Commit graph

101 commits

Author SHA1 Message Date
Roeland Jago Douma
8626ccab1c
dont require strict same site cookies for ocs requests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-09 16:48:48 +01:00
Roeland Jago Douma
f8c459f1a4 Merge pull request #3607 from nextcloud/api-to-resend-welcome-message
OCS API endpoint to resend welcome message
2017-03-03 13:50:30 +01:00
Sebastian Wessalowski
e399097e3a Remove deprecated OC_User::isLoggedIn
Signed-off-by: Sebastian Wessalowski <sebastian@wessalowski.org>
2017-03-02 22:59:39 +01:00
Morris Jobke
552921d429
Fix injection of defaults
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-02-28 16:30:34 -06:00
Morris Jobke
50f3efad6f
OCS API endpoint to resend welcome message
* send a POST request to ocs/v1.php/cloud/users/USERNAME/resendWelcomeMessage to trigger
  the welcome message to be send
* fixes #3367

example curl statement:

  curl -i https://example.org/ocs/v1.php/cloud/users/USERNAME/welcome -H  "OCS-APIRequest: true" -u admin:password -X POST

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-02-28 16:30:33 -06:00
Joas Schilling
0be2921966
Fix DI of the cloud id manager into apps
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-14 12:47:46 +01:00
Morris Jobke
dfaaebd765 Merge pull request #3417 from nextcloud/push-notification
Push notification
2017-02-10 16:00:47 -06:00
Joas Schilling
33fb86f68b
Fix detection of the new iOS app
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-10 10:10:21 +01:00
Joas Schilling
efdc51c155
Make sure to use the right appdata directory
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-09 15:03:00 +01:00
Christoph Wurst
5e728d0eda oc_token should be nc_token
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-02-02 21:56:44 +01:00
Morris Jobke
5bad417e57 Merge pull request #2044 from nextcloud/login-credential-store
Login credential store
2017-01-30 19:30:04 -06:00
Bjoern Schiessle
32e0ec3e58
handle optional annotation parameters
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
Joas Schilling
29a0a23918
Fix the regex for annotations with values
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-01-18 15:25:16 +01:00
Bjoern Schiessle
df296249d6
introduce brute force protection for api calls
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:15 +01:00
Christoph Wurst
a6dca9e7a0
add login credential store
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:09 +01:00
Joas Schilling
bc3da3a8f5
Remove IDb interface which was deprecated for 3 years already
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-14 11:42:16 +01:00
Joas Schilling
61e15988a0
Allow to overwrite the message which we already do in SubadminMiddleware
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-08 16:23:49 +01:00
Morris Jobke
d86b29b42b Merge pull request #2066 from nextcloud/fix-redirect-double-encoding
do not double encode the redirect url
2016-11-29 17:21:43 +01:00
Joas Schilling
da9468522b
Add an event merger and use it for the files activities
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-25 15:36:11 +01:00
Lukas Reschke
a05b8b7953
Harden cookies more appropriate
This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening.

See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications.

Fixes https://github.com/nextcloud/server/issues/1412

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-23 12:53:44 +01:00
Morris Jobke
332eaec4c0 Merge pull request #1447 from nextcloud/password-confirmation-for-some-actions
Password confirmation for some actions
2016-11-18 15:42:30 +01:00
Joas Schilling
bb7787a157
Add the 15 seconds to the window, instead of removing
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 12:10:51 +01:00
Joas Schilling
827b6a610e
Introduce PasswordConfirmRequired annotation
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 11:57:16 +01:00
Robin Appelman
4235b18a88
allow passing a stream to StreamResponse
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:30:36 +01:00
Roeland Jago Douma
f07d75a4dd
@since 9.2.0 to @since 11.0.0
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-15 18:51:52 +01:00
Christoph Wurst
0ebffa4a5f do not double encode the redirect url
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-09 16:14:46 +01:00
Christoph Wurst
d907666232
bring back remember-me
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Roeland Jago Douma
e55e6f1f14
Cleanup usages
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-29 14:29:50 +02:00
Roeland Jago Douma
740659a04c
Move away from OC_L10N
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-28 21:46:28 +02:00
Morris Jobke
d4969abc9d Merge pull request #1800 from nextcloud/nextcloud-rich-object-strings
Nextcloud rich object strings
2016-10-27 15:30:58 +02:00
Joas Schilling
c20ab0049f
Identify Chromium as Chrome
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-26 12:07:10 +02:00
Roeland Jago Douma
e351ba56f1
Move browserSupportsCspV3 to CSPNonceManager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-25 22:03:10 +02:00
Lukas Reschke
9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Roeland Jago Douma
7998689bc9
Added method to DB and fix test
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-24 09:45:04 +02:00
Joas Schilling
2098648850
Add Rich Object Definitions and a validator
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-20 12:14:51 +02:00
Morris Jobke
96f8f209b9 Merge pull request #1449 from nextcloud/comments-user-mention
Notifications for simple @-mentioning in comments
2016-10-17 09:30:47 +02:00
Thomas Müller
c5ca71ee82
[9.2] Register commands in info.xml (#26248)
* Use DI to load console commands from the apps - class name to be defined in the info.xml

* Load commands from info.xml

* Fix unit test

* Allow Di magic for IMountManager

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-11 19:48:26 +02:00
Thomas Müller
67d3574bdf
Don't parse info.xml but reuse already cached app infos - fixes #25603 (#25968)
* Don't parse info.xml but reuse already cached app infos - fixes #25603

* Use === in InfoParser. Fixes test

* InfoParser should not depend on UrlGenerator - fixes issue with session being closed too early
2016-10-07 20:58:22 +02:00
Arthur Schiwon
e1073cf442
Notificacations for simple @-mentioning in comments
(WIP) notify user when mentioned in comments

Fix doc, and create absolute URL for as notification link.

PSR-4 compatibility changes

also move notification creation to comments app

Do not notify yourself

unit test for controller and application

smaller fixes

- translatable app name
- remove doubles in mention array
- micro perf optimization
- display name: special label for deleted users, keep user id for users that could not be fetched from userManager

Comment Notification-Listener Unit Test

fix email adresses

remove notification when triggering comment was deleted

add and adjust tests

add missing @license tags

simplify NotificationsController registration

appinfo simplification, php docs

make string easier to translate

adjust test

replace dispatcher-based listeners with a registration method and interface

safer to not pass optional data parameter to setSubject for marking as processed. ID and mention suffices

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

update comment

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2016-10-07 17:11:19 +02:00
Joas Schilling
a0b34dfd2f Merge pull request #1629 from nextcloud/cleanup-settings-application
Cleanup settings Application class
2016-10-06 16:57:39 +02:00
Joas Schilling
8b3deb00b3
When we can not create the class, try if the variable is a registered service
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-05 16:33:19 +02:00
Roeland Jago Douma
3260f69590
Add for proper DI
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-05 11:00:16 +02:00
Lukas Reschke
598b243838 Merge pull request #1426 from nextcloud/sanitze_opt
Optimize sanitizeName
2016-09-26 14:10:50 +02:00
Joas Schilling
d9063b6141
Use default value instead of throwing when the service could not be found 2016-09-20 13:26:06 +02:00
Roeland Jago Douma
e200eda18d
Optimize sanitizeName 2016-09-16 09:52:52 +02:00
Roeland Jago Douma
7c078a81b4
Add trict CSP to OCS responses
If a repsonse now explicitly has the Empty CSP set then the middleware
won't touch it.
2016-09-15 13:11:36 +02:00
Roeland Jago Douma
959bf0d1a7
Cache the build ControllerName
Often a route.php file will have many N routes but only M controllers.
Where N >= M. Which means that in most cases the ControllerName will be
converted multiple times. This is of course far from ideal.

Note that this is per app so the cache will contain at most N entries.
Which is not to bad.
2016-09-11 13:25:32 +02:00
Roeland Jago Douma
240798329d
Set proper content type on OCS responses 2016-09-07 10:55:56 +02:00
Roeland Jago Douma
3c55fe6bab
Split OCS version handling
This cleans up a bit the OCSController/Middleware. Since the 2 versions
of OCS differ a bit. Moved a lot of stuff internal since it is of no
concern to the outside.
2016-09-06 11:57:39 +02:00
Roeland Jago Douma
7f84f05e4d
Cache parsing of info.xml 2016-09-02 09:03:09 +02:00