use new controllermethodreflector for corsmiddleware

This commit is contained in:
Bernhard Posselt 2014-05-11 17:55:59 +02:00
parent 474b8f071d
commit 63f2f16b85
3 changed files with 27 additions and 11 deletions

View File

@ -104,7 +104,10 @@ class DIContainer extends SimpleContainer implements IAppContainer{
});
$this['CORSMiddleware'] = $this->share(function($c) {
return new CORSMiddleware($c['Request']);
return new CORSMiddleware(
$c['Request'],
$c['ControllerMethodReflector']
);
});
$middleWares = &$this->middleWares;

View File

@ -11,7 +11,7 @@
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Utility\MethodAnnotationReader;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OCP\IRequest;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Middleware;
@ -25,12 +25,16 @@ use OCP\AppFramework\Middleware;
class CORSMiddleware extends Middleware {
private $request;
private $reflector;
/**
* @param IRequest $request
* @param ControllerMethodReflector $reflector
*/
public function __construct(IRequest $request) {
public function __construct(IRequest $request,
ControllerMethodReflector $reflector) {
$this->request = $request;
$this->reflector = $reflector;
}
@ -46,10 +50,9 @@ class CORSMiddleware extends Middleware {
*/
public function afterController($controller, $methodName, Response $response){
// only react if its a CORS request and if the request sends origin and
$reflector = new MethodAnnotationReader($controller, $methodName);
if(isset($this->request->server['HTTP_ORIGIN']) &&
$reflector->hasAnnotation('CORS')) {
$this->reflector->hasAnnotation('CORS')) {
// allow credentials headers must not be true or CSRF is possible
// otherwise
@ -57,7 +60,7 @@ class CORSMiddleware extends Middleware {
if(strtolower($header) === 'access-control-allow-credentials' &&
strtolower(trim($value)) === 'true') {
$msg = 'Access-Control-Allow-Credentials must not be '.
'set to true in order to prevent CSRF';
'set to true in order to prevent CSRF';
throw new SecurityException($msg);
}
}

View File

@ -13,11 +13,19 @@
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Http\Request;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OCP\AppFramework\Http\Response;
class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
private $reflector;
protected function setUp() {
$this->reflector = new ControllerMethodReflector();
}
/**
* @CORS
*/
@ -25,11 +33,11 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
$request = new Request(
array('server' => array('HTTP_ORIGIN' => 'test'))
);
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector);
$middleware = new CORSMiddleware($request);
$response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders();
$this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
}
@ -38,7 +46,7 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
$request = new Request(
array('server' => array('HTTP_ORIGIN' => 'test'))
);
$middleware = new CORSMiddleware($request);
$middleware = new CORSMiddleware($request, $this->reflector);
$response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders();
@ -51,8 +59,9 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
*/
public function testNoOriginHeaderNoCORSHEADER() {
$request = new Request();
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector);
$middleware = new CORSMiddleware($request);
$response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders();
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
@ -67,7 +76,8 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
$request = new Request(
array('server' => array('HTTP_ORIGIN' => 'test'))
);
$middleware = new CORSMiddleware($request);
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector);
$response = new Response();
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');