The default expiration date for internal shares was set from the default
link expiration date instead of the internal one.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
In certain cases changeLock to EXCLUSIVE fails
and throws LockedException. This leaves the
file locked as SHARED in file_put_contents,
which prevents retrying (because on second
call file_put_contents takes another SHARED
lock on the same file, and changeLock doesn't
allow more than a single SHARED lock to promote
to EXCLUSIVE).
To avoid this case, we catch the LockedException
and unlock before re-throwing.
Signed-off-by: Ashod Nakashian <ashod.nakashian@collabora.co.uk>
The comparison of NULL is a bit special.
So we need to handle this a tad better, else it might not replace NULL
values or allow you to set NULL values on updates.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This is within the failed lock acquiring branch. So the lock is free by another process and should not be removed because the cached file (that was created by the process having the lock) appeared on the filesystem.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
The QBMapper is kind of a generic type, though this concept does not
exist in php. Hence you have a lot of type coercion in subtypes (mappers
in the individual apps) because you suddenly don't expect an Entity[]
but your specific type.
Luckily Psalm lets us type those. Then in the subclass you can
psalm-implement the mapper with a concrete type and psalm will do all
the magic to ensure types are used correctly.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
On some systems with a lot of users this creates a lot of extra DB
writes.
Being able to increase this interval helps there.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
When asking for sharees we compare not only UID and displayname but also
the email address. And if that matches we return the sharee as an exact
match. This logic had a flaw in that it also matched the empty string
to users with no email address.
This is most noticeable when you disable sharee enumeration and open the
ownership transfer dialog. It suggested other users of the instance
before. This has stopped now.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
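
The flaw described in the commit message above, reduced to a stand-alone PHP sketch. This is an added example, not Nextcloud's code; the user array, the function names and the sample users are constructed for illustration. It shows an exact-match lookup over UID, display name and email, first with the empty-string match and then with empty values excluded.

```php
<?php
declare(strict_types=1);

// Constructed sample users; 'bob' and 'carol' have no email address set.
const USERS = [
    ['uid' => 'alice', 'displayName' => 'Alice A', 'email' => 'alice@example.com'],
    ['uid' => 'bob',   'displayName' => 'Bob B',   'email' => ''],
    ['uid' => 'carol', 'displayName' => 'Carol C', 'email' => ''],
];

/** Flawed: an empty search term equals the empty email of bob and carol. */
function exactMatchesFlawed(array $users, string $search): array {
    $needle = strtolower($search);
    return array_values(array_filter($users, static function (array $u) use ($needle): bool {
        return strtolower($u['uid']) === $needle
            || strtolower($u['displayName']) === $needle
            || strtolower($u['email']) === $needle;
    }));
}

/** Corrected: an empty term or an empty attribute is never an exact match. */
function exactMatches(array $users, string $search): array {
    $needle = strtolower(trim($search));
    if ($needle === '') {
        return [];
    }
    return array_values(array_filter($users, static function (array $u) use ($needle): bool {
        foreach (['uid', 'displayName', 'email'] as $field) {
            if ($u[$field] !== '' && strtolower($u[$field]) === $needle) {
                return true;
            }
        }
        return false;
    }));
}

// With enumeration disabled only exact matches are returned, so an empty
// search term must not return any user.
foreach (['', 'ALICE@example.com', 'bo'] as $term) {
    printf("%-22s flawed=%d fixed=%d\n", var_export($term, true),
        count(exactMatchesFlawed(USERS, $term)), count(exactMatches(USERS, $term)));
}
```
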
Before when you have a user "smith" and a federated user "smith@example.com"
you could see the federation result with "smit" but not with "smith" anymore.
With most LDAP configurations and local backend setups this is disturbing and
causes issues.
The idea of not showing the email and federation on a matching user was with:
Local user registered with "smith@example.com" user id and having that same
email / cloud id in your contacts addressbook. So we now only hide those
"side results" when the search does contain an @
Signed-off-by: Joas Schilling <coding@schilljs.com>
Since we try to do range requests this will fail hard.
However since empty files are not that interesting to read anyways we
just read from an empty memory stream.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Since all the compiled routes are based on the server webroot,
we have to use this, independent from which app this belongs to.
Signed-off-by: Joas Schilling <coding@schilljs.com>
When your password changes out of bounds your Nextcloud tokens will
become invalid. There is no real way around that. However we should make
sure that if you successfully log in again your passwords are all
updated.
* Added event listener to the PostLoggedInEvent so that we can act on it
  - Only if it is not a token login
* Make sure that we actually reset the invalid state when we update a
  token. Else it keeps being marked invalid and thus not used.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Else we might run into the issue that for an external storage where the
size is not known yet we do not use zip64. Which then of course fails on
large zip files.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
If the object store errors we should not always delete the filecache
entry. As this might lead to people losing access to their files.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
instead of showing the generic 'Your storage is full' message, better explain that it's the group folder/external storage that is full
Signed-off-by: Robin Appelman <robin@icewind.nl>
- a configured flow can be brought into consideration, despite its event
  not being fired
- it could either run through
- or run into a RuntimeException and kill processing of valid flows
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Systems that upgrade have this enabled by default
* New systems disable it
* We'll have to add some warning in the setup checks if this is enabled
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
having the "cache rename" after the "storage move" caused the target
to get the fileid from the source file, without taking care that the object
is stored under the original file id.
By doing the "cache rename" first, we trigger the "update existing file"
logic while moving the file to the object store and the object gets stored for the
correct file id
Signed-off-by: Robin Appelman <robin@icewind.nl>
this allows an admin to configure the max trashbin size instead of always relying on the users quota.
The trashbin size can be configured using the `occ trash:size` command and can be set both globally and per-user
Signed-off-by: Robin Appelman <robin@icewind.nl>
Else people might have the feeling this is also doing 2FA. And since it
is only preferred it can be ignored and hacked around.
Once we have proper 2FA with webauthn in one go this probably needs to
be revisited.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
even when token is invalid or has no password.
Returning the uid as loginname is wrong, and leads to problems when
these differ. E.g. the getapppassword API was creating app token with
the uid as loginname. In a scenario with external authentication (such
as LDAP), these tokens were then invalidated next time their underlying
password was checked, and systematically ceased to function.
Signed-off-by: Lionel Elie Mamane <lionel@mamane.lu>
If we use the owners mount point this results in null. And then the rest
of the checks get called with null. Which doesn't work.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
The problem is that despite its name IGroup::searchDisplayName()
only searches by userid and this is less fixable than changing back to this method here
Signed-off-by: Joas Schilling <coding@schilljs.com>
In general it is good to set them to Lax. But also to give devs more
control over them is not a bad thing.
Helps with #21474
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
The S3 client enables this by default and then tries to read
`.aws/config`. This causes `open_basedir` restriction related error for
some setups. So this patch disables the CSM because it's most likely
unused anyway.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Some S3 providers need a custom upload part size (500 MB static value in Nextcloud).
Here is a commit to change this value via S3 configuration, instead of using S3_UPLOAD_PART_SIZE constant.
A new parameter is added for an S3 connection: uploadPartSize
Signed-off-by: Florent <florent@coppint.com>
When "send password by Talk" was disabled in a mail share it was
possible to keep the same password as before, as it does not pose any
security issue (unlike keeping it when "send password by Talk" is
enabled, as in that case the password was already disclosed by mail).
However, if a mail share is updated but the password is not set again
only the hashed password will be available. In that case it would not
make sense to send the password by mail, so now the password must be
changed when disabling "send password by Talk".
Note that, even if explicitly setting the same password again along with
the "send password by Talk" property would work, this was also prevented
for simplicity.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
When "send password by Talk" is enabled in a mail share a new password
must be also set. However, when the passwords of the original and the
new share were compared it was not taken into account that the original
password is now hashed, while the new one is not (unless no new password
was sent, in which case the password of the original share was set in
the new share by the controller, but that was already prevented due to
both passwords being literally the same), so it was possible to set the
same password again.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
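
The comparison problem described in the commit message above, as a stand-alone PHP sketch. This is an added example, not Nextcloud's code; `StoredShare`, the function names and the sample password are constructed, and PHP's `password_hash()`/`password_verify()` stand in for whatever hasher the project uses.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a stored mail share: only the hash is kept.
final class StoredShare {
    public string $passwordHash;

    public function __construct(string $passwordHash) {
        $this->passwordHash = $passwordHash;
    }
}

/** Flawed: compares a plaintext candidate with a stored hash as strings. */
function isSamePasswordNaive(StoredShare $original, string $newPlaintext): bool {
    return $original->passwordHash === $newPlaintext;
}

/** Corrected: verifies the plaintext candidate against the stored hash. */
function isSamePassword(StoredShare $original, string $newPlaintext): bool {
    return password_verify($newPlaintext, $original->passwordHash);
}

/** Rejects an update that keeps the password already disclosed by mail. */
function assertPasswordChanged(StoredShare $original, ?string $newPlaintext): void {
    if ($newPlaintext === null || $newPlaintext === '') {
        throw new InvalidArgumentException('A new password is required');
    }
    if (isSamePassword($original, $newPlaintext)) {
        throw new InvalidArgumentException('The password must differ from the previous one');
    }
}

// Constructed sample: the share was created with this password earlier.
$share = new StoredShare(password_hash('correct horse', PASSWORD_DEFAULT));

var_dump(isSamePasswordNaive($share, 'correct horse')); // string compare vs. hash
var_dump(isSamePassword($share, 'correct horse'));      // hash verification

foreach (['correct horse', 'battery staple', ''] as $candidate) {
    try {
        assertPasswordChanged($share, $candidate);
        echo "accepted: '$candidate'\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: '$candidate' ({$e->getMessage()})\n";
    }
}
```
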
When "send password by Talk" is enabled in a link share now a non empty
password is enforced.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Else, if a lot of writes happen, it might happen that an old stat result
is used, resulting in a wrong file size for the file. For example the
text app when a lot of people edit at the same time.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Before the resources/config/ca-bundle.crt was only used when the list of custom
certificates was empty and the instance was not installed. But it should also
be used when the list is empty and the instance is installed.
This is inverting the logic to stop if the instance is not installed to use the
default bundle. And it also does this when the list is empty.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Before we'd also get the displayname for each group in the backend. In a
separate query. This is of course not ideal as this information is
obtained on each and every query. Now this is queried once and properly
cached.
Also added more caching to the manager.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
In test it reduced the transferred data from 5 MB to 2 MB. This should reduce the load on the appstore significantly.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>