Whilst we currently state that SSRF is generally outside of our threat model, this is something where we should invest to improve this.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Since version 1.8.0 of Mink "Mink::getSession()" no longer starts the
session automatically (see https://github.com/minkphp/Mink/pull/705), so
it now needs to be explicitly started.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Since version 1.4.0 the Selenium driver for Mink uses again the element
on which the value was set (see
https://github.com/minkphp/MinkSelenium2Driver/pull/286). When creating
a new folder or renaming one sending a new line ("\r") caused the
element on which the value was set to be removed, so the element was no
longer attached to the DOM when the driver tried to use it again, and
thus a "StaleElementReference" exception was thrown.
Due to this now it is needed to explicitly click the confirm button when
creating a new folder. In the case of the renaming, on the other hand,
nothing else besides not sending the new line is needed, as the Selenium
driver now unfocuses the element (that is why it uses again the element
after setting the value) which triggers the renaming.
Besides that, the Selenium driver for Mink uses a library to simulate
certain events, bitovi/syn. In version 1.4.0 that library was updated to
version 0.0.3, which seems to somehow break pressing the "escape" key.
Due to this now the sharing menu has to be closed by pressing "enter" on
the share menu button instead.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The PHPUnit update also required an update of "symfony/yaml", so besides
the changes needed for PHPUnit the "behat.yml" file also had to be
adjusted.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
When avatar scope is private, the PlaceholderAvatar is used to deliver a
placeholder avatar based on the user's initials.
This was implemented as a separate class for now to avoid messing with
the existing UserAvatar implementation and its generated vs
non-generated logic.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Use new scope values in settings page.
Adjust all consumers to use the new constants.
Map old scope values to new ones in account property getter.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Added new v2-private account manager scope that restricts the scope
further by excluding public link access.
Avatars with v2-private account scope are now showing the guest avatar
instead of the real avatar.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Remove "ocs-provider" test folder reference as it doesn't exist any
more.
Added back "Test" test subdir and fixed the tests inside.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
It seems Phpunit < 9 was case insensitive.
Fixed the phpunit config to target the correct name for the "Core" test
directory.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Updating a user or group share now uses the correct method for the
validation of the expiration date. Instead of using the one from links
it uses the one for internal shares.
To avoid future confusion, the method "validateExpirationDate" has been
renamed to "validateExpirationDateLink".
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
* Some implementations might check for different things
* IT will not change how the current ones work
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
User "user1" is added when installing and configuring the server, so it
is already added in all tests.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
User "user1" is added when installing and configuring the server, so it
is already added in all tests. As the test verifies that just added
users can be searched in the contacts menu a new user should be actually
added.
The test did not fail because it assumed that "user1" did not exist and
just checked that it existed after "adding" it, but not whether adding
it failed.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The input element is always hidden, so the check always ended falling
back to the label. Moreover, the label is the element that the user
interacts with, so it must be the one used.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Although if the element could not be found an exception would be thrown
and the test aborted if an element is in the DOM but hidden it would be
found and the test would pass.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Instead of looking for the bundle button and then checking its value now
the expected value is included in the locator and the button is checked
similarly to other elements.
No "Disable all" locator was added as it was not currently needed
anywhere.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
"Actor::find" is a more robust way to look for elements, as it handles
some exceptions that may be thrown. Therefore, even if the elements are
not actually used and it is only checked whether they exist or not using
the actor is the preferred way when possible (and it also makes it
consistent with the rest of the acceptance tests).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Adding some missing asserts showed that the "delete user" acceptance
test was silently failing, as the deletion was not being confirmed in
the dialog and thus the user was not being deleted.
The dialog button contains a single quote ("user0's"), so the XPath
expression had to be adjusted (it seems that it is not possible to
escape a single quote in a string enclosed in single quotes in XPath
1.0).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
WaitFor::element... calls only perform the waiting and return whether
the condition succeeded or not, but that result needs to be explicitly
checked to prevent further steps from being executed if the wait failed.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
As no timeout was specified the elements were tried to be found just
once. This caused the steps to fail if the elements did not appear yet
in the page when they were tried to be found.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Psalm found an issue. However the issue found was because of lying
docblocks. Fixed those and did some typing to make it all better.
For #25839
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Generated avatars as well as text file previews are rendered using the
"core/fonts/NotoSans-Regular.ttf" font. The file was the standard hinted
"NotoSans-Regular.ttf" file from https://www.google.com/get/noto/.
However that file does not cover some non LGC (Latin, Greek, Cyrillic)
scripts, like Arabic, Devanagari or Hebrew, to name a few.
Markdown file previews also use "core/fonts/NotoSans-Bold.ttf", which is
in the same situation as the regular one.
Due to limitations in the TTF format it is not possible to provide a
single file for each style that includes all Noto fonts. However, it is
possible to add more scripts to the standard "NotoSans-Regular.ttf" and
"NotoSans-Bold.ttf" files (although no CJK (Chinese, Japanese, Korean)
glyph can be included due to the aforementioned limitations).
This commit replaces the standard files with an extended version created
using the Noto Tools. The build script (as well as a patch for the Noto
Tools) is also included for reference and to be able to update the font
files in the future if needed.
Due to the additional scripts added the font files are now much larger,
although this does not seem to increase the time spent rendering LGC
scripts.
Note that the file for the bold style still contains less scripts than
the regular one, as not all scripts supported by Noto have a bold
weight.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>