Commit Graph

17 Commits

Author SHA1 Message Date
Christoph Wurst 5e55dfb2d6
create session token for DAV clients (sync clients) 2016-05-11 13:36:46 +02:00
Lukas Reschke cc8c0b6a90 Check if request is sent from official ownCloud client
There are authentication backends such as Shibboleth that do send no Basic Auth credentials for DAV requests. This means that the ownCloud DAV backend would consider these requests coming from an untrusted source and require higher levels of security checks. (e.g. a CSRF check)

While an elegant solution would rely on authenticating via token (so that one can properly ensure that the request came indeed from a trusted client) this is a okay'ish workaround for this problem until we have something more reliable in the authentication code.
2016-03-24 08:59:56 +01:00
Arthur Schiwon 117c1bffa7 adjust PrincipilUri as returned from Sabre to effective username 2016-03-18 23:31:11 +01:00
Lukas Reschke 9b3c4e8dc4 Require CSRF token for non WebDAV authenticated requests 2016-02-18 11:18:36 +01:00
Thomas Müller cca2ade199 Adding pre oc 9.0 CardDAV endpoint for migration of old clients 2016-02-08 10:52:30 +01:00
Thomas Müller 682821c71e Happy new year! 2016-01-12 15:02:18 +01:00
Roeland Jago Douma 4a38793d11 Allow only cookie auth to webdav 2016-01-07 10:44:26 +01:00
Vincent Petry 13ec2bda2d Properly check X-Requested-With header in case of multiple values
Saw this happening in IE8...
2015-12-11 11:22:38 +01:00
Thomas Müller 1d30f0fcdb Merge pull request #20760 from owncloud/webdav-authredirectfix
Only reject ajax auth if user is really logged out
2015-11-27 13:16:01 +01:00
Vincent Petry d02e0eaaf1 Only reject ajax auth if user is really logged out 2015-11-26 17:04:21 +01:00
Thomas Müller c25a7cc4da Users are available under it's own principal resource named 'principals/users' this will allow us to introduce e.g. groups as principals (one day) and system specific principals (needed for federation) 2015-11-25 22:23:34 +01:00
Thomas Müller ae36c01b95 Adjust sabre changes in core 2015-11-24 15:11:54 +01:00
Vincent Petry 055d58bfc3 Do not authenticate over ajax
This makes sure that whenever a Webdav call is done through Ajax, if the
session has expired, it will not send back a challenge but a simple 401
response. Without this fix, the default code would send back a challenge
and trigger the browser's basic auth dialog.
2015-11-23 09:44:30 +01:00
Scrutinizer Auto-Fixer 5573029485 Scrutinizer Auto-Fixes
This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
2015-11-20 15:42:34 +00:00
Thomas Müller 0f434e0b9b Implement CSRF protection 2015-11-19 11:34:59 +01:00
Lukas Reschke cddc9abc06 Add tests for Sabre Auth plugin + make getCurrentUser compatible 2015-10-23 17:30:47 +02:00
Thomas Müller f2889dc6e4 Consolidate webdav code - move all to one app 2015-10-16 13:17:12 +02:00