Commit Graph

113 Commits

Author SHA1 Message Date
Joas Schilling 3f86f1276f
Also cache the namespace from appinfo
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 11:50:31 +01:00
Joas Schilling 5695a4ec92
Don't do a recursive search
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 10:44:13 +01:00
Joas Schilling 9208f6379c
buildAppNamespace already has the fallback
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 10:13:14 +01:00
Roeland Jago Douma 67909cf87b
Make DI work for all apps
As stated in https://github.com/nextcloud/server/pull/3901#issuecomment-288135309
appid's don't have to match the namespace.

Work around this

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 20:53:37 +01:00
Roeland Jago Douma 92f50c7d87
Core is also a special app
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 10:42:33 +01:00
Roeland Jago Douma 48c34522ed
Move a lot of stuff over to the ServerContainer
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 10:29:59 +01:00
Roeland Jago Douma c92b9ce2c4
Fix settings tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma 21641302a9
Add DI intergration tests
* Moved some interface definitions to Server.php (more to come)
* Build/Query only for existing classes in the AppContainer
* Build/Query only for classes of the App in the AppContainer
* Offload other stuff to the servercontainer

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma 7cece61ff6
Extend DI tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma 246e9ce547
More elegant handling of recursion
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma df14684817
PoC of moving the interface classes to the servercontainer
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma 886202123c
Update query method for DIContainer
To align with https://github.com/nextcloud/server/issues/2043#issuecomment-287348294
This would mean that AppContainers only hold the AppSpecific services

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:17 +01:00
Roeland Jago Douma 8626ccab1c
dont require strict same site cookies for ocs requests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-09 16:48:48 +01:00
Roeland Jago Douma f8c459f1a4 Merge pull request #3607 from nextcloud/api-to-resend-welcome-message
OCS API endpoint to resend welcome message
2017-03-03 13:50:30 +01:00
Sebastian Wessalowski e399097e3a Remove deprecated OC_User::isLoggedIn
Signed-off-by: Sebastian Wessalowski <sebastian@wessalowski.org>
2017-03-02 22:59:39 +01:00
Morris Jobke 552921d429
Fix injection of defaults
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-02-28 16:30:34 -06:00
Morris Jobke 50f3efad6f
OCS API endpoint to resend welcome message
* send a POST request to ocs/v1.php/cloud/users/USERNAME/resendWelcomeMessage to trigger
  the welcome message to be send
* fixes #3367

example curl statement:

  curl -i https://example.org/ocs/v1.php/cloud/users/USERNAME/welcome -H  "OCS-APIRequest: true" -u admin:password -X POST

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-02-28 16:30:33 -06:00
Joas Schilling 0be2921966
Fix DI of the cloud id manager into apps
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-14 12:47:46 +01:00
Morris Jobke dfaaebd765 Merge pull request #3417 from nextcloud/push-notification
Push notification
2017-02-10 16:00:47 -06:00
Joas Schilling 33fb86f68b
Fix detection of the new iOS app
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-10 10:10:21 +01:00
Joas Schilling efdc51c155
Make sure to use the right appdata directory
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-09 15:03:00 +01:00
Christoph Wurst 5e728d0eda oc_token should be nc_token
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-02-02 21:56:44 +01:00
Morris Jobke 5bad417e57 Merge pull request #2044 from nextcloud/login-credential-store
Login credential store
2017-01-30 19:30:04 -06:00
Bjoern Schiessle 32e0ec3e58
handle optional annotation parameters
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
Joas Schilling 29a0a23918
Fix the regex for annotations with values
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-01-18 15:25:16 +01:00
Bjoern Schiessle df296249d6
introduce brute force protection for api calls
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:15 +01:00
Christoph Wurst a6dca9e7a0
add login credential store
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:09 +01:00
Joas Schilling bc3da3a8f5
Remove IDb interface which was deprecated for 3 years already
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-14 11:42:16 +01:00
Joas Schilling 61e15988a0
Allow to overwrite the message which we already do in SubadminMiddleware
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-08 16:23:49 +01:00
Morris Jobke d86b29b42b Merge pull request #2066 from nextcloud/fix-redirect-double-encoding
do not double encode the redirect url
2016-11-29 17:21:43 +01:00
Joas Schilling da9468522b
Add an event merger and use it for the files activities
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-25 15:36:11 +01:00
Lukas Reschke a05b8b7953
Harden cookies more appropriate
This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening.

See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications.

Fixes https://github.com/nextcloud/server/issues/1412

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-23 12:53:44 +01:00
Morris Jobke 332eaec4c0 Merge pull request #1447 from nextcloud/password-confirmation-for-some-actions
Password confirmation for some actions
2016-11-18 15:42:30 +01:00
Joas Schilling bb7787a157
Add the 15 seconds to the window, instead of removing
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 12:10:51 +01:00
Joas Schilling 827b6a610e
Introduce PasswordConfirmRequired annotation
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 11:57:16 +01:00
Robin Appelman 4235b18a88
allow passing a stream to StreamResponse
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:30:36 +01:00
Roeland Jago Douma f07d75a4dd
@since 9.2.0 to @since 11.0.0
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-15 18:51:52 +01:00
Christoph Wurst 0ebffa4a5f do not double encode the redirect url
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-09 16:14:46 +01:00
Christoph Wurst d907666232
bring back remember-me
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Roeland Jago Douma e55e6f1f14
Cleanup usages
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-29 14:29:50 +02:00
Roeland Jago Douma 740659a04c
Move away from OC_L10N
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-28 21:46:28 +02:00
Morris Jobke d4969abc9d Merge pull request #1800 from nextcloud/nextcloud-rich-object-strings
Nextcloud rich object strings
2016-10-27 15:30:58 +02:00
Joas Schilling c20ab0049f
Identify Chromium as Chrome
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-26 12:07:10 +02:00
Roeland Jago Douma e351ba56f1
Move browserSupportsCspV3 to CSPNonceManager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-25 22:03:10 +02:00
Lukas Reschke 9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Roeland Jago Douma 7998689bc9
Added method to DB and fix test
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-24 09:45:04 +02:00
Joas Schilling 2098648850
Add Rich Object Definitions and a validator
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-20 12:14:51 +02:00
Morris Jobke 96f8f209b9 Merge pull request #1449 from nextcloud/comments-user-mention
Notifications for simple @-mentioning in comments
2016-10-17 09:30:47 +02:00
Thomas Müller c5ca71ee82
[9.2] Register commands in info.xml (#26248)
* Use DI to load console commands from the apps - class name to be defined in the info.xml

* Load commands from info.xml

* Fix unit test

* Allow Di magic for IMountManager

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-11 19:48:26 +02:00
Thomas Müller 67d3574bdf
Don't parse info.xml but reuse already cached app infos - fixes #25603 (#25968)
* Don't parse info.xml but reuse already cached app infos - fixes #25603

* Use === in InfoParser. Fixes test

* InfoParser should not depend on UrlGenerator - fixes issue with session being closed too early
2016-10-07 20:58:22 +02:00