`\OC_User::loginWithApache` is used in combination with backend mechanisms like our SSO / SAML integration. Those can optionally already provide a displayname using other means. For example by mapping SAML attributes.
The current approach makes it however impossible for backends using `\OCP\Authentication\IApacheBackend` to set a displayname on their own. Because the display name will simply be overwritten with the loginname.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* we introduced this setting in the begining because our
avatar support caused some performance issues, but we
fixed them and should only provide one way how Nextcloud
looks
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Prevent PHP request to get killed when using fclose callback
* Add ignore_user_abort everywhere where the time limit is set to 0
Signed-off-by: Robin Appelman <robin@icewind.nl>
* Allow clearing default user backends in config.php
When specifying "user_backends" in config.php, a new option "default"
when set to false will prevent the default user backend to be
registered. The default one is the database backend.
This makes it possible to select exclusive user backends from apps.
* Testing app provides test user backend for alternative homes
The backend provide md5 result to getHome()
* Only md5 the user home when it's not the admin
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
When installing an app from the appstore the `\OC_App::getAppVersion` code is triggered twice:
- First when the downloader tries to compare the current version to the new version on the appstore to check if there is a newer version. This protects against downgrade attacks and is implemented in `\OC\Installer::downloadApp`.
- Second, when the app is actually installed the current version is written to the database. (`\OC\Installer::installApp`)
This fails however when the version is actually cached. Because in step 1 the cached version will be set to "0" and then be reused in the second step.
While this is probably not the cleanest version I assume this is an approach that is least invasive. Feedback and suggestions welcome :)
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Added the system config which sets all conditions to true that query the
FrontControllerActive mod_env variable.
Signed-off-by: Felix A. Epp <work@felixepp.de>
If the session is cleared and closed for whatever reason the loadVersion
will write to the session anyways. This will lead to an exception.
This should fix#1303
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Pages that do not use the AppFramework have its CSP inherited from `\OC_Response::addSecurityHeaders`. While those are not many anymore, there are some examples such as the "Help" page.
To stay completely backwards-compatible we should also add the nonce to the legacy CSP response.
To test that open your browser console and open the help page. Without this you will get a JS error. With this you won't.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>