Commit Graph

190 Commits

Author SHA1 Message Date
Roeland Jago Douma 0660e57b1f
Don't polute log when loggin into dav with email
* We first try the email as username but this fails
* Then we get the uid from the email and try again

We should not log the first attempt since it polutes the log with failed
login attempts while the login actually is valid.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-23 09:41:44 +01:00
Arthur Schiwon 4f3d52a364
never translate login names when requiring with a user id
where appropriate, the preLoginNameUsedAsUserName hook should be thrown.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-01-03 13:25:00 +01:00
Robin Appelman aad01894e3
refactor user searching
add additional user searching tests

Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-12-20 15:51:37 +01:00
Abijeet ec28c54dbc Adds search by email function on the users screen.
Fixes #7175.

- Updated the query to fetch the users in users > everyone tab.
- Updated the query to fetch the users in users > admin tab.
- Tested to ensure that the disabled users are also being fetched.
- Added test cases.

Signed-off-by: Abijeet <abijeetpatro@gmail.com>
2017-12-16 17:18:05 +05:30
Morris Jobke eb0f3ebf75
Fix search in user managent when no group is selected
* also allows to search by displayname

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-14 17:32:03 +01:00
Morris Jobke 31c5c2a592
Change @georgehrke's email
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 20:38:59 +01:00
Morris Jobke 0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Christoph Wurst 87aeae21e3
Fix failing csp/nonce check due to timed out session
The CSP nonce is based on the CSRF token. This token does not change,
unless you log in (or out). In case of the session data being lost,
e.g. because php gets rid of old sessions, a new CSRF token is gen-
erated. While this is fine in theory, it actually caused some annoying
problems where the browser restored a tab and Nextcloud js was blocked
due to an outdated nonce.
The main problem here is that, while processing the request, we write
out security headers relatively early. At that point the CSRF token
is known/generated and transformed into a CSP nonce. During this request,
however, we also log the user in because the session information was
lost. At that point we also refresh the CSRF token, which eventually
causes the browser to block any scripts as the nonce in the header
does not match the one which is used to include scripts.
This patch adds a flag to indicate whether the CSRF token should be
refreshed or not. It is assumed that refreshing is only necessary
if we want to re-generate the session id too. To my knowledge, this
case only happens on fresh logins, not when we recover from a deleted
session file.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-09-04 17:29:26 +02:00
Lukas Reschke ed8a98eaa1
Prevent SQL error message in case of error
`\OC\User\Database::createUser` can throw a PHP exception in case the UID is longer than
permitted in the database. This is against it's PHPDocs and we should cast this to `false`,
so that the regular error handling triggers in.

The easiest way to reproduce is on MySQL:

1. Create user `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` in admin panel
2. Create user `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` in admin panel again
3. See SQL exception as error message

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-17 12:08:40 +02:00
Joas Schilling 20f8d1094a
Can not insert auto increment on oracle
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-08-02 09:48:16 +02:00
Robin Appelman 5185a3c0c9
null users dont exist
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-07-13 15:53:14 +02:00
Joas Schilling b726204f91
Create users in non default backends first
Most of the time, when people have multiple backends or add a
custom backend, they want to create the users there and not in
the default backend. But since that is registered first, users
were always created there.

Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-06-20 19:59:41 +02:00
Arthur Schiwon 999455c1aa
emit changeUser only if there really was a change (quota, displayname)
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-06-01 11:34:17 +02:00
Lukas Reschke 5f71805c35
Add basic implementation for OAuth 2.0 Authorization Code Flow
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-18 20:49:03 +02:00
Christoph Wurst 0a43c259c4
Fix encryption + remembered login due to missing login hook
The encryption app relies on the post_login hook to initialize its keys.
Since we do not emit it on a remembered login, the keys were always un-
initialized and the user was asked to log out and in again.
This patch *translates* the postRememberedLogin hook to a post_login
hook.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-05-16 08:41:11 +02:00
Joas Schilling 975e572a3d
Remove account data on user deletion
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-15 13:31:31 +02:00
Robin Appelman 2b0da0f218
handle permissions errors when copying the skeleton for a read only user
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-05-05 14:44:51 +02:00
Arthur Schiwon 668fe7df51
UserManager can now count disabled users
Users page takes advantage of that

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-29 00:59:09 -03:00
Joas Schilling 9212089151
Use the new method in the old one to remove duplicate code
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-27 08:56:51 +02:00
Joas Schilling 9e6ac3de70
Allow to create a user for a specific backend
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-26 15:07:11 +02:00
Joas Schilling ac0c21f4a7
Trigger change when a user is enabled/disabled
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-25 17:20:35 +02:00
Joas Schilling a3922bbcdc
Better validation of allowed user names
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-18 14:29:34 +02:00
Roeland Jago Douma f40b9fa9bd Merge pull request #4330 from nextcloud/activities-for-password-mail-change
Add activities when email or password is changed
2017-04-14 08:16:43 +02:00
Morris Jobke d36751ee38 Merge pull request #2424 from nextcloud/fix-login-controller-test-consolidate-login
Fix login controller test and consolidate login
2017-04-13 12:16:38 -05:00
Morris Jobke ac05d6dd67
Improve PHPDoc
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-13 12:16:12 -05:00
Joas Schilling 1110b51aa3
Allow to read the old email on the hook as well
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-13 12:34:02 +02:00
Joas Schilling 7ad791efb4
Dont create a log entry on email login
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-07 10:15:20 +02:00
Arthur Schiwon fbadb37b9b
use known LockdownManager
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:27:30 +02:00
Arthur Schiwon 0a463e55ae
Save correct login name
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:22:43 +02:00
Arthur Schiwon daf9d23547
don't regenerate Session ID twice, also fixes tests
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:22:43 +02:00
Arthur Schiwon 50844e8c47
regenerate session id on successful login, fixes integration test
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:22:43 +02:00
Arthur Schiwon 7b3fdfeeaa
do login routine only once when done via LoginController
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:22:42 +02:00
Robin Appelman baec42e80a
Save the scope of an auth token in the session
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-04-05 17:58:33 +02:00
Robin Appelman 0aeb595784
user ids are strings
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-03-30 12:24:46 +02:00
Morris Jobke d197f609a8 Merge pull request #3889 from nextcloud/downstream-26950
Sharing dialog: make autocomplete sorting case insensitive
2017-03-23 23:45:28 -06:00
Morris Jobke dbaebc53b0
fix sorting in the backend
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-23 15:41:25 -06:00
Joas Schilling 257fbd85eb Merge pull request #3929 from nextcloud/downstream-27068
cache loadUser if not exists
2017-03-20 12:44:54 +01:00
Vincent Petry aacfef463c
Add tests for database user backend caching
Add comment, closeCursor in user DB query

Invalidate user in cache after successful creation

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-20 02:03:03 -06:00
Jörn Friedrich Dreyer 592c04a9db
cache loadUser if not exists
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-20 02:01:41 -06:00
Felix Rupp e7dc1f4326
Add postLogout hook to finish sessions from external session managers (#27048)
* Add postLogout hook to finish sessions from external session managers like CAS

* Add postLogout hook to finish sessions from external session managers like CAS

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-19 23:00:12 -06:00
Lukas Reschke d134dea508
Don't call function in constructor
The constructor is iniitiated already very early in base.php, thus requiring this here will break the setup and some more. For now we probably have to live with a static function call here thus.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 21:59:47 +01:00
Lukas Reschke 085891a15d
Escape like parameters in database user backend
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-15 22:46:40 +01:00
Morris Jobke a5ba1f7803
Remove legacy class OC_Group and OC_User
* basically a straight replacement of the wrapped code at the calling code parts

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-09 17:35:09 -06:00
blizzz 19fc68cbdc Merge pull request #2606 from temparus/master
Add preLoginValidation hook
2017-02-15 21:47:47 +01:00
Morris Jobke dfaaebd765 Merge pull request #3417 from nextcloud/push-notification
Push notification
2017-02-10 16:00:47 -06:00
Joas Schilling 7c47f822a1
Save the used token id in the session so it can be used later on
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-09 15:02:59 +01:00
Robin Appelman fa49c4a13b
Add a single public api for resolving a cloud id to a user and remote and back
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-02-08 15:17:02 +01:00
Sandro Lutz 9b6f99ab08 Update license header
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-07 01:25:39 +01:00
Sandro Lutz fa1d607bfa Merge remote-tracking branch 'nextcloud/master'
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-07 00:15:30 +01:00
Sandro Lutz 6feff0ceba Add check if UserManager is of type PublicEmitter before calling preLogin hook
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-01 21:53:50 +01:00
Sandro Lutz e30d28f7eb Change where preLogin hook gets called
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-01 21:53:42 +01:00
Morris Jobke a4ad8af6e3
Add proper default value for datadir
* better safe than sorry
* fixes #3091

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-01-19 19:49:41 -06:00
Bjoern Schiessle cdf01feba7
add action to existing brute force protection
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
Loki3000 8ab16f87ac spaces added 2017-01-10 16:44:14 +03:00
Loki3000 5c77923360 allowed '0' uid 2017-01-10 16:39:10 +03:00
Loki3000 b0ff59d42f remove non required db requests 2017-01-10 13:09:33 +03:00
Loki3000 135198bf0d Default value for null user
For guest users on every request executes query:
SELECT `uid`, `displayname` FROM `users` WHERE LOWER(`uid`) = LOWER(null)
as I see, uid can't be equal to null by design.
2017-01-09 23:34:23 +03:00
Joas Schilling 5aa388bbe2
Make sure the loginname is set when logging in via cookie
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-01-05 12:17:30 +01:00
Vincent Petry 91cd57e55b
Get user home folder before deletion
After the deletion getHome() will fail because the user doesn't exist
any more, so we need to fetch that value earlier.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-12-23 12:42:31 +01:00
Roeland Jago Douma e368a745aa
Set last-login-check on basic auth
Else the last-login-check fails hard because the session value is not
set and thus defaults to 0.

* Started with tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-12-05 20:57:15 +01:00
Christoph Wurst 9b808c4014 do not remember session tokens by default
We have to respect the value of the remember-me checkbox. Due to an error
in the source code the default value for the session token was to remember
it.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-27 14:03:28 +01:00
Robin Appelman 0e88b519d1
fix warning with token login
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 16:33:56 +01:00
Robin Appelman 2389e0f250
read lockdown scope from token
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:27 +01:00
Robin Appelman b56f2c9ed0
basic lockdown logic
Signed-off-by: Robin Appelman <icewind@owncloud.com>
2016-11-16 15:24:23 +01:00
Roeland Jago Douma f07d75a4dd
@since 9.2.0 to @since 11.0.0
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-15 18:51:52 +01:00
Thomas Müller 506ccdbd8d
Introduce an event for first time login based on the last login time stamp
Use firstLogin event to trigger creation of default calendar and default address book

Delay login of admin user after setup so that firstLogin event can properly be processed for the admin

Fixing tests ...

Skeleton files are not copied over -> only 3 cache entries are remaining

Use updateLastLoginTimestamp to properly setup lastLogin value for a test user
2016-11-14 14:50:10 +01:00
Christoph Wurst 6f86e468d4
inject ISecureRandom into user session and use injected config too
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Christoph Wurst d907666232
bring back remember-me
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Roeland Jago Douma f722640a32
Proper DI of config
* Fixed comments

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-28 10:13:35 +02:00
Jörn Friedrich Dreyer f8352fcb8d
introduce callForSeenUsers and countSeenUsers (#26361)
* introduce callForSeenUsers and countSeenUsers

* add tests

* oracle should support not null on clob

* since 9.2.0
2016-10-28 08:44:05 +02:00
Vincent Petry 6d1e858aa4
Fix logClientIn for non-existing users (#26292)
The check for two factor enforcement would return true for non-existing
users. This fix makes it return false in order to be able to perform
the regular login which will then fail and return false.

This prevents throwing PasswordLoginForbidden for non-existing users.
2016-10-25 09:34:27 +02:00
Robin Appelman 25ed6714c7
dont update the auth token twice
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-10-11 11:05:25 +02:00
Roeland Jago Douma 1273d82e8b
Cache non existing DB user
We always query the database backend. Even if we use a different one
(ldap for example). Now we do this everytime we try to get a user object
so caching that a user is not in the DB safes some queries on each
request then (at least 2 what I found).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-10 09:30:36 +02:00
Joas Schilling 4d1acfd4ef
Only trigger postDelete hooks when the user was deleted...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-09-29 15:40:53 +02:00
Joas Schilling 5b7b8f8dac
Remove notifications upon user deletion
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-09-29 15:40:52 +02:00
Lukas Reschke 57f9117843 Merge pull request #1087 from nextcloud/get-delay-twice
dont get bruteforce delay twice
2016-08-30 18:43:01 +02:00
Thomas Müller 82e8762c84
Fix issues where some user settings cannot be loaded when the user id differs in case sensitivity - fixes #25684 (#25686) 2016-08-29 14:33:16 +02:00
Robin Appelman 6c93fe08f5 dont get bruteforce delay twice 2016-08-29 13:36:49 +02:00
Roeland Jago Douma 6c360ad79f
Add PHPdoc 2016-08-15 11:14:28 +02:00
Jörn Friedrich Dreyer 291b3fd8b4
missing PHPDoc 2016-08-14 19:37:52 +02:00
Jörn Friedrich Dreyer da5633c31a
Type compatability 2016-08-14 19:37:37 +02:00
Jörn Friedrich Dreyer 3593668413
Method is deprecated 2016-08-14 19:37:11 +02:00
Jörn Friedrich Dreyer 5aef60d2ca
Unreachable statement 2016-08-14 19:36:42 +02:00
Jörn Friedrich Dreyer d2a16c4dc8
Unnecessary fully qualified names 2016-08-14 19:36:06 +02:00
michag86 5fb39bd0cb Apply password policy on user creation 2016-08-03 11:52:15 +02:00
Joas Schilling 0215b004da
Update with robin 2016-07-21 18:13:58 +02:00
Joas Schilling ba87db3fcc
Fix others 2016-07-21 18:13:57 +02:00
Lukas Reschke c1589f163c
Mitigate race condition 2016-07-20 23:09:27 +02:00
Lukas Reschke ba4f12baa0
Implement brute force protection
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Lukas Reschke 179a355b2c Merge remote-tracking branch 'upstream/master' into master-sync-upstream 2016-07-01 11:36:35 +02:00
Christoph Wurst 1710de8afb Login hooks (#25260)
* fix login hooks

* adjust user session tests

* fix login return value of successful token logins

* trigger preLogin hook earlier; extract method 'loginWithPassword'

* call postLogin hook earlier; add PHPDoc
2016-06-27 22:16:22 +02:00
Lukas Reschke 6670d37658 Merge remote-tracking branch 'upstream/master' into master-sync-upstream 2016-06-27 18:23:00 +02:00
Bjoern Schiessle 2a990a0db5
verify user password on change 2016-06-27 14:08:11 +02:00
Christoph Wurst 89198e62e8 check login name when authenticating with client token 2016-06-24 13:57:09 +02:00
Vincent Petry 3db5de95bd Merge pull request #25172 from owncloud/token-login-validation
Token login validation
2016-06-22 13:58:56 +02:00
Christoph Wurst b805908dca
update session token password on user password change 2016-06-21 10:24:25 +02:00
Christoph Wurst 56199eba37
fix unit test warning/errors 2016-06-20 10:41:23 +02:00
Christoph Wurst 9d74ff02a4
fix nitpick 2016-06-20 09:13:47 +02:00
Christoph Wurst 1889df5c7c
dont create a session token for clients, validate the app password instead 2016-06-17 15:42:28 +02:00
Christoph Wurst 0c0a216f42
store last check timestamp in token instead of session 2016-06-17 15:42:28 +02:00