There are authentication backends such as Shibboleth that do send no Basic Auth credentials for DAV requests. This means that the ownCloud DAV backend would consider these requests coming from an untrusted source and require higher levels of security checks. (e.g. a CSRF check)
While an elegant solution would rely on authenticating via token (so that one can properly ensure that the request came indeed from a trusted client) this is a okay'ish workaround for this problem until we have something more reliable in the authentication code.
In 9.0 we converted the old shares to the new shares. So for 9.1 we can
savely remove the fallback code.
This code was required when there was no initiator set.
* Fixed unit tests
jquery.fileupload offers the [`pastezone`](https://github.com/blueimp/jQuery-File-Upload/wiki/Options#pastezone) functionality. This functionality is enabled by default and if somebody copy-pastes something into Chrome it will automatically trigger an upload of the content to any configured jquery.fileupload element embedded in the JS.
This implementation triggers some problems:
1. The pastezone is defined globally by default (🙈). So if there are multiple fileupload's on a page (such as in the personal settings) then stuff is going to be uploaded to all embedded uploads.
2. Our server code is not able to parse the data. For example for uploads in the files app we expect a file name which is not specified => Just an error is thrown. You can reproduce this by taking a file into your clipboard and in Chrome then pressing <kbd>CTRL + V</kbd>.
3. When copy-pasting some string from MS Office on the personal page a temporary avatar with said content is created.
Considering that this is anyways was never working at all and causes bugs I've set the `pastezone` to `null`. This mens that upload via copy and paste will be disabled.
Lesson learned: Third-party JS libraries can have some weird details.
When installing ownCloud with autotest and MySQL some log entries may be created which will invoke the logging class. IUserSession has a dependency on the database which will make the installation fail => 💣
Whenever a user navigates away, all ajax calls will fail with the same
result like a cross-domain redirect (SSO). To distinguish these cases,
we need to detect whether the error is a result of the user navigating
away. For this, we introduce a new flag that will be set in
"beforeunload".
Additional handling was required for false positives in case "beforeunload" is
used (ex: cancelled upload) and the user cancelled the navigation.
If the class already exists we should not load it twice. Since the composer autoloader is also used in core this could otherwise load a file twice.
This leads to problems otherwise with case insensitive operating systems like OS X. We can get rid of this once all file names in OC follow PSR-4, until then we probably need this check.
Lukas Reschke
Jenkins for ownCloud
Achim Königs
Thomas Müller
Vincent Petry
Joas Schilling
Roeland Jago Douma