provokateurin
5fa4c3d8fd
fix(publicremote): Always grant read and delete permission for chunked uploads to a share
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-10-15 23:37:58 +02:00
Louis Chemineau
009d0c550c
fix: Move CSRF check from base to PublicAuth for public.php
...
This currently prevents directly accessing a resource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment.
Skipping the check is an issue with password protected shares, as it allows third party sites to request the resource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add it again in the `PublicAuth` plugin.
We also add a redirect to be helpful to the user.
**Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view.
Fix #52482
Signed-off-by: Louis Chemineau <louis@chmn.me>
2025-05-21 16:01:36 +02:00
Ferdinand Thiessen
3d113ab6cc
refactor(dav): use Node API instead of private files view for filedrop plugin
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2025-05-16 14:37:30 +02:00
provokateurin
46f5b07322
feat(dav): Enable chunked upload for public shares
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-05-05 13:23:11 +02:00
provokateurin
7f0953d520
refactor(dav): Replace baseuri manipulation with RootCollection for public shares
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-05-05 13:23:11 +02:00
Git'Fellow
5dcec08e98
fix(shares): Allow underscores on custom links
...
Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
2025-03-26 08:14:52 +01:00
provokateurin
81acb210ce
fix(dav): Fix share token pattern for base uri extraction
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-03-10 10:10:46 +01:00
Côme Chilliet
1580c8612b
chore(apps): Apply new rector configuration to autouse classes
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2024-10-15 10:40:25 +02:00
John Molakvoæ (skjnldsv)
abd0cddd38
feat: make systemtags public visible
...
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2024-10-11 16:06:44 +02:00
Ferdinand Thiessen
bbc5d32c8e
fix(dav): Public WebDAV endpoint should allow GET requests
...
`GET` should be allowed even without Ajax header to allow downloading files,
or show files in the viewer. All other requests could be guarded, but this should not.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-10-09 17:10:52 +02:00
Ferdinand Thiessen
cb1b366baf
fix(dav): Ensure share properties are also set on public remote endpoint
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-08-12 11:28:03 +02:00
skjnldsv
f28d933acc
feat(files_sharing): add public name prompt for files requests
...
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2024-07-18 20:15:39 +02:00
Robin Appelman
7a9efcf4cc
perf: remove full filesystem setup for accessing public link share dav endpoints
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2024-06-20 12:15:43 +02:00
Andy Scherzinger
9d4b944098
chore: Add SPDX header
...
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-27 20:11:22 +02:00
John Molakvoæ
20a0b9cbaf
fix(dav): ajax request check on public remote endpoints
...
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-17 09:05:11 +01:00
John Molakvoæ
9e4c9b97dd
fix(psalm): update baseline and suppress unnecessary issues
...
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-09 11:08:46 +01:00
John Molakvoæ
18399fc1cf
fix: improve typing and use \OCP\Server::get
...
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-09 10:56:34 +01:00
John Molakvoæ
82b5a19a35
fix: public dav and files_sharing testing fixes
...
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-09 10:56:14 +01:00
John Molakvoæ
7b6a650b6e
feat: public dav endpoint v2
...
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-09 10:56:06 +01:00