Roeland Jago Douma
b0c2042a28
Merge pull request #15714 from nextcloud/fix/204_304_rfc
...
Check the actual status code for 204 and 304
2019-05-24 19:51:01 +02:00
Roeland Jago Douma
b0c030cbb5
Check the actual status code for 204 and 304
...
The header is the full http header like: HTTP/1.1 304 Not Modified
So comparing this to an int always yields false
This also makes the 304 RFC compliant as the resulting content length
should otherwise be the length of the message and not 0.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2019-05-24 15:18:32 +02:00
Christoph Wurst
22ae682823
Make it possible to show admin settings for sub admins
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-23 20:31:40 +02:00
Roeland Jago Douma
7276735eb4
Set empty CSP by default
...
For #14179
By default responses should have the strictest (and simplest) CSP
possible. Only template responses should require an actual CSP.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-04-16 14:09:39 +02:00
Marius David Wieschollek
5aeb8eac2b
[ #11236 ] Set parameter type in QBMapper
...
Signed-off-by: Marius David Wieschollek <git.public@mdns.eu>
2019-03-24 22:43:45 +01:00
Roeland Jago Douma
b68567e9ba
Add StandaloneTemplateResponse
...
This can be used by pages that do not have the full Nextcloud UI.
So notifications etc do not load there.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-06 11:26:18 +01:00
Roeland Jago Douma
d88604015a
No need to emit additonalscript event on public pages
...
There already is a separate event for this. This will make it possible
to only inject code with the logged in one on default rendered pages.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-05 20:59:36 +01:00
Roeland Jago Douma
d182037bce
Emit to load additionalscripts
...
Fixes #13662
This will fire of an event after a Template Response has been returned.
There is an event for the generic loading and one when logged in. So
apps can chose to load only on loged in pages.
This is a more generic approach than the files app event. As some things
we might want to load on other pages as well besides the files app.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-31 12:11:40 +01:00
Joas Schilling
f8b74cf0a5
Allow resources via OCS as well
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-01-22 14:18:58 +01:00
Roeland Jago Douma
ad676c0102
Set default frame-ancestors to 'self'
...
For #13042
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-08 15:36:40 +01:00
Roeland Jago Douma
64244e1a4f
CSP: Allow fonts to be provided in data
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-07 15:07:06 +01:00
Roeland Jago Douma
54ff913de6
Cleanup middleware registering
...
Fixes #12224
Since we only use the middleware at 1 location it makes no sense to
register them in each and every container.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-03 11:50:01 +01:00
Roeland Jago Douma
514426e27d
Only trust the X-FORWARDED-HOST header for trusted proxies
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-12-17 15:54:45 +01:00
Roeland Jago Douma
0e5147f001
Fix tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:37 +01:00
Oliver Wegner
401ca28f07
Adding handling of CIDR notation to trusted_proxies for IPv4
...
Signed-off-by: Oliver Wegner <void1976@gmail.com>
2018-10-30 09:15:42 +01:00
Roeland Jago Douma
579822b6a5
Add report-uri to CSP
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 13:38:32 +02:00
Roeland Jago Douma
5b61ef9213
Disallow unsafe-eval by default
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-14 20:45:34 +02:00
Roeland Jago Douma
8c1e75e052
Do not use file as template parameter
...
Using file will overwrite the $file parameter in the template base.
Leading to trying to include a file that is the exception message. Which
will of course fail.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-08-09 16:45:25 +02:00
Roeland Jago Douma
5455045a9b
Fix direct access to authen page
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-20 08:57:13 +02:00
Roeland Jago Douma
1bb8bc8ff9
Add AuthPublicShareControllerTest
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-20 08:53:38 +02:00
Roeland Jago Douma
61e445da88
Add PublicShareControllerTests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-20 08:53:38 +02:00
Roeland Jago Douma
e7338173e8
Add PublicShareMiddlewareTest
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-20 08:53:37 +02:00
Roeland Jago Douma
a34495933e
Move caching logic to response
...
This avoids having to do it at all the places we want cached responses.
We can't inject the ITimeFactor without breaking public API.
However we can perfectly overwrite the service (resulting in the same
testable effect).
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-04 08:48:54 +02:00
Morris Jobke
a2db959f5c
Merge pull request #8593 from eneiluj/master
...
Allow public page access to apps with group restrictions
2018-03-08 11:27:52 +01:00
Roeland Jago Douma
3ad7daeda5
Add tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-08 11:05:18 +01:00
Roeland Jago Douma
d179186430
Remove testcase
...
Since a token now always requires a string we don't need to test for
null
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 16:14:46 +01:00
Julius Härtl
5a4aa2b7dd
Add test for PublicTemplateResponse
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:53 +01:00
Morris Jobke
a60d7a8563
Merge pull request #8541 from nextcloud/translate-permission-error-page
...
Provide translated error message for permission error
2018-02-26 17:50:21 +01:00
Morris Jobke
cf35c4b03a
Provide translated error message for permission error
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-26 17:00:29 +01:00
Roeland Jago Douma
0ee45d3d20
Fix proper types
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma
ca9f364fd4
Fix tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 10:55:52 +01:00
Roeland Jago Douma
7405dfb544
Update tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-29 14:37:18 +01:00
Joas Schilling
bf2be08c9f
Fix risky tests without assertions
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-25 11:33:25 +01:00
Joas Schilling
870023365c
Fix "Undefined method setExpectedException()"
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-24 18:10:16 +01:00
Morris Jobke
2a38605545
Properly log the full exception instead of only the message
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-23 10:57:21 +01:00
Morris Jobke
c70927eaa0
Remove not needed 3rdparty app disabling during upgrade for PHP 5.x
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-19 14:00:27 +01:00
Joas Schilling
7bc9a69c3f
Remove deprecated core API
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-15 17:54:50 +01:00
Roeland Jago Douma
57050146f6
Move passwordconfirmation to its own midleware
...
Add tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-02 21:58:14 +01:00
Bjoern Schiessle
1bcbeb24bc
disable password confirmation with SSO
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-01-02 20:30:37 +01:00
Bjoern Schiessle
f0202245ee
allow 'Nextcloud' in the user agent string of Android
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-12-12 12:16:01 +01:00
Roeland Jago Douma
b88db3a389
Merge pull request #6921 from nextcloud/appmanager-securitymiddleware
...
Use proper DI for security middleware for app enabled check
2017-10-24 19:58:24 +02:00
Morris Jobke
43e498844e
Use ::class in test mocks
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-10-24 17:45:32 +02:00
Morris Jobke
ce0c45a4ea
Use proper DI for security middleware for app enabled check
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-10-24 15:36:28 +02:00
Roeland Jago Douma
c257cd57d4
Handle SameSiteCookie check for index.php in AppFramework Middleware
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-24 21:07:16 +02:00
Thomas Citharel
ecf347bd1a
Add CSP frame-ancestors support
...
Didn't set the @since annotation yet.
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2017-09-15 15:23:10 +02:00
Lukas Reschke
f93a82b8b0
Remove explicit type hints for Controller
...
This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 17:32:03 +02:00
Morris Jobke
84c22fdeef
Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call
...
Add metadata to \OCP\AppFramework\Http\Response::throttle
2017-08-01 14:43:47 +02:00
Roeland Jago Douma
f71dc7523f
Fix tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-31 16:54:19 +02:00
Roeland Jago Douma
3548603a88
Fix middleware implementations signatures
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-31 16:54:19 +02:00
Lukas Reschke
f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle
...
Fixes https://github.com/nextcloud/server/issues/5891
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00