- With root installation
- Core css
- App inside server root
- Secondary apps directory outside server root
- With an installation in a sub directory
- Core css
- App inside server root
- Secondary apps directory outside server root
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
On a remembered login session, we create a new session token
in the database with the values of the old one. As we actually
don't need the old session token anymore, we can delete it right
away.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Otherwise its a normal string[] with the user ids, in that
case the array_merge did it's job just fine, apart from it
not being deduplicated.
The array+array is only needed when the user id is the key,
so integer only user ids are kept as they are instead of being
reindexed.
Regression from 3820d6883d
Signed-off-by: Joas Schilling <coding@schilljs.com>
Currently static CSS files work fine in apps outside of the root.
However, as soon as an app uses SCSS, Nextcloud starts being unable to
find the web root.
Fix this problem by backporting select snippets from master
specifically targeting this issue, and add a test to ensure it doesn't
regress.
Fix#5289
Signed-off-by: Kyle Fazzari <kyrofa@ubuntu.com>
Currently, if the app path includes a symlink, the calculated webDir
will be incorrect when generating CSS and URLs will be pointing to the
wrong place, breaking CSS.
Use realpath when retrieving app path, and these issues go away.
Fix#6028
Signed-off-by: Kyle Fazzari <kyrofa@ubuntu.com>
Seeking is not needed if the $from is 0, because then the pointer is already at the correct position. Additionally another fallback is added, that if the fseek fails it just uses an fread to skip the beginning of the file until it is at the correct position. This skipping is done with a chunked fread.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Object storage instances always fall back to the content based mimetype detection, because the file name for object storage was always random due to the fact that it was temporarily storage in a generated temp file. This patch adds a check before that to make sure to use the original file name for this purpose and also remove possible other extensions like the versioning or part file extension.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
This adjusts the contacts menu to also support searching by email address which is relevant in scenarios where no UID is known such as LDAP, etc.
Furthermore, if `shareapi_allow_share_dialog_user_enumeration` is disabled only results are shown that match the full user ID or email address.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
- Groups, which are excluded from sharing should not see local users at all
- If sharing is restricted to users own groups, he should only see contacts from his groups:
Signed-off-by: Tobia De Koninck <tobia@ledfan.be>
The CSP nonce is based on the CSRF token. This token does not change,
unless you log in (or out). In case of the session data being lost,
e.g. because php gets rid of old sessions, a new CSRF token is gen-
erated. While this is fine in theory, it actually caused some annoying
problems where the browser restored a tab and Nextcloud js was blocked
due to an outdated nonce.
The main problem here is that, while processing the request, we write
out security headers relatively early. At that point the CSRF token
is known/generated and transformed into a CSP nonce. During this request,
however, we also log the user in because the session information was
lost. At that point we also refresh the CSRF token, which eventually
causes the browser to block any scripts as the nonce in the header
does not match the one which is used to include scripts.
This patch adds a flag to indicate whether the CSRF token should be
refreshed or not. It is assumed that refreshing is only necessary
if we want to re-generate the session id too. To my knowledge, this
case only happens on fresh logins, not when we recover from a deleted
session file.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
In some not yet completely determined configurations, the following error could occur while writing a file:
Error: Call to a member function getUsers() on null
/var/www/nextcloud/lib/private/Share20/Manager.php - line 1277: OC\Share20\DefaultShareProvider->getAccessList(Array, true)
/var/www/nextcloud/lib/private/Share20/ShareHelper.php - line 51: OC\Share20\Manager->getAccessList(Object(OC\Files\Node\Folder), true, true)
/var/www/nextcloud/apps/activity/lib/FilesHooks.php - line 616: OC\Share20\ShareHelper->getPathsForAccessList(Object(OC\Files\Node\File))
/var/www/nextcloud/apps/activity/lib/FilesHooks.php - line 196: OCA\Activity\FilesHooks->getUserPathsFromPath('/path/to/file', 'user')
/var/www/nextcloud/apps/activity/lib/FilesHooks.php - line 157: OCA\Activity\FilesHooks->addNotificationsForFileAction('/path/to/file', 'file_changed', 'changed_self', 'changed_by')
/var/www/nextcloud/apps/activity/lib/FilesHooksStatic.php - line 55: OCA\Activity\FilesHooks->fileUpdate('/path/to/file')
/var/www/nextcloud/lib/private/legacy/hook.php - line 106: OCA\Activity\FilesHooksStatic fileUpdate(Array)
/var/www/nextcloud/lib/private/Files/View.php - line 1245: OC_Hook emit('OC_Filesystem', 'post_update', Array)
/var/www/nextcloud/lib/private/Files/View.php - line 1173: OC\Files\View->runHooks(Array, '/path/to/file', true)
/var/www/nextcloud/lib/private/Files/View.php - line 679: OC\Files\View->basicOperation('file_put_conten...', '/path/to/file', Array, '<?xml version="...')
/var/www/nextcloud/lib/private/Files/Node/File.php - line 64: OC\Files\View->file_put_contents('/path/to/file', '<?xml version="...')
[...]
Signed-off-by: Jan-Philipp Litza <janphilipp@litza.de>
* Store the auth state in the session so we don't have to query it every
time.
* Added some tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Any `\OCP\Authentication\IApacheBackend` previously had to implement `getLogoutAttribute` which returns a string.
This string is directly injected into the logout `<a>` tag, so returning something like `href="foo"` would result
in `<a href="foo">`.
This is rather error prone and also in Nextcloud 12 broken as the logout entry has been moved with
054e161eb5 inside the navigation manager where one cannot simply inject attributes.
Thus this feature is broken in Nextcloud 12 which effectively leads to the bug described at nextcloud/user_saml#112,
people cannot logout anymore when using SAML using SLO. Basically in case of SAML you have a SLO url which redirects
you to the IdP and properly logs you out there as well.
Instead of monkey patching the Navigation manager I decided to instead change `\OCP\Authentication\IApacheBackend` to
use `\OCP\Authentication\IApacheBackend::getLogoutUrl` instead where it can return a string with the appropriate logout
URL. Since this functionality is only prominently used in the SAML plugin. Any custom app would need a small change but
I'm not aware of any and there's simply no way to fix this properly otherwise.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
John Molakvoæ (skjnldsv)
Julius Härtl
Johannes Schlichenmaier
Christoph Wurst
Morris Jobke
Bjoern Schiessle
Robin Appelman
Nextcloud bot
Roeland Jago Douma
Arthur Schiwon
Joas Schilling
Kyle Fazzari
korelstar
Dariusz Olszewski
Roeland Jago Douma
William Pain
dartcafe
Lukas Reschke
Tobia De Koninck
Leon Klingele
Jan-Philipp Litza