server/lib/private
Roeland Jago Douma bb94b39745
Do not clear CSRF token on logout (fix for #1303)
This is a hacky way to allow the use case of #1303.

What happens is

1. User tries to login
2. PreLoginHook kicks in and figures out that the user needs to change
their LDAP password or whatever => redirects user
3. While loading the redirect some logic of ours kicks in and logs out
the user (thus clearing the session).
4. We render the new page but now the session and the page disagree
about the CSRF token

This is kind of hacky but I don't think it introduces new attack
vectors.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-13 22:16:56 +01:00
Accounts bring back setEmailAddress for the user management 2016-11-25 10:26:48 +01:00
Activity Add an event merger and use it for the files activities 2016-11-25 15:36:11 +01:00
App Fix unit tests and improve appstore logic 2017-02-24 08:34:14 +01:00
AppFramework dont require strict same site cookies for ocs requests 2017-03-09 16:48:48 +01:00
Archive replace close:// streamwrapper with CallBackWrapper 2017-01-06 15:33:32 +01:00
Authentication do not hard-require the token provider 2017-01-11 19:20:11 +01:00
BackgroundJob
Cache Remove deprecated OC_User::isLoggedIn 2017-03-02 22:59:39 +01:00
Command
Comments @since 9.2.0 to @since 11.0.0 2016-11-15 18:51:52 +01:00
Console Revert unintentional log timestamp format change 2017-01-30 15:06:23 +01:00
DB Add bitwise AND and OR to the expression builder 2017-01-05 14:30:25 +01:00
Diagnostics Cap the number of queries we save in the query logger 2016-11-03 16:00:28 +01:00
Encryption Remove legacy class OC_Group and OC_User 2017-03-09 17:35:09 -06:00
Federation Fix DI of the cloud id manager into apps 2017-02-14 12:47:46 +01:00
Files dont allow empty wildcard search 2017-03-13 16:06:19 +01:00
Group spaces added 2017-01-10 16:43:43 +03:00
Hooks
Http/Client Rebrand to "Nextcloud" and add 100% coverage 2017-01-02 14:51:16 +01:00
IntegrityCheck Merge pull request #2724 from nextcloud/fix-23591 2016-12-21 13:03:13 +01:00
L10N Simplify isSubDirectory check 2016-10-07 21:56:43 +02:00
legacy Merge pull request #3778 from nextcloud/verify_jpg_files 2017-03-10 18:17:51 +01:00
Lock
Lockdown Implement webdav SEARCH 2017-03-01 14:06:39 +01:00
Log author update 2017-03-10 17:24:37 +08:00
Mail Fix default of mail_smtpmode - fixes #3102 2017-01-19 19:59:53 -06:00
Memcache Make sure old instances don't break 2017-01-05 11:57:18 +01:00
Migration
Notification @since 9.2.0 to @since 11.0.0 2016-11-15 18:51:52 +01:00
OCS announce public endpoints to sync trusted servers 2017-03-09 10:07:52 +01:00
Preview MP3 without cover don't get a preview 2017-03-10 08:52:23 +01:00
Repair Fix DI 2017-03-03 12:20:02 +01:00
RichObjectStrings @since 9.2.0 to @since 11.0.0 2016-11-15 18:51:52 +01:00
Route Add system config htaccess.IgnoreFrontController for prettyURLs w/o mod_env 2016-11-16 22:28:49 +01:00
Search
Security introduce brute force protection for api calls 2017-01-18 15:25:15 +01:00
Session Do not clear CSRF token on logout (fix for #1303) 2017-03-13 22:16:56 +01:00
Settings Add the icon for the default sections 2017-01-19 10:42:21 +01:00
Setup Add proper default value for datadir 2017-01-19 19:49:41 -06:00
Share Remove legacy class OC_Group and OC_User 2017-03-09 17:35:09 -06:00
Share20 Fix return type of share provider 2017-03-01 13:45:04 +01:00
SystemTag
Tagging
Template Allow using import in sass files 2017-03-09 20:29:50 +01:00
Updater Document updater channel & check for correct PHP version in updater 2016-12-06 00:19:13 +01:00
User Remove legacy class OC_Group and OC_User 2017-03-09 17:35:09 -06:00
AllConfig.php Merge pull request #3023 from nextcloud/issue-2915-filter-out-sensitive-appconfigs 2017-01-17 11:01:42 +01:00
AppConfig.php Make sure the spreed TURN server secret stays a secret 2017-01-17 11:29:10 +01:00
AppHelper.php
Avatar.php Add message to NotSquareException thrown from Avatar 2016-10-24 11:27:27 +02:00
AvatarManager.php avatar to appdata 2016-10-05 11:00:16 +02:00
CapabilitiesManager.php
Config.php
ContactsManager.php
DatabaseException.php
DatabaseSetupException.php
DateTimeFormatter.php
DateTimeZone.php
ForbiddenException.php
HintException.php add missing phpdoc to HintException 2016-11-28 11:34:23 +01:00
HTTPHelper.php
Installer.php Don't use cached informations for app version 2016-12-09 18:01:45 +01:00
LargeFileHelper.php Merge pull request #1890 from nextcloud/downstream-25428 2016-10-25 14:44:27 +02:00
Log.php Don't log the password on confirmPassword when LDAP throws an exception 2017-02-07 12:16:11 +01:00
NaturalSort.php
NaturalSort_DefaultCollator.php
NavigationManager.php Force to specify the name 2017-01-27 09:44:11 +01:00
NeedsUpdateException.php
NotSquareException.php
PreviewManager.php Rewrite old preview endpoint for PreviewManager 2017-01-04 16:51:44 +01:00
PreviewNotAvailableException.php
RedisFactory.php
Repair.php Fix DI 2017-03-03 12:20:02 +01:00
RepairException.php
Search.php
Server.php Add a single public api for resolving a cloud id to a user and remote and back 2017-02-08 15:17:02 +01:00
ServerContainer.php
ServerNotAvailableException.php
ServiceUnavailableException.php
Setup.php Serve robots.txt if the RewriteBase is configured 2017-03-06 21:55:29 +01:00
Streamer.php Add doc block for $time 2016-11-28 14:26:30 +01:00
SubAdmin.php Fix CamelCasing 2017-01-18 11:45:26 +01:00
SystemConfig.php Fix tests 2017-01-12 10:49:22 +01:00
TagManager.php
Tags.php
TemplateLayout.php Catch exception from path info 2017-02-22 11:08:58 +01:00
TempManager.php
Updater.php Fix return value of getAllowedPreviousVersions() 2017-02-09 23:24:24 -06:00
URLGenerator.php Check if the theming app is loaded 2016-12-09 12:52:17 +01:00