server

Author	SHA1	Message	Date
Roeland Jago Douma	7276735eb4	Set empty CSP by default For #14179 By default responses should have the strictest (and simplest) CSP possible. Only template responses should require an actual CSP. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-04-16 14:09:39 +02:00
Marius David Wieschollek	5aeb8eac2b	[#11236 ] Set parameter type in QBMapper Signed-off-by: Marius David Wieschollek <git.public@mdns.eu>	2019-03-24 22:43:45 +01:00
Roeland Jago Douma	b68567e9ba	Add StandaloneTemplateResponse This can be used by pages that do not have the full Nextcloud UI. So notifications etc do not load there. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-02-06 11:26:18 +01:00
Roeland Jago Douma	d88604015a	No need to emit additonalscript event on public pages There already is a separate event for this. This will make it possible to only inject code with the logged in one on default rendered pages. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-02-05 20:59:36 +01:00
Roeland Jago Douma	d182037bce	Emit to load additionalscripts Fixes #13662 This will fire of an event after a Template Response has been returned. There is an event for the generic loading and one when logged in. So apps can chose to load only on loged in pages. This is a more generic approach than the files app event. As some things we might want to load on other pages as well besides the files app. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-31 12:11:40 +01:00
Joas Schilling	f8b74cf0a5	Allow resources via OCS as well Signed-off-by: Joas Schilling <coding@schilljs.com>	2019-01-22 14:18:58 +01:00
Roeland Jago Douma	ad676c0102	Set default frame-ancestors to 'self' For #13042 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-08 15:36:40 +01:00
Roeland Jago Douma	64244e1a4f	CSP: Allow fonts to be provided in data Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-07 15:07:06 +01:00
Roeland Jago Douma	54ff913de6	Cleanup middleware registering Fixes #12224 Since we only use the middleware at 1 location it makes no sense to register them in each and every container. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-03 11:50:01 +01:00
Roeland Jago Douma	514426e27d	Only trust the X-FORWARDED-HOST header for trusted proxies Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-12-17 15:54:45 +01:00
Roeland Jago Douma	0e5147f001	Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-11-02 19:20:37 +01:00
Oliver Wegner	401ca28f07	Adding handling of CIDR notation to trusted_proxies for IPv4 Signed-off-by: Oliver Wegner <void1976@gmail.com>	2018-10-30 09:15:42 +01:00
Roeland Jago Douma	579822b6a5	Add report-uri to CSP Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-21 13:38:32 +02:00
Roeland Jago Douma	5b61ef9213	Disallow unsafe-eval by default Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-14 20:45:34 +02:00
Roeland Jago Douma	8c1e75e052	Do not use file as template parameter Using file will overwrite the $file parameter in the template base. Leading to trying to include a file that is the exception message. Which will of course fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-08-09 16:45:25 +02:00
Roeland Jago Douma	5455045a9b	Fix direct access to authen page Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-20 08:57:13 +02:00
Roeland Jago Douma	1bb8bc8ff9	Add AuthPublicShareControllerTest Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-20 08:53:38 +02:00
Roeland Jago Douma	61e445da88	Add PublicShareControllerTests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-20 08:53:38 +02:00
Roeland Jago Douma	e7338173e8	Add PublicShareMiddlewareTest Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-20 08:53:37 +02:00
Roeland Jago Douma	a34495933e	Move caching logic to response This avoids having to do it at all the places we want cached responses. We can't inject the ITimeFactor without breaking public API. However we can perfectly overwrite the service (resulting in the same testable effect). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-04 08:48:54 +02:00
Morris Jobke	a2db959f5c	Merge pull request #8593 from eneiluj/master Allow public page access to apps with group restrictions	2018-03-08 11:27:52 +01:00
Roeland Jago Douma	3ad7daeda5	Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-03-08 11:05:18 +01:00
Roeland Jago Douma	d179186430	Remove testcase Since a token now always requires a string we don't need to test for null Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-03-05 16:14:46 +01:00
Julius Härtl	5a4aa2b7dd	Add test for PublicTemplateResponse Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:53 +01:00
Morris Jobke	a60d7a8563	Merge pull request #8541 from nextcloud/translate-permission-error-page Provide translated error message for permission error	2018-02-26 17:50:21 +01:00
Morris Jobke	cf35c4b03a	Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-02-26 17:00:29 +01:00
Roeland Jago Douma	0ee45d3d20	Fix proper types Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-02-22 15:51:19 +01:00
Roeland Jago Douma	ca9f364fd4	Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-02-21 10:55:52 +01:00
Roeland Jago Douma	7405dfb544	Update tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-01-29 14:37:18 +01:00
Joas Schilling	bf2be08c9f	Fix risky tests without assertions Signed-off-by: Joas Schilling <coding@schilljs.com>	2018-01-25 11:33:25 +01:00
Joas Schilling	870023365c	Fix "Undefined method setExpectedException()" Signed-off-by: Joas Schilling <coding@schilljs.com>	2018-01-24 18:10:16 +01:00
Morris Jobke	2a38605545	Properly log the full exception instead of only the message Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-01-23 10:57:21 +01:00
Morris Jobke	c70927eaa0	Remove not needed 3rdparty app disabling during upgrade for PHP 5.x Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-01-19 14:00:27 +01:00
Joas Schilling	7bc9a69c3f	Remove deprecated core API Signed-off-by: Joas Schilling <coding@schilljs.com>	2018-01-15 17:54:50 +01:00
Roeland Jago Douma	57050146f6	Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-01-02 21:58:14 +01:00
Bjoern Schiessle	1bcbeb24bc	disable password confirmation with SSO Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	2018-01-02 20:30:37 +01:00
Bjoern Schiessle	f0202245ee	allow 'Nextcloud' in the user agent string of Android Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	2017-12-12 12:16:01 +01:00
Roeland Jago Douma	b88db3a389	Merge pull request #6921 from nextcloud/appmanager-securitymiddleware Use proper DI for security middleware for app enabled check	2017-10-24 19:58:24 +02:00
Morris Jobke	43e498844e	Use ::class in test mocks Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-10-24 17:45:32 +02:00
Morris Jobke	ce0c45a4ea	Use proper DI for security middleware for app enabled check Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-10-24 15:36:28 +02:00
Roeland Jago Douma	c257cd57d4	Handle SameSiteCookie check for index.php in AppFramework Middleware Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-09-24 21:07:16 +02:00
Thomas Citharel	ecf347bd1a	Add CSP frame-ancestors support Didn't set the @since annotation yet. Signed-off-by: Thomas Citharel <tcit@tcit.fr>	2017-09-15 15:23:10 +02:00
Lukas Reschke	f93a82b8b0	Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-08-01 17:32:03 +02:00
Morris Jobke	84c22fdeef	Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call Add metadata to \OCP\AppFramework\Http\Response::throttle	2017-08-01 14:43:47 +02:00
Roeland Jago Douma	f71dc7523f	Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-07-31 16:54:19 +02:00
Roeland Jago Douma	3548603a88	Fix middleware implementations signatures Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-07-31 16:54:19 +02:00
Lukas Reschke	f22ab3e665	Add metadata to \OCP\AppFramework\Http\Response::throttle Fixes https://github.com/nextcloud/server/issues/5891 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-07-27 14:17:45 +02:00
Roeland Jago Douma	0b495ceff8	Remove deprecated Controller Functions Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-07-20 11:03:12 +02:00
Lukas Reschke	8149945a91	Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-04-13 23:05:33 +02:00
Lukas Reschke	31ae39c569	Add tests for multiple parameters Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-04-13 12:00:18 +02:00

1 2 3

101 commits