* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
There were some cases where a negative limit could be passed in. Which
would happily make the query explode.
This is just a quick hack to make sure it never is negative.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Avoids directly getting the token again. We just inserted it so it and
have all the info. So that query is just a waste.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Some user backends (like the database backend) allow us to obtain a user
case insensitive. However the UID itself is case sensitive.
Example:
* create a user User1
* login as User1
- This results the data/User1 folder to be created etc
* now have some code somewhere that obtains the userFolder (from
IRootFolder) but pas in 'uSER1' as uid
- The code will check if that is a valid user. And in this case it is
since User1 and uSER1 both map to the same user
- However the the UID in the user object is used for the folder a new
folder fill be create data/uSER1
With this PR this is avoided now. Since we obtain the real UID casing in
the backend before creating the user object.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#7084
Now entering wrongly cased email (roeland@ instead of Roeland@) for
password reset etc. Will also work.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#12498
This means that we set that it is a proper app token once it is
validated. This will allow the 2FA middleware to just run the same
check.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#12131
If we hit an expired token there is no need to continue checking. Since
we know it is a token.
We also should not register this with the bruteforce throttler as it is
actually a valid token. Just expired. Instead the authentication should
fail. And buisness continues as usual.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fixes#11097
If your password hash changed (becuse your are on 7.2 and we moved to
ARGON2). Then we shold not 'set a new password' but just update the
hash. As else we invoke the password policy again which might lock out
users.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* On weblogin check if we have invalid public key tokens
* If so update them all with the new token
This ensures that your marked as invalid tokens work again if you once
login on the web.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This protects our cookies a bit more. It makes sure that when a 3rdparty
websites embededs a public alendar for example. That all the users see
this in anonymous mode there.
It adds a small helper function.
In the future we can think about protecting other cookies like this as
well. But for now this is sufficient to not have the user logged in at
all when doing 3rdparty requests.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Sometimes when we force a session regeneration we want to update the
current token for this session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>