Arthur Schiwon
776d9e6805
never translate login names when requiring with a user id
...
where appropriate, the preLoginNameUsedAsUserName hook should be thrown.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-01-04 11:47:31 +01:00
Christoph Wurst
55c7aa674c
Fix failing csp/nonce check due to timed out session
...
The CSP nonce is based on the CSRF token. This token does not change,
unless you log in (or out). In case of the session data being lost,
e.g. because php gets rid of old sessions, a new CSRF token is gen-
erated. While this is fine in theory, it actually caused some annoying
problems where the browser restored a tab and Nextcloud js was blocked
due to an outdated nonce.
The main problem here is that, while processing the request, we write
out security headers relatively early. At that point the CSRF token
is known/generated and transformed into a CSP nonce. During this request,
however, we also log the user in because the session information was
lost. At that point we also refresh the CSRF token, which eventually
causes the browser to block any scripts as the nonce in the header
does not match the one which is used to include scripts.
This patch adds a flag to indicate whether the CSRF token should be
refreshed or not. It is assumed that refreshing is only necessary
if we want to re-generate the session id too. To my knowledge, this
case only happens on fresh logins, not when we recover from a deleted
session file.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-09-11 10:08:06 +02:00
Joas Schilling
d6b888461d
Can not insert auto increment on oracle
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-08-03 16:40:00 +02:00
Robin Appelman
ce45f87699
null users dont exist
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-07-13 15:54:16 +02:00
Joas Schilling
7257206bcf
Create users in non default backends first
...
Most of the time, when people have multiple backends or add a
custom backend, they want to create the users there and not in
the default backend. But since that is registered first, users
were always created there.
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-06-22 13:02:53 +02:00
Arthur Schiwon
c1f4191a77
emit changeUser only if there really was a change (quota, displayname)
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-06-01 13:08:23 +02:00
Lukas Reschke
5f71805c35
Add basic implementation for OAuth 2.0 Authorization Code Flow
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-18 20:49:03 +02:00
Christoph Wurst
0a43c259c4
Fix encryption + remembered login due to missing login hook
...
The encryption app relies on the post_login hook to initialize its keys.
Since we do not emit it on a remembered login, the keys were always un-
initialized and the user was asked to log out and in again.
This patch *translates* the postRememberedLogin hook to a post_login
hook.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-05-16 08:41:11 +02:00
Joas Schilling
975e572a3d
Remove account data on user deletion
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-15 13:31:31 +02:00
Robin Appelman
2b0da0f218
handle permissions errors when copying the skeleton for a read only user
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-05-05 14:44:51 +02:00
Arthur Schiwon
668fe7df51
UserManager can now count disabled users
...
Users page takes advantage of that
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-29 00:59:09 -03:00
Joas Schilling
9212089151
Use the new method in the old one to remove duplicate code
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-27 08:56:51 +02:00
Joas Schilling
9e6ac3de70
Allow to create a user for a specific backend
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-26 15:07:11 +02:00
Joas Schilling
ac0c21f4a7
Trigger change when a user is enabled/disabled
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-25 17:20:35 +02:00
Joas Schilling
a3922bbcdc
Better validation of allowed user names
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-18 14:29:34 +02:00
Roeland Jago Douma
f40b9fa9bd
Merge pull request #4330 from nextcloud/activities-for-password-mail-change
...
Add activities when email or password is changed
2017-04-14 08:16:43 +02:00
Morris Jobke
d36751ee38
Merge pull request #2424 from nextcloud/fix-login-controller-test-consolidate-login
...
Fix login controller test and consolidate login
2017-04-13 12:16:38 -05:00
Morris Jobke
ac05d6dd67
Improve PHPDoc
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-13 12:16:12 -05:00
Joas Schilling
1110b51aa3
Allow to read the old email on the hook as well
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-13 12:34:02 +02:00
Joas Schilling
7ad791efb4
Dont create a log entry on email login
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-07 10:15:20 +02:00
Arthur Schiwon
fbadb37b9b
use known LockdownManager
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:27:30 +02:00
Arthur Schiwon
0a463e55ae
Save correct login name
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:22:43 +02:00
Arthur Schiwon
daf9d23547
don't regenerate Session ID twice, also fixes tests
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:22:43 +02:00
Arthur Schiwon
50844e8c47
regenerate session id on successful login, fixes integration test
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:22:43 +02:00
Arthur Schiwon
7b3fdfeeaa
do login routine only once when done via LoginController
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-04-06 15:22:42 +02:00
Robin Appelman
baec42e80a
Save the scope of an auth token in the session
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-04-05 17:58:33 +02:00
Robin Appelman
0aeb595784
user ids are strings
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-03-30 12:24:46 +02:00
Morris Jobke
d197f609a8
Merge pull request #3889 from nextcloud/downstream-26950
...
Sharing dialog: make autocomplete sorting case insensitive
2017-03-23 23:45:28 -06:00
Morris Jobke
dbaebc53b0
fix sorting in the backend
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-23 15:41:25 -06:00
Joas Schilling
257fbd85eb
Merge pull request #3929 from nextcloud/downstream-27068
...
cache loadUser if not exists
2017-03-20 12:44:54 +01:00
Vincent Petry
aacfef463c
Add tests for database user backend caching
...
Add comment, closeCursor in user DB query
Invalidate user in cache after successful creation
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-20 02:03:03 -06:00
Jörn Friedrich Dreyer
592c04a9db
cache loadUser if not exists
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-20 02:01:41 -06:00
Felix Rupp
e7dc1f4326
Add postLogout hook to finish sessions from external session managers ( #27048 )
...
* Add postLogout hook to finish sessions from external session managers like CAS
* Add postLogout hook to finish sessions from external session managers like CAS
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-19 23:00:12 -06:00
Lukas Reschke
d134dea508
Don't call function in constructor
...
The constructor is iniitiated already very early in base.php, thus requiring this here will break the setup and some more. For now we probably have to live with a static function call here thus.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 21:59:47 +01:00
Lukas Reschke
085891a15d
Escape like parameters in database user backend
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-15 22:46:40 +01:00
Morris Jobke
a5ba1f7803
Remove legacy class OC_Group and OC_User
...
* basically a straight replacement of the wrapped code at the calling code parts
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-09 17:35:09 -06:00
blizzz
19fc68cbdc
Merge pull request #2606 from temparus/master
...
Add preLoginValidation hook
2017-02-15 21:47:47 +01:00
Morris Jobke
dfaaebd765
Merge pull request #3417 from nextcloud/push-notification
...
Push notification
2017-02-10 16:00:47 -06:00
Joas Schilling
7c47f822a1
Save the used token id in the session so it can be used later on
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-09 15:02:59 +01:00
Robin Appelman
fa49c4a13b
Add a single public api for resolving a cloud id to a user and remote and back
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-02-08 15:17:02 +01:00
Sandro Lutz
9b6f99ab08
Update license header
...
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-07 01:25:39 +01:00
Sandro Lutz
fa1d607bfa
Merge remote-tracking branch 'nextcloud/master'
...
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-07 00:15:30 +01:00
Sandro Lutz
6feff0ceba
Add check if UserManager is of type PublicEmitter before calling preLogin hook
...
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-01 21:53:50 +01:00
Sandro Lutz
e30d28f7eb
Change where preLogin hook gets called
...
Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>
2017-02-01 21:53:42 +01:00
Morris Jobke
a4ad8af6e3
Add proper default value for datadir
...
* better safe than sorry
* fixes #3091
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-01-19 19:49:41 -06:00
Bjoern Schiessle
cdf01feba7
add action to existing brute force protection
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
Loki3000
8ab16f87ac
spaces added
2017-01-10 16:44:14 +03:00
Loki3000
5c77923360
allowed '0' uid
2017-01-10 16:39:10 +03:00
Loki3000
b0ff59d42f
remove non required db requests
2017-01-10 13:09:33 +03:00
Loki3000
135198bf0d
Default value for null user
...
For guest users on every request executes query:
SELECT `uid`, `displayname` FROM `users` WHERE LOWER(`uid`) = LOWER(null)
as I see, uid can't be equal to null by design.
2017-01-09 23:34:23 +03:00