b108@volgograd
bf167ad3ac
Remove duplicate functionality
...
This functionality implemented in the next line:
$requestUri = preg_replace('%/{2,}%', '/', $requestUri);
2019-01-20 13:29:58 +04:00
Roeland Jago Douma
54ff913de6
Cleanup middleware registering
...
Fixes #12224
Since we only use the middleware at 1 location it makes no sense to
register them in each and every container.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-03 11:50:01 +01:00
Roeland Jago Douma
514426e27d
Only trust the X-FORWARDED-HOST header for trusted proxies
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-12-17 15:54:45 +01:00
Morris Jobke
411d2dece5
Merge pull request #11786 from nextcloud/feature/password_confirmation_backend
...
Expose password confirmation capabilities in the user backend
2018-11-06 00:44:18 +01:00
Roeland Jago Douma
2452a3ec73
Properly query the methodreflector
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:37 +01:00
Roeland Jago Douma
0e5147f001
Fix tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:37 +01:00
Roeland Jago Douma
bfb5ef4b29
The identityproof manager should be in Server
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:37 +01:00
Roeland Jago Douma
8f833a309a
No need to register it also in the DI Container
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:37 +01:00
Roeland Jago Douma
fbd0d0bdcf
The Encryption manager belongs in Server.php
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:37 +01:00
Roeland Jago Douma
9c28d2d7c4
SearchResult should be difined in Server as it is a core component
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:37 +01:00
Roeland Jago Douma
964ebed86c
The UserSession is constructed in the server
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:37 +01:00
Roeland Jago Douma
b2501dbf9a
TimeFactory is already regsitsered in the Server Container
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:37 +01:00
Roeland Jago Douma
61adb513fe
Request is already regsitered in the Server container
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:36 +01:00
Roeland Jago Douma
421a40e7db
Was already registered in Server
...
The DIContainaer will query server anyways if it can't find it
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 19:20:35 +01:00
Roeland Jago Douma
603b672a11
Update password confirmation middleware
...
If the userbackend doesn't allow validating the password for a given uid
then there is no need to perform this check.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-02 13:44:45 +01:00
Morris Jobke
dccfe4bf84
Merge pull request #12036 from olivermg/master
...
Add capability of specifying "trusted_proxies" entries in CIDR notation (IPv4)
2018-10-30 10:49:08 +01:00
Morris Jobke
c9e6a99637
Merge pull request #12085 from nextcloud/add-gss-to-excluded-backends
...
add global site selector as user back-end which doesn't support password confirmation
2018-10-30 10:16:07 +01:00
Oliver Wegner
401ca28f07
Adding handling of CIDR notation to trusted_proxies for IPv4
...
Signed-off-by: Oliver Wegner <void1976@gmail.com>
2018-10-30 09:15:42 +01:00
Bjoern Schiessle
85d9f06cb8
add global site selector as user back-end which doesn't support password confirmation
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-27 15:43:51 +02:00
Daniel Kesselberg
986f4df2a5
Add REMOTE_ADDR to getHeader
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2018-10-25 22:26:49 +02:00
Joas Schilling
840dd4b39c
Allow to inject/mock `new \DateTime()` similar to time()
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-10-09 15:38:31 +02:00
Robin Appelman
dccbdc8c01
only catch QueryException when trying to build class
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-09-21 18:32:15 +02:00
Roeland Jago Douma
9319d557a4
Add wrapper Logger in DIContainer
...
This makes sure that for example app for the context is always set.
We can in the future extend this to include more info.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 10:05:25 +02:00
Robin Appelman
c0a283fefb
ensure we always return an array from `Request::getParams`
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-08-28 18:11:42 +02:00
Roeland Jago Douma
8c1e75e052
Do not use file as template parameter
...
Using file will overwrite the $file parameter in the template base.
Leading to trying to include a file that is the exception message. Which
will of course fail.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-08-09 16:45:25 +02:00
Roeland Jago Douma
e7338173e8
Add PublicShareMiddlewareTest
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-20 08:53:37 +02:00
Roeland Jago Douma
20e514690c
Don't allow public share pages if link sharing is disabled
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-20 08:53:37 +02:00
Roeland Jago Douma
366981fba6
Move public preview endpoint over
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-20 08:53:37 +02:00
Roeland Jago Douma
f36ef8ca80
Add the new PublicShareController and PublicShareMiddleware
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-20 08:53:35 +02:00
Joas Schilling
b4bacf46f3
Do not send a body for "No content", "Not modified" and others
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-05-04 13:46:13 +02:00
Joas Schilling
f5b143e318
Allow to inject ISearchResult
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-04-26 12:19:15 +02:00
Arthur Schiwon
38a90130ce
move log constants to ILogger
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-04-26 10:45:52 +02:00
Roeland Jago Douma
129a608ebe
OCP\AppFramework\App strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-09 08:42:03 +01:00
Morris Jobke
a2db959f5c
Merge pull request #8593 from eneiluj/master
...
Allow public page access to apps with group restrictions
2018-03-08 11:27:52 +01:00
Roeland Jago Douma
3ad7daeda5
Add tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-08 11:05:18 +01:00
Roeland Jago Douma
340e8ef16c
Make SecurityMiddleware strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-08 10:11:47 +01:00
Joas Schilling
1dd40b1f45
Single quotes
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-03-07 16:50:18 +01:00
Joas Schilling
559978c50e
Suppress phan error
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-03-07 16:43:16 +01:00
Joas Schilling
09d8387b00
Try without autoloading
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-03-06 13:56:44 +01:00
Joas Schilling
97c4c00e3f
Better debugging for "Your test case is not allowed to access the database."
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-03-05 16:06:29 +01:00
Julien Veyssier
7da0812186
Do not throw AppNotEnabledException for app public pages - refs #6962 , refs #5309
...
It allows non-logged user to access public pages of applications restricted to a group
Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
2018-02-28 20:35:53 +01:00
Morris Jobke
a60d7a8563
Merge pull request #8541 from nextcloud/translate-permission-error-page
...
Provide translated error message for permission error
2018-02-26 17:50:21 +01:00
Morris Jobke
cf35c4b03a
Provide translated error message for permission error
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-26 17:00:29 +01:00
Roeland Jago Douma
043a824e6a
Fix comments
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma
0ee45d3d20
Fix proper types
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma
a229095af1
Make Request strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma
fb41a93a95
Merge pull request #8473 from nextcloud/strict_cmr
...
Strict OCP\AppFramework\Utility\IControllerMethodReflector
2018-02-21 22:56:40 +01:00
Roeland Jago Douma
4859775893
Don't try to match on false
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 20:38:14 +01:00
Roeland Jago Douma
aa060f5332
Strict OCP\AppFramework\Utility\IControllerMethodReflector
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 19:55:49 +01:00
Roeland Jago Douma
ca9f364fd4
Fix tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 10:55:52 +01:00
Roeland Jago Douma
a773b055fc
Make the middlewareDispatcher strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 10:55:24 +01:00
Roeland Jago Douma
bb0c7b2943
Make AppFramework/Http/Dispatcher strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 08:51:46 +01:00
Roeland Jago Douma
cf83eb5e77
Merge pull request #8336 from nextcloud/cleanup-unused-parameter
...
Cleanup unused parameter
2018-02-20 10:16:59 +01:00
Morris Jobke
d3d045dd5c
Remove unused import statements
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-14 16:55:43 +01:00
Morris Jobke
d18d323f21
Remove fromMailAddress from MailSettingsController
...
Was removed in https://github.com/nextcloud/server/pull/4379 (0a54d5a
) and https://github.com/nextcloud/server/pull/4380 (bae64e8
)
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-13 21:40:38 +01:00
Morris Jobke
01482b32a1
Merge pull request #8062 from nextcloud/use-class
...
Use ::class statement instead of string
2018-01-29 15:25:08 +01:00
Roeland Jago Douma
c0adfa4375
Don't perform CSRF check on OCS routes with Bearer auth
...
Fixes #5694
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-29 14:37:18 +01:00
Morris Jobke
eb51f06a3b
Use ::class statement instead of string
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-29 12:03:47 +01:00
Morris Jobke
870fe20acc
Use $var[] = $a instead of array_push - 2x faster
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-25 22:36:03 +01:00
Morris Jobke
2a38605545
Properly log the full exception instead of only the message
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-23 10:57:21 +01:00
Morris Jobke
4ef302c0be
Request->getHeader() should always return a string
...
PHPDoc (of the public API) says that this method returns string but it also returns null, which is not allowed in some method calls. This fixes that behaviour and returns an empty string and fixes all code paths that explicitly checked for null to be still compliant.
Found while enabling the strict_typing for lib/private for the PHP7+ migration.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-17 09:51:31 +01:00
Joas Schilling
7bc9a69c3f
Remove deprecated core API
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-15 17:54:50 +01:00
Roeland Jago Douma
d44de92c31
Merge pull request #7838 from nextcloud/timefactory_strict
...
Make the ITimeFactory strict + return types
2018-01-15 09:27:37 +01:00
Roeland Jago Douma
7ffd62bf95
Make the ITimeFactory strict + return types
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-14 21:55:40 +01:00
Roeland Jago Douma
704133d732
Remove deprecated functions from DI Container
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-13 19:29:52 +01:00
Roeland Jago Douma
57050146f6
Move passwordconfirmation to its own midleware
...
Add tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-02 21:58:14 +01:00
Bjoern Schiessle
1bcbeb24bc
disable password confirmation with SSO
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-01-02 20:30:37 +01:00
Roeland Jago Douma
ca70694502
Also check for empty content lenth
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-12-14 21:48:59 +01:00
Morris Jobke
31c5c2a592
Change @georgehrke's email
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 20:38:59 +01:00
Morris Jobke
0eebff152a
Update license headers
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Roeland Jago Douma
b88db3a389
Merge pull request #6921 from nextcloud/appmanager-securitymiddleware
...
Use proper DI for security middleware for app enabled check
2017-10-24 19:58:24 +02:00
Morris Jobke
ce0c45a4ea
Use proper DI for security middleware for app enabled check
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-10-24 15:36:28 +02:00
Julius Härtl
4cfa1c66b8
Doc: Fix phpDoc issues
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-10-23 23:23:56 +02:00
Roeland Jago Douma
c257cd57d4
Handle SameSiteCookie check for index.php in AppFramework Middleware
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-24 21:07:16 +02:00
Joas Schilling
c4b3198ac2
Rethrow the correct exception when there was an error in an app container
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-09-12 11:54:13 +02:00
Bjoern Schiessle
9524badccc
extend the identity proof manager to allow system wide key pairs
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-08-10 14:27:35 +02:00
Roeland Jago Douma
9717cdfb9e
If there is no content don't error
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-09 15:51:13 +02:00
Lukas Reschke
f93a82b8b0
Remove explicit type hints for Controller
...
This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 17:32:03 +02:00
Morris Jobke
84c22fdeef
Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call
...
Add metadata to \OCP\AppFramework\Http\Response::throttle
2017-08-01 14:43:47 +02:00
Morris Jobke
6010c4f267
Merge pull request #5877 from nextcloud/typehint_middleware
...
Prop argument type for Middleware
2017-08-01 14:28:16 +02:00
Roeland Jago Douma
ede15f0988
Fix L10N::t
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-01 08:20:17 +02:00
Roeland Jago Douma
3548603a88
Fix middleware implementations signatures
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-31 16:54:19 +02:00
Lukas Reschke
f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle
...
Fixes https://github.com/nextcloud/server/issues/5891
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00
Roeland Jago Douma
5f227bd93b
More phpstorm inspection fixes
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-24 11:39:29 +02:00
Bjoern Schiessle
7c2d473d76
add new config switched for the global scale architecture
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-05-29 18:19:28 +02:00
Joas Schilling
72c1b24844
Check whether the $_SERVER['REQUEST_*'] vars exist before using them
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-15 14:33:27 +02:00
coderkun
bdc7bb1f26
Add IPv6 to “localhost” regex ( #440 )
...
Signed-off-by: Oliver Hanraths <olli@coderkun.de>
2017-05-14 21:29:03 +02:00
Joas Schilling
ca39940614
Automatic creation of Identity manager
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-10 09:45:11 +02:00
Morris Jobke
c54a59d51e
Remove unused use statements
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-22 19:23:31 -05:00
Roeland Jago Douma
d12ec7cff1
Revert "Match slashes in ../{id} resource routes"
...
This reverts commit 31f9be7a75
.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-18 21:50:36 +02:00
Lukas Reschke
8149945a91
Make BruteForceProtection annotation more clever
...
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.
Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 23:05:33 +02:00
Morris Jobke
d0c0f6cfc1
Merge pull request #4326 from nextcloud/downstream-27562
...
Reorder the entries of the log for easier reading
2017-04-13 13:11:47 -05:00
Joas Schilling
695696a4a6
Use constants
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-13 12:04:32 -05:00
Lukas Reschke
a1ae5275f9
Move to dedicated MiddleWare
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:17 +02:00
Lukas Reschke
511524c668
Add isset() as it can be an empty result
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:17 +02:00
Lukas Reschke
d729bde98c
Register in ServerContainer
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:16 +02:00
Lukas Reschke
66835476b5
Add support for ratelimiting via annotations
...
This allows adding rate limiting via annotations to controllers, as one example:
```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```
Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:16 +02:00
Juan Pablo Villafáñez
38e5135cb9
Reorder the entries of the log for easier reading
2017-04-12 13:03:19 +02:00
Morris Jobke
fa4107893d
Merge pull request #4138 from nextcloud/resources_match_fullid
...
Match slashes in ../{id} resource routes
2017-04-04 15:52:53 -05:00
Roeland Jago Douma
31f9be7a75
Match slashes in ../{id} resource routes
...
Fixes #2954
Before we could match on <prefix>/{id} however if the id contains a /
this would not match properly. But since we define the resource routes
internally we now make sure that we match all chars (up until the ?).
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-04 08:37:11 +02:00
Roeland Jago Douma
2a9192334e
Don't try to parse empty body if there is no body
...
Fixes #3890
If we do a put request without a body the current code still tries to
read the body. This patch makes sure that we do not try to read the body
if the content length is 0.
See RFC 2616 Section 4.3
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-04 08:22:33 +02:00
Joas Schilling
3f86f1276f
Also cache the namespace from appinfo
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 11:50:31 +01:00
Joas Schilling
5695a4ec92
Don't do a recursive search
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 10:44:13 +01:00
Joas Schilling
9208f6379c
buildAppNamespace already has the fallback
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 10:13:14 +01:00
Roeland Jago Douma
67909cf87b
Make DI work for all apps
...
As stated in https://github.com/nextcloud/server/pull/3901#issuecomment-288135309
appid's don't have to match the namespace.
Work around this
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 20:53:37 +01:00
Roeland Jago Douma
92f50c7d87
Core is also a special app
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 10:42:33 +01:00
Roeland Jago Douma
48c34522ed
Move a lot of stuff over to the ServerContainer
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 10:29:59 +01:00
Roeland Jago Douma
c92b9ce2c4
Fix settings tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma
21641302a9
Add DI intergration tests
...
* Moved some interface definitions to Server.php (more to come)
* Build/Query only for existing classes in the AppContainer
* Build/Query only for classes of the App in the AppContainer
* Offload other stuff to the servercontainer
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma
7cece61ff6
Extend DI tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma
246e9ce547
More elegant handling of recursion
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma
df14684817
PoC of moving the interface classes to the servercontainer
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma
886202123c
Update query method for DIContainer
...
To align with https://github.com/nextcloud/server/issues/2043#issuecomment-287348294
This would mean that AppContainers only hold the AppSpecific services
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:17 +01:00
Roeland Jago Douma
8626ccab1c
dont require strict same site cookies for ocs requests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-09 16:48:48 +01:00
Roeland Jago Douma
f8c459f1a4
Merge pull request #3607 from nextcloud/api-to-resend-welcome-message
...
OCS API endpoint to resend welcome message
2017-03-03 13:50:30 +01:00
Sebastian Wessalowski
e399097e3a
Remove deprecated OC_User::isLoggedIn
...
Signed-off-by: Sebastian Wessalowski <sebastian@wessalowski.org>
2017-03-02 22:59:39 +01:00
Morris Jobke
552921d429
Fix injection of defaults
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-02-28 16:30:34 -06:00
Morris Jobke
50f3efad6f
OCS API endpoint to resend welcome message
...
* send a POST request to ocs/v1.php/cloud/users/USERNAME/resendWelcomeMessage to trigger
the welcome message to be send
* fixes #3367
example curl statement:
curl -i https://example.org/ocs/v1.php/cloud/users/USERNAME/welcome -H "OCS-APIRequest: true" -u admin:password -X POST
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-02-28 16:30:33 -06:00
Joas Schilling
0be2921966
Fix DI of the cloud id manager into apps
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-14 12:47:46 +01:00
Morris Jobke
dfaaebd765
Merge pull request #3417 from nextcloud/push-notification
...
Push notification
2017-02-10 16:00:47 -06:00
Joas Schilling
33fb86f68b
Fix detection of the new iOS app
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-10 10:10:21 +01:00
Joas Schilling
efdc51c155
Make sure to use the right appdata directory
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-09 15:03:00 +01:00
Christoph Wurst
5e728d0eda
oc_token should be nc_token
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-02-02 21:56:44 +01:00
Morris Jobke
5bad417e57
Merge pull request #2044 from nextcloud/login-credential-store
...
Login credential store
2017-01-30 19:30:04 -06:00
Bjoern Schiessle
32e0ec3e58
handle optional annotation parameters
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
Joas Schilling
29a0a23918
Fix the regex for annotations with values
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-01-18 15:25:16 +01:00
Bjoern Schiessle
df296249d6
introduce brute force protection for api calls
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:15 +01:00
Christoph Wurst
a6dca9e7a0
add login credential store
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:09 +01:00
Joas Schilling
bc3da3a8f5
Remove IDb interface which was deprecated for 3 years already
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-14 11:42:16 +01:00
Joas Schilling
61e15988a0
Allow to overwrite the message which we already do in SubadminMiddleware
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-08 16:23:49 +01:00
Morris Jobke
d86b29b42b
Merge pull request #2066 from nextcloud/fix-redirect-double-encoding
...
do not double encode the redirect url
2016-11-29 17:21:43 +01:00
Joas Schilling
da9468522b
Add an event merger and use it for the files activities
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-25 15:36:11 +01:00
Lukas Reschke
a05b8b7953
Harden cookies more appropriate
...
This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening.
See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications.
Fixes https://github.com/nextcloud/server/issues/1412
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-23 12:53:44 +01:00
Morris Jobke
332eaec4c0
Merge pull request #1447 from nextcloud/password-confirmation-for-some-actions
...
Password confirmation for some actions
2016-11-18 15:42:30 +01:00
Joas Schilling
bb7787a157
Add the 15 seconds to the window, instead of removing
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 12:10:51 +01:00
Joas Schilling
827b6a610e
Introduce PasswordConfirmRequired annotation
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 11:57:16 +01:00
Robin Appelman
4235b18a88
allow passing a stream to StreamResponse
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:30:36 +01:00
Roeland Jago Douma
f07d75a4dd
@since 9.2.0 to @since 11.0.0
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-15 18:51:52 +01:00
Christoph Wurst
0ebffa4a5f
do not double encode the redirect url
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-09 16:14:46 +01:00
Christoph Wurst
d907666232
bring back remember-me
...
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Roeland Jago Douma
e55e6f1f14
Cleanup usages
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-29 14:29:50 +02:00
Roeland Jago Douma
740659a04c
Move away from OC_L10N
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-28 21:46:28 +02:00
Morris Jobke
d4969abc9d
Merge pull request #1800 from nextcloud/nextcloud-rich-object-strings
...
Nextcloud rich object strings
2016-10-27 15:30:58 +02:00
Joas Schilling
c20ab0049f
Identify Chromium as Chrome
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-26 12:07:10 +02:00
Roeland Jago Douma
e351ba56f1
Move browserSupportsCspV3 to CSPNonceManager
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-25 22:03:10 +02:00
Lukas Reschke
9e6634814e
Add support for CSP nonces
...
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.
At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)
IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.
Implementing this offers the following advantages:
1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.
If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Roeland Jago Douma
7998689bc9
Added method to DB and fix test
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-24 09:45:04 +02:00
Joas Schilling
2098648850
Add Rich Object Definitions and a validator
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-20 12:14:51 +02:00
Morris Jobke
96f8f209b9
Merge pull request #1449 from nextcloud/comments-user-mention
...
Notifications for simple @-mentioning in comments
2016-10-17 09:30:47 +02:00
Thomas Müller
c5ca71ee82
[9.2] Register commands in info.xml ( #26248 )
...
* Use DI to load console commands from the apps - class name to be defined in the info.xml
* Load commands from info.xml
* Fix unit test
* Allow Di magic for IMountManager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-11 19:48:26 +02:00
Thomas Müller
67d3574bdf
Don't parse info.xml but reuse already cached app infos - fixes #25603 ( #25968 )
...
* Don't parse info.xml but reuse already cached app infos - fixes #25603
* Use === in InfoParser. Fixes test
* InfoParser should not depend on UrlGenerator - fixes issue with session being closed too early
2016-10-07 20:58:22 +02:00
Arthur Schiwon
e1073cf442
Notificacations for simple @-mentioning in comments
...
(WIP) notify user when mentioned in comments
Fix doc, and create absolute URL for as notification link.
PSR-4 compatibility changes
also move notification creation to comments app
Do not notify yourself
unit test for controller and application
smaller fixes
- translatable app name
- remove doubles in mention array
- micro perf optimization
- display name: special label for deleted users, keep user id for users that could not be fetched from userManager
Comment Notification-Listener Unit Test
fix email adresses
remove notification when triggering comment was deleted
add and adjust tests
add missing @license tags
simplify NotificationsController registration
appinfo simplification, php docs
make string easier to translate
adjust test
replace dispatcher-based listeners with a registration method and interface
safer to not pass optional data parameter to setSubject for marking as processed. ID and mention suffices
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
update comment
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2016-10-07 17:11:19 +02:00
Joas Schilling
a0b34dfd2f
Merge pull request #1629 from nextcloud/cleanup-settings-application
...
Cleanup settings Application class
2016-10-06 16:57:39 +02:00
Joas Schilling
8b3deb00b3
When we can not create the class, try if the variable is a registered service
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-05 16:33:19 +02:00
Roeland Jago Douma
3260f69590
Add for proper DI
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-05 11:00:16 +02:00
Lukas Reschke
598b243838
Merge pull request #1426 from nextcloud/sanitze_opt
...
Optimize sanitizeName
2016-09-26 14:10:50 +02:00
Joas Schilling
d9063b6141
Use default value instead of throwing when the service could not be found
2016-09-20 13:26:06 +02:00
Roeland Jago Douma
e200eda18d
Optimize sanitizeName
2016-09-16 09:52:52 +02:00
Roeland Jago Douma
7c078a81b4
Add trict CSP to OCS responses
...
If a repsonse now explicitly has the Empty CSP set then the middleware
won't touch it.
2016-09-15 13:11:36 +02:00
Roeland Jago Douma
959bf0d1a7
Cache the build ControllerName
...
Often a route.php file will have many N routes but only M controllers.
Where N >= M. Which means that in most cases the ControllerName will be
converted multiple times. This is of course far from ideal.
Note that this is per app so the cache will contain at most N entries.
Which is not to bad.
2016-09-11 13:25:32 +02:00
Roeland Jago Douma
240798329d
Set proper content type on OCS responses
2016-09-07 10:55:56 +02:00
Roeland Jago Douma
3c55fe6bab
Split OCS version handling
...
This cleans up a bit the OCSController/Middleware. Since the 2 versions
of OCS differ a bit. Moved a lot of stuff internal since it is of no
concern to the outside.
2016-09-06 11:57:39 +02:00
Roeland Jago Douma
7f84f05e4d
Cache parsing of info.xml
2016-09-02 09:03:09 +02:00
Roeland Jago Douma
21a87d3c2e
No body or content-length for 204 and 304 responses
...
See: https://tools.ietf.org/html/rfc7230#section-3.3
2016-08-31 23:07:48 +02:00
Joas Schilling
f9cea0b582
Merge pull request #797 from nextcloud/only-match-for-auth-cookie
...
Match only for actual session cookie
2016-08-31 15:59:16 +02:00
Lukas Reschke
d50e7ee36c
Remove reading PATH_INFO from server variable
...
Having two code paths for this is unreliable and can lead to bugs. Also, in some cases Apache isn't setting the PATH_INFO variable when mod_rewrite is used.
Fixes https://github.com/nextcloud/server/issues/983
2016-08-19 14:48:13 +02:00
Joas Schilling
027069cbae
Merge pull request #846 from nextcloud/provisioning_api_ocs
...
Move Provisioning API to the AppFramework
2016-08-17 10:23:13 +02:00
Marius Blüm
c1632c3abd
Merge pull request #893 from nextcloud/ie8_be_gone
...
IE8 be gone!
2016-08-17 09:02:58 +02:00
Roeland Jago Douma
8f3dc0ba43
Remove IE_8 user agent string
2016-08-16 21:01:32 +02:00
Arthur Schiwon
75a73a5a73
satisfy dependencies for files_external
2016-08-15 13:38:02 +02:00
Roeland Jago Douma
e3b0e50dda
Extend OCSMiddleware
...
* Always set 401 (v1.php and v2.php)
* Set proper error codes for v2.php
* Proper OCS output on unhandled exceptions
2016-08-14 18:34:01 +02:00
Roeland Jago Douma
deba0f9922
Move OCS Middleware before security middleware
...
This is required to be able to catch the NotLoggedIn exceptions etc in
the OCSMiddleware and convert them to proper OCS Responses.
2016-08-14 18:34:01 +02:00
Arthur Schiwon
8188bb4509
simplify encryption manager fetching in DIContainer
2016-08-13 01:26:11 +02:00
Lukas Reschke
8261ccce1b
Merge branch 'master' into implement_712
2016-08-11 19:37:17 +02:00
Arthur Schiwon
a2f752bcf3
adjust files_external
2016-08-11 15:50:31 +02:00
Arthur Schiwon
1eb8b951c2
more admin page splitup improvements
...
* bump version to ensure tables are created
* make updatenotification app use settings api
* change IAdmin::render() to getForm() and change return type from Template to TemplateResponse
* adjust User_LDAP accordingly, as well as built-in forms
* add IDateTimeFormatter to AppFramework/DependencyInjection/DIContainer.php. This is important so that \OC::$server->query() is able to resolve the
constructor parameters. We should ensure that all OCP/* stuff that is available from \OC::$server is available here. Kudos to @LukasReschke
* make sure apps that have settings info in their info.xml are loaded before triggering adding the settings setup method
2016-08-10 15:21:25 +02:00
Lukas Reschke
5214b62d55
Merge pull request #691 from nextcloud/ocs_allow_all_old_routes
...
Allow ocs/v2.php/cloud/... routes
2016-08-09 20:52:49 +02:00
Lukas Reschke
b53ea18ea5
Match only for actual session cookie
...
OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.
2016-08-09 19:23:08 +02:00
Roeland Jago Douma
0032a5c2d1
Hanlde Core and Settings app in AppFramework
...
'core' and 'settings' are just apps but we treat them slightly
different. Make sure that we construct the correct namespace so we can
actually do automatic AppFramework stuff.
2016-08-08 20:48:16 +02:00
Roeland Jago Douma
63f6d2d558
Allow ocs/v2.php/cloud/... routes
...
One of the possibilities of the old OCS API is that you can define the
url yourself.
This PR makes this possible again by adding an optional root elemenet to
the route. Routes are thus:
.../ocs/v2.php/<root>/<url>
By default <root> = apps/<app>
This will allow for example the provisioning API etc to be in
../ovs/v2/php/cloud/users
2016-08-08 15:01:26 +02:00
Roeland Jago Douma
5c718b13b8
We should properly check for 'true' instaed of the bool
2016-08-01 08:52:50 +02:00
Roeland Jago Douma
f7f5216aa3
Dark hackery to not always disable CSRF for OCS controllers
2016-07-29 15:49:27 +02:00
Roeland Jago Douma
8bdd0adcee
Support subdir in the OCS v2 endpoint
...
We should check against the ending substring since people could
run their nextcloud in a subfolder.
* Added test
2016-07-27 15:28:35 +02:00
Joas Schilling
da97a69148
Allow DI of the workflow manager by the OCP interface
2016-07-27 11:46:09 +02:00
Morris Jobke
e51afa1684
Merge pull request #509 from nextcloud/appframework_magic_allow_default_vars
...
AppFramework add default values (ApiController) as parameters
2016-07-25 13:18:53 +02:00
Roeland Jago Douma
b543fd8d30
Set proper status code in OCS AppFramework Middleware
2016-07-22 12:53:47 +02:00
Roeland Jago Douma
1b73a63041
Inject parameters
2016-07-22 10:12:26 +02:00
Morris Jobke
8c7d7d7746
Merge pull request #507 from nextcloud/run-le-script
...
Update emails and license headers with latest changes
2016-07-21 23:27:15 +02:00
Lukas Reschke
562e63cf69
Merge pull request #480 from nextcloud/fix_ocs_response_format
...
AppFramework default response for OCS is xml
2016-07-21 19:52:17 +02:00
Joas Schilling
0215b004da
Update with robin
2016-07-21 18:13:58 +02:00
Joas Schilling
ba87db3fcc
Fix others
2016-07-21 18:13:57 +02:00
Lukas Reschke
c385423d10
Merge pull request #479 from nextcloud/add-bruteforce-throttler
...
Implement brute force protection
2016-07-21 00:31:02 +02:00
Lukas Reschke
ba4f12baa0
Implement brute force protection
...
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.
It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Roeland Jago Douma
e42f2f2650
AppFramework do not get default response
...
The OCSResponse differs from other responses in that it defaults to
XML. However we fell back to json by default.
This makes sure that if nothing is set we don't pass anything.
Which defaults then to the controllers default (which is often 'json')
but in the case of the OCSResponse 'xml'.
2016-07-20 22:05:43 +02:00
Lukas Reschke
020a2a6958
Merge pull request #476 from nextcloud/port-same-site-cookies
...
[master] Port Same-Site Cookies to master
2016-07-20 21:35:02 +02:00
Roeland Jago Douma
ea47974a08
Add OCSMiddleware to catch OCS exceptions
...
* OCSException
* OCSBadRequestException
* OCSForbiddenException
* OCSNotFoundException
2016-07-20 20:03:49 +02:00
Lukas Reschke
a299fa38a9
[master] Port Same-Site Cookies to master
...
Fixes https://github.com/nextcloud/server/issues/50
2016-07-20 18:37:57 +02:00
Roeland Douma
13a25535d2
Merge pull request #400 from nextcloud/ocs_appframework
...
OCS routes use AppFramework
2016-07-19 12:21:14 +02:00
Joas Schilling
b1d652e8b0
Copy the regexes to the public interface
2016-07-18 15:11:44 +02:00
Roeland Jago Douma
0bda09236e
Add route tests
2016-07-18 11:09:49 +02:00