnnotation('NoAdminRequired')) {
|
if(!$this->reflector->hasAnnotation('NoAdminRequired') && !$this->isAdminUser) {
|
||||||
if(!$this->isAdminUser) {
|
throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
|
||||||
throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -212,7 +211,7 @@ class SecurityMiddleware extends Middleware {
|
||||||
* @param Response $response
|
* @param Response $response
|
||||||
* @return Response
|
* @return Response
|
||||||
*/
|
*/
|
||||||
public function afterController($controller, $methodName, Response $response) {
|
public function afterController($controller, $methodName, Response $response): Response {
|
||||||
$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
|
$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
|
||||||
|
|
||||||
if (get_class($policy) === EmptyContentSecurityPolicy::class) {
|
if (get_class($policy) === EmptyContentSecurityPolicy::class) {
|
||||||
|
@ -241,14 +240,14 @@ class SecurityMiddleware extends Middleware {
|
||||||
* @throws \Exception the passed in exception if it can't handle it
|
* @throws \Exception the passed in exception if it can't handle it
|
||||||
* @return Response a Response object or null in case that the exception could not be handled
|
* @return Response a Response object or null in case that the exception could not be handled
|
||||||
*/
|
*/
|
||||||
public function afterException($controller, $methodName, \Exception $exception) {
|
public function afterException($controller, $methodName, \Exception $exception): Response {
|
||||||
if($exception instanceof SecurityException) {
|
if($exception instanceof SecurityException) {
|
||||||
if($exception instanceof StrictCookieMissingException) {
|
if($exception instanceof StrictCookieMissingException) {
|
||||||
return new RedirectResponse(\OC::$WEBROOT);
|
return new RedirectResponse(\OC::$WEBROOT);
|
||||||
}
|
}
|
||||||
if (stripos($this->request->getHeader('Accept'),'html') === false) {
|
if (stripos($this->request->getHeader('Accept'),'html') === false) {
|
||||||
$response = new JSONResponse(
|
$response = new JSONResponse(
|
||||||
array('message' => $exception->getMessage()),
|
['message' => $exception->getMessage()],
|
||||||
$exception->getCode()
|
$exception->getCode()
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
|
|