Commit Graph

357 Commits

Author SHA1 Message Date
Roeland Jago Douma a2dec13283 Harden middleware check
These annotations will allow for extra checks. And thus make it harder
to break things.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-10-25 14:34:41 +00:00
Sergej Nikolaev 907660e05c fix oauth client redirect
Signed-off-by: Sergej Nikolaev <kinolaev@gmail.com>
2019-10-07 10:05:03 +00:00
Roeland Jago Douma cd1f443804
Allow rotation of apppasswords
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-27 13:46:06 +02:00
Daniel Kesselberg e32b2c4b76
Stop if there is no encrypted token
Fix Argument 1 passed to OC\Security\Crypto::decrypt() must be of the type string, null given

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-08-18 19:58:50 +02:00
Roeland Jago Douma 6dc179ee12
Fix login flow form actions
So fun fact. Chrome considers a redirect after submitting a form part of
the form actions. Since we redirect to a new protocol (nc://login/).
Causing the form submission to work but the redirect failing hard.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-11 19:53:49 +02:00
Roeland Jago Douma 436f7b92d5
Merge pull request #16544 from nextcloud/bugfix/16540
Add missing password reset page to vue
2019-07-31 11:02:20 +02:00
Julius Härtl 3b0d13944a
Move actual password reset to vue
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-07-31 09:19:07 +02:00
Morris Jobke ec7e837d6a
Merge pull request #16563 from nextcloud/enh/lostcontroller/better_exceptions
Use proper exception in lostController
2019-07-29 10:42:36 +02:00
Roeland Jago Douma b6dd2ebd39
Use proper exception in lostController
There is no need to log the expcetion of most of the stuff here.
We should properly log them but an exception is excessive.

This moves it to a proper exception which we can catch and then log.
The other exceptions will still be fully logged.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-27 20:12:16 +02:00
Roeland Jago Douma a2a53848b0
Update PreviewController
The constructor is called with the userId. However if a user is not
logged in this is null. Which means that we get an exception instead of
this being handled gracefully in the middleware.

There are cleaner solutions. But this is the solution that is the
easiest to apply without lots of work and risk of breaking things
(handling the logged in middleware before initializing the controller
etc).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-26 17:37:11 +02:00
Morris Jobke 5c21b29d7f
Merge pull request #16308 from nextcloud/fix/undefined-offset-0
Prevent undefined offset 0 in findByUserIdOrMail
2019-07-10 12:16:36 +02:00
Daniel Kesselberg d57540ac84
Return first value from $users
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-07-09 19:29:14 +02:00
Daniel Kesselberg 6235a66aac
Don't send executionContexts for Clear-Site-Data
There are plans to remove executionContexts from the spec: https://github.com/w3c/webappsec-clear-site-data/issues/59

Firefox already removed it https://bugzilla.mozilla.org/show_bug.cgi?id=1548034

Chromium implementation is not finish: https://bugs.chromium.org/p/chromium/issues/detail?id=898503&q=clear-site-data&sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-07-09 15:08:25 +02:00
Joas Schilling 05381f00d2
Fall back to black for non-color values
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-06-20 15:23:06 +02:00
Julius Härtl df072471a7
Add extendedSupport to Subscription
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-06-17 16:36:23 +02:00
Christoph Wurst 64c4bb5bce
Vueify the login page
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-29 11:05:16 +02:00
Roeland Jago Douma f03eb7ec3c
Remote wipe support
This allows a user to mark a token for remote wipe.
Clients that support this can then wipe the device properly.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-20 20:50:27 +02:00
Roeland Jago Douma 528eb1b223
Merge pull request #15304 from nextcloud/enh/2fa_setup_at_login
2FA setup during login
2019-05-17 11:04:42 +02:00
Roeland Jago Douma 579162d7b9
Allow 2FA to be setup on first login
Once 2FA is enforced for a user and they have no 2FA setup yet this will
now prompt them with a setup screen. Given that providers are enabled
that allow setup then.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-17 10:11:53 +02:00
Roeland Jago Douma 2dcb4cfbd6
Allow clients to delete their own apptoken
Fixes #15480

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-05-17 09:52:06 +02:00
Christoph Wurst 170582d4f5
Add a login chain to reduce the complexity of LoginController::tryLogin
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-07 18:04:36 +02:00
Roeland Jago Douma 7e7146db7f
Block install without CAN_INSTALL file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-04-11 09:32:33 +02:00
Joas Schilling c5560117da
Make the endpoint more robust against faulty resource providers
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-28 09:26:38 +01:00
Joas Schilling 21425eb964
Return 200 instead of 404 when asking for collections of a resource
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-19 13:13:53 +01:00
Joas Schilling 3022ef687a
Use rich objects instead of name, link and icon
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-19 13:06:55 +01:00
Joas Schilling 403b673b93
Replace the icon-class with an absolute link to an image
Otherwise the icon can not be displayed in mobile apps

Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-19 13:06:55 +01:00
Joas Schilling eecd9323c5
Also check the access to collections on preparing
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 20:56:58 +01:00
Joas Schilling 59c92a7513
Further work on the access cache
Searching for all is still a problem

Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 20:56:19 +01:00
Joas Schilling dee6f7f61f
Fix doc blocks
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 20:56:18 +01:00
Julius Härtl e404ce7096
Implement search and rename in backend
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-03-01 20:56:18 +01:00
Julius Härtl 53ac9bdda1
Implement frontend for search/rename
Signed-off-by: Julius Härtl <jus@bitgrid.net>

Move to vuex

Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-03-01 20:56:18 +01:00
Julius Härtl 88aa3de784
Add iconClass to resources
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-03-01 20:56:17 +01:00
Julius Härtl 555afff015
Make sure we query the node before fetching the name
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-03-01 20:56:17 +01:00
Julius Härtl a72a6d73a3
Adjust parameter names on createCollectionOnResource
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-03-01 20:56:16 +01:00
Joas Schilling 702dcfb728
Make names mandatory
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 20:56:16 +01:00
Joas Schilling 5dfc56e925
Allow to create collections
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 20:56:15 +01:00
Joas Schilling 136d2c39ac
Provider functionality
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 20:56:15 +01:00
Joas Schilling 65a9ab47ea
Add a controller with the most important methods
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-03-01 20:56:15 +01:00
Joas Schilling 55f627d20b
Add an event to the Autocomplete Controller to allow to filter the results
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-02-26 15:32:14 +01:00
Morris Jobke 5cbe6532a0
Fix typo in info log for autoconfig
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2019-02-25 21:28:22 +01:00
Roeland Jago Douma e819e97829
Login flow V2
This adds the new login flow. The desktop client will open up a browser
and poll a returned endpoint at regular intervals to check if the flow
is done.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-25 07:24:50 +01:00
Daniel Kesselberg c583c5e7e2
Emit event if app password created
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-02-18 17:47:43 +01:00
Daniel Kesselberg 149a98edf6
Publish activity for app token created by client login flow
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-02-17 23:49:54 +01:00
Daniel Kesselberg 2ade2bef8c
Publish activity for app token created by ocs api
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-02-17 23:37:22 +01:00
Morris Jobke 0e9903c420
Merge pull request #13969 from nextcloud/enh/additional_scripts_no_on_public_pages
No need to emit additonalscript event on public pages
2019-02-07 15:57:14 +01:00
Michael Weimann bf1253cb49
Implement guest avatar endpoint
Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
2019-02-07 14:23:16 +01:00
Roeland Jago Douma 60e5a5eca4
Do not do redirect handling when loggin out
Fixes #12568
Since the clearing of the execution context causes another reload. We
should not do the redirect_uri handling as this results in redirecting
back to the logout page on login.

This adds a simple middleware that will just check if the
ClearExecutionContext session variable is set. If that is the case it
will just redirect back to the login page.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-06 11:29:32 +01:00
Roeland Jago Douma b68567e9ba
Add StandaloneTemplateResponse
This can be used by pages that do not have the full Nextcloud UI.
So notifications etc do not load there.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-06 11:26:18 +01:00
Roeland Jago Douma deb7d2364f
Merge pull request #13869 from nextcloud/enh/clean_pending_2fa_session_on_password_change
Clean pending 2FA authentication on password reset
2019-01-29 19:50:15 +01:00
Roeland Jago Douma ac8a6e2244
Clean pending 2FA authentication on password reset
When a password is reste we should make sure that all users are properly
logged in. Pending states should be cleared. For example a session where
the 2FA code is not entered yet should be cleared.

The token is now removed so the session will be killed the next time
this is checked (within 5 minutes).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-29 13:08:56 +01:00