280 commits

Author	SHA1	Message	Date
Robin Appelman	c712987878	send request id in response header ... Signed-off-by: Robin Appelman <robin@icewind.nl>	2022-02-01 14:24:01 +01:00
Carl Schwan	6312c0df69	Check style update ... Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-01-13 00:19:07 +01:00
Côme Chilliet	3a1b3745eb	Fix DateTime constructor calls with null ... Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2021-11-23 09:28:58 +01:00
Carl Schwan	6958d8005a	Add admin privilege delegation for admin settings ... This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2021-09-29 21:43:31 +02:00
Christoph Wurst	6d5cfe0c66	Move DateTime::RFC2822 to DateTimeInterface::2822 ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-06-23 15:30:43 +02:00
Christoph Wurst	770881d5d6	Move DateTime::ATOM to DateTimeInterface::ATOM ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-06-23 15:28:07 +02:00
Joas Schilling	181aab416a	Fix warnings about logException ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-06-04 10:57:09 +02:00
Lukas Reschke	377514aad1	Escape filename in Content-Disposition ... We should escape all occurences of ' and \ in here. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-06-02 19:22:17 +02:00
Joas Schilling	b6c6527705	Fix unauthorized OCS status in provisioning ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-05-12 08:16:07 +02:00
Christoph Wurst	99f0b10421	Merge pull request #26591 from nextcloud/techdebt/noid/less-ilogger ... Less ILogger	2021-04-27 15:38:12 +02:00
Joas Schilling	df47445c01	Fix unit tests ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-04-27 14:34:32 +02:00
Joas Schilling	174f4dd043	Fix ratelimit template ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-04-27 13:55:34 +02:00
Roeland Jago Douma	30e096f3f5	Allow overwriting isAuthenticated ... * Some implementations might check for different things * IT will not change how the current ones work Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2021-03-09 09:17:30 +01:00
Roeland Jago Douma	cc744740b7	Remove deprecated \OCP\API ... Time to remove this forgood now. Remaining constant moved over The world is a tiny bit better Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2021-03-03 20:54:32 +01:00
Christoph Wurst	8b64e92b92	Bump doctrine/dbal from 2.12.0 to 3.0.0 ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-01-08 11:45:19 +01:00
Roeland Jago Douma	48679ae39f	Make sure we just check for the keys ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-12-07 15:44:03 +01:00
Roeland Jago Douma	9163790b7c	Set frame-ancestors to none if none are filled ... frame-ancestors doesn't fall back to default-src. So when we apply a very restricted CSP we should make sure to set it to 'none' and not leave it empty. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-11-18 10:13:36 +01:00
Morris Jobke	f03bb4716b	Remove OCSResponse type hint - see #23827 ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2020-11-03 10:43:32 +01:00
Roeland Jago Douma	fa6a790859	Remove deprecated OCSResponse ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-11-01 14:12:27 +01:00
Morris Jobke	91d445909a	Fix code style ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2020-10-12 14:54:51 +02:00
Robin Windey	6a1f8fb3be	Fix typo 'shared'	2020-10-12 14:19:41 +02:00
Christoph Wurst	d9015a8c94	Format code to a single space around binary operators ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-10-05 20:25:24 +02:00
Joas Schilling	95a301ea57	Fix tests ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-10-02 10:37:18 +02:00
Joas Schilling	a9f22ac7b1	More test fixing ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 12:40:25 +02:00
Morris Jobke	234b510652	Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2020-08-12 13:55:19 +02:00
Morris Jobke	0123cd0ae3	Use assertStringContainsString instead of assertContains on strings ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2020-07-23 17:11:29 +02:00
Christoph Wurst	91e7f12088	Adjust apps' code to use the ContainerInterface ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-07-21 20:43:18 +02:00
Roeland Jago Douma	7d7ba61625	Add real events to load additionalscripts ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-07-15 14:07:18 +02:00
Julius Härtl	81e5593133	Move to lazy panel registration during registration context ... Signed-off-by: Julius Härtl <jus@bitgrid.net>	2020-07-15 09:27:57 +02:00
Christoph Wurst	f03f88b437	Delegate bootstrap registration lazily ... * Keep the registration context * Expose the context object for other components * Ensure registration is only run once Search providers are migrated for demonstration. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-07-14 15:33:32 +02:00
Roeland Jago Douma	3f447b9c8c	Fix supporting defaults for routes ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-07-08 19:52:45 +02:00
Roeland Jago Douma	edc1c77dd9	Do not create a RouteActionHandler object for each route ... This is not required and doesn't allow us to be properly lazy. On top of it this doesnt allow us to cache the routes (since closures/objects can't be cached). This is the first small step into cleaning up the routing we have Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-07-07 12:33:22 +02:00
Holger Hees	e70249e089	Update SecurityMiddleware.php ... OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header. in other areas OC::$WEBROOT is always used together with an /	2020-07-06 21:34:46 +02:00
Christoph Wurst	4a3ea04baa	Callable parameter injection ... This is like what we have to DI and classes, but for callables. The motivating factor is to get rid of *service locators* in the `boot` method of apps as a new pattern is about to emerge where we have lots of `query` calls on the app or server container in order to fetch some services. With this little helper it's possible to call another (public) method and magically have everything injected. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-07-03 14:37:46 +02:00
Joas Schilling	74a9cadc50	Fix IPv6 remote addresses from X_FORWARDED_FOR headers before validating ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-07-02 11:13:13 +02:00
Joas Schilling	b7060be18d	Fix robots "noindex, nofollow" signals ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-06-25 08:29:43 +02:00
Christoph Wurst	4488e846a5	Add unified search API ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-06-24 14:20:25 +02:00
blizzz	859941db32	Merge pull request #21479 from nextcloud/fix/21474/allow_specifying_cookie_type ... Allow to specify the cookie type for appframework responses	2020-06-22 13:00:12 +02:00
Roeland Jago Douma	fbf9772a3e	Allow to specify the cookie type for appframework responses ... In general it is good to set them to Lax. But also to give devs more control over them is not a bad thing. Helps with #21474 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-06-22 08:38:44 +02:00
Roeland Jago Douma	c006b5ff2a	Fix unit test of the ResponseTest ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-06-21 09:44:56 +02:00
Christoph Wurst	2b7b7144d4	Allow crash reporters registration during app bootstrap ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-06-19 10:38:26 +02:00
Christoph Wurst	69571fb536	Add dedicated API for apps' bootstrapping process ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-06-17 09:22:21 +02:00
Roeland Jago Douma	7c15c63b05	Merge pull request #20939 from nextcloud/enh/middleware/not_modified ... Move not modified check to the middleware	2020-05-13 09:04:56 +02:00
Roeland Jago Douma	4fbea316a7	Merge pull request #20897 from nextcloud/bugfix/httpcache ... Proxy server could cache http response when it is not private	2020-05-13 08:27:05 +02:00
Roeland Jago Douma	12fa748c49	Move the notmodified check to middleware where it belongs ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-05-13 08:11:24 +02:00
Clement Wong	979dd1b6f5	Fix http cache test ... Signed-off-by: Clement Wong <git@clement.hk>	2020-05-12 11:50:48 +02:00
Roeland Jago Douma	203d7eb1d3	Add AppFramework GZip middleware to gzip responses ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-05-12 09:09:48 +02:00
Roeland Jago Douma	c870b6ab2e	Fix new routing in settings etc ... Also prefix resources Unify the prefix handling Handle urls with and without slash Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-04-22 13:09:25 +02:00
Joas Schilling	250467e842	Extend tests for root url ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-04-18 11:21:28 +02:00
Christoph Wurst	1584c9ae9c	Add visibility to all methods and position of static keyword ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 16:51:06 +02:00
Christoph Wurst	caff1023ea	Format control structures, classes, methods and function ... To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 14:19:56 +02:00
Christoph Wurst	14c996d982	Use elseif instead of else if ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 10:35:09 +02:00
Christoph Wurst	44577e4345	Remove trailing and in between spaces ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 16:07:47 +02:00
Christoph Wurst	afbd9c4e6e	Unify function spacing to PSR2 recommendation ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 13:54:22 +02:00
Christoph Wurst	2a529e453a	Use a blank line after the opening tag ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 11:50:14 +02:00
Christoph Wurst	41b5e5923a	Use exactly one empty line after the namespace declaration ... For PSR2 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 11:48:10 +02:00
Christoph Wurst	2fbad1ed72	Fix (array) indent style to always use one tab ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 10:16:08 +02:00
Christoph Wurst	85e369cddb	Fix multiline comments ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-08 22:24:54 +02:00
Christoph Wurst	463b388589	Merge pull request #20170 from nextcloud/techdebt/remove-unused-imports ... Remove unused imports	2020-03-27 17:14:08 +01:00
Christoph Wurst	b80ebc9674	Use the short array syntax, everywhere ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-26 16:34:56 +01:00
Christoph Wurst	2ee65f177e	Use the shorter phpunit syntax for mocked return values ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-25 22:21:27 +01:00
Christoph Wurst	74936c49ea	Remove unused imports ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-25 22:08:08 +01:00
Daniel Kesselberg	7af3bcb4bc	Add test to trigger "Trying to access array offset on value of type int" ... Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2020-01-23 10:18:14 +01:00
Daniel Kesselberg	8331d8296b	Make getServerHost more robust to faulty user input ... Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2020-01-16 11:26:29 +01:00
Daniel Kesselberg	d393b1612b	Modify regex to match some other chromium browsers ... Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2019-12-27 17:24:52 +01:00
Roeland Jago Douma	3a7cf40aaa	Mode to modern phpunit ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-11-27 15:27:18 +01:00
Roeland Jago Douma	c007ca624f	Make phpunit8 compatible ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-11-27 13:34:41 +01:00
Roeland Jago Douma	b607e3e6f4	Merge pull request #17948 from nextcloud/enh/check-if-property-is-bool ... Make isXXX available for bool properties only	2019-11-26 12:25:36 +01:00
Roeland Jago Douma	68748d4f85	Some php-cs fixes ... * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-11-22 20:52:10 +01:00
Daniel Kesselberg	a27c10daa6	Make isXXX available for bool properties only ... Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2019-11-16 00:39:48 +01:00
Christoph Wurst	de6940352a	Move settings to an app ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> Signed-off-by: npmbuildbot[bot] <npmbuildbot[bot]@users.noreply.github.com>	2019-09-28 09:39:28 +00:00
Roeland Jago Douma	3f12ec95f0	SessionMiddleware: declare session property ... * Remove request since we don't useit * Update tests as well Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-28 13:02:29 +02:00
Roeland Jago Douma	f81817b47d	Add tests ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-10 19:40:13 +02:00
Roeland Jago Douma	b8c5008acf	Add feature policy header ... This adds the events and the classes to modify the feature policy. It also adds a default restricted feature policy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-10 14:26:22 +02:00
Roeland Jago Douma	cf647451e5	Update CSP test cases to handle the new form-action ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-31 15:16:10 +02:00
Roeland Jago Douma	37a4282c7a	Split up security middleware ... With upcoming work for the feature policy header. Splitting this in smaller classes that just do 1 thing makes sense. I rather have a few small classes that are tiny and do 1 thing right (and we all understand what is going on) than have big ones. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-27 16:11:45 +02:00
Roeland Jago Douma	b0c2042a28	Merge pull request #15714 from nextcloud/fix/204_304_rfc ... Check the actual status code for 204 and 304	2019-05-24 19:51:01 +02:00
Roeland Jago Douma	b0c030cbb5	Check the actual status code for 204 and 304 ... The header is the full http header like: HTTP/1.1 304 Not Modified So comparing this to an int always yields false This also makes the 304 RFC compliant as the resulting content length should otherwise be the length of the message and not 0. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2019-05-24 15:18:32 +02:00
Christoph Wurst	22ae682823	Make it possible to show admin settings for sub admins ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2019-05-23 20:31:40 +02:00
Roeland Jago Douma	7276735eb4	Set empty CSP by default ... For #14179 By default responses should have the strictest (and simplest) CSP possible. Only template responses should require an actual CSP. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-04-16 14:09:39 +02:00
Marius David Wieschollek	5aeb8eac2b	[#11236] Set parameter type in QBMapper ... Signed-off-by: Marius David Wieschollek <git.public@mdns.eu>	2019-03-24 22:43:45 +01:00
Roeland Jago Douma	b68567e9ba	Add StandaloneTemplateResponse ... This can be used by pages that do not have the full Nextcloud UI. So notifications etc do not load there. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-02-06 11:26:18 +01:00
Roeland Jago Douma	d88604015a	No need to emit additonalscript event on public pages ... There already is a separate event for this. This will make it possible to only inject code with the logged in one on default rendered pages. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-02-05 20:59:36 +01:00
Roeland Jago Douma	d182037bce	Emit to load additionalscripts ... Fixes #13662 This will fire of an event after a Template Response has been returned. There is an event for the generic loading and one when logged in. So apps can chose to load only on loged in pages. This is a more generic approach than the files app event. As some things we might want to load on other pages as well besides the files app. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-31 12:11:40 +01:00
Joas Schilling	f8b74cf0a5	Allow resources via OCS as well ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2019-01-22 14:18:58 +01:00
Roeland Jago Douma	ad676c0102	Set default frame-ancestors to 'self' ... For #13042 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-08 15:36:40 +01:00
Roeland Jago Douma	64244e1a4f	CSP: Allow fonts to be provided in data ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-07 15:07:06 +01:00
Roeland Jago Douma	54ff913de6	Cleanup middleware registering ... Fixes #12224 Since we only use the middleware at 1 location it makes no sense to register them in each and every container. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-03 11:50:01 +01:00
Roeland Jago Douma	514426e27d	Only trust the X-FORWARDED-HOST header for trusted proxies ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-12-17 15:54:45 +01:00
Roeland Jago Douma	0e5147f001	Fix tests ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-11-02 19:20:37 +01:00
Oliver Wegner	401ca28f07	Adding handling of CIDR notation to trusted_proxies for IPv4 ... Signed-off-by: Oliver Wegner <void1976@gmail.com>	2018-10-30 09:15:42 +01:00
Roeland Jago Douma	579822b6a5	Add report-uri to CSP ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-21 13:38:32 +02:00
Roeland Jago Douma	5b61ef9213	Disallow unsafe-eval by default ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-14 20:45:34 +02:00
Roeland Jago Douma	8c1e75e052	Do not use file as template parameter ... Using file will overwrite the $file parameter in the template base. Leading to trying to include a file that is the exception message. Which will of course fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-08-09 16:45:25 +02:00
Roeland Jago Douma	5455045a9b	Fix direct access to authen page ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-20 08:57:13 +02:00
Roeland Jago Douma	1bb8bc8ff9	Add AuthPublicShareControllerTest ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-20 08:53:38 +02:00
Roeland Jago Douma	61e445da88	Add PublicShareControllerTests ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-20 08:53:38 +02:00
Roeland Jago Douma	e7338173e8	Add PublicShareMiddlewareTest ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-20 08:53:37 +02:00
Roeland Jago Douma	a34495933e	Move caching logic to response ... This avoids having to do it at all the places we want cached responses. We can't inject the ITimeFactor without breaking public API. However we can perfectly overwrite the service (resulting in the same testable effect). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-04 08:48:54 +02:00
Morris Jobke	a2db959f5c	Merge pull request #8593 from eneiluj/master ... Allow public page access to apps with group restrictions	2018-03-08 11:27:52 +01:00
Roeland Jago Douma	3ad7daeda5	Add tests ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-03-08 11:05:18 +01:00
Roeland Jago Douma	d179186430	Remove testcase ... Since a token now always requires a string we don't need to test for null Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-03-05 16:14:46 +01:00
Julius Härtl	5a4aa2b7dd	Add test for PublicTemplateResponse ... Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:53 +01:00
Morris Jobke	a60d7a8563	Merge pull request #8541 from nextcloud/translate-permission-error-page ... Provide translated error message for permission error	2018-02-26 17:50:21 +01:00
Morris Jobke	cf35c4b03a	Provide translated error message for permission error ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-02-26 17:00:29 +01:00
Roeland Jago Douma	0ee45d3d20	Fix proper types ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-02-22 15:51:19 +01:00
Roeland Jago Douma	ca9f364fd4	Fix tests ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-02-21 10:55:52 +01:00
Roeland Jago Douma	7405dfb544	Update tests ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-01-29 14:37:18 +01:00
Joas Schilling	bf2be08c9f	Fix risky tests without assertions ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2018-01-25 11:33:25 +01:00
Joas Schilling	870023365c	Fix "Undefined method setExpectedException()" ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2018-01-24 18:10:16 +01:00
Morris Jobke	2a38605545	Properly log the full exception instead of only the message ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-01-23 10:57:21 +01:00
Morris Jobke	c70927eaa0	Remove not needed 3rdparty app disabling during upgrade for PHP 5.x ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-01-19 14:00:27 +01:00
Joas Schilling	7bc9a69c3f	Remove deprecated core API ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2018-01-15 17:54:50 +01:00
Roeland Jago Douma	57050146f6	Move passwordconfirmation to its own midleware ... Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-01-02 21:58:14 +01:00
Bjoern Schiessle	1bcbeb24bc	disable password confirmation with SSO ... Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	2018-01-02 20:30:37 +01:00
Bjoern Schiessle	f0202245ee	allow 'Nextcloud' in the user agent string of Android ... Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	2017-12-12 12:16:01 +01:00
Roeland Jago Douma	b88db3a389	Merge pull request #6921 from nextcloud/appmanager-securitymiddleware ... Use proper DI for security middleware for app enabled check	2017-10-24 19:58:24 +02:00
Morris Jobke	43e498844e	Use ::class in test mocks ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-10-24 17:45:32 +02:00
Morris Jobke	ce0c45a4ea	Use proper DI for security middleware for app enabled check ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-10-24 15:36:28 +02:00
Roeland Jago Douma	c257cd57d4	Handle SameSiteCookie check for index.php in AppFramework Middleware ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-09-24 21:07:16 +02:00
Thomas Citharel	ecf347bd1a	Add CSP frame-ancestors support ... Didn't set the @since annotation yet. Signed-off-by: Thomas Citharel <tcit@tcit.fr>	2017-09-15 15:23:10 +02:00
Lukas Reschke	f93a82b8b0	Remove explicit type hints for Controller ... This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-08-01 17:32:03 +02:00
Morris Jobke	84c22fdeef	Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call ... Add metadata to \OCP\AppFramework\Http\Response::throttle	2017-08-01 14:43:47 +02:00
Roeland Jago Douma	f71dc7523f	Fix tests ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-07-31 16:54:19 +02:00
Roeland Jago Douma	3548603a88	Fix middleware implementations signatures ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-07-31 16:54:19 +02:00
Lukas Reschke	f22ab3e665	Add metadata to \OCP\AppFramework\Http\Response::throttle ... Fixes https://github.com/nextcloud/server/issues/5891 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-07-27 14:17:45 +02:00
Roeland Jago Douma	0b495ceff8	Remove deprecated Controller Functions ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-07-20 11:03:12 +02:00
Lukas Reschke	8149945a91	Make BruteForceProtection annotation more clever ... This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-04-13 23:05:33 +02:00
Lukas Reschke	31ae39c569	Add tests for multiple parameters ... Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-04-13 12:00:18 +02:00
Lukas Reschke	a1ae5275f9	Move to dedicated MiddleWare ... Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-04-13 12:00:17 +02:00
Lukas Reschke	66835476b5	Add support for ratelimiting via annotations ... This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-04-13 12:00:16 +02:00
Roeland Jago Douma	2a9192334e	Don't try to parse empty body if there is no body ... Fixes #3890 If we do a put request without a body the current code still tries to read the body. This patch makes sure that we do not try to read the body if the content length is 0. See RFC 2616 Section 4.3 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-04-04 08:22:33 +02:00
Morris Jobke	f9bc53146d	Fix unit tests ... Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-03-28 21:00:12 -06:00
Roeland Jago Douma	21641302a9	Add DI intergration tests ... * Moved some interface definitions to Server.php (more to come) * Build/Query only for existing classes in the AppContainer * Build/Query only for classes of the App in the AppContainer * Offload other stuff to the servercontainer Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-03-21 08:52:20 +01:00
Roeland Jago Douma	7cece61ff6	Extend DI tests ... Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-03-21 08:52:20 +01:00
Lukas Reschke	5f8f29508f	Adjust tests to include base-uri ... Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-03-16 18:12:10 +01:00
Lukas Reschke	adfd1e63f6	Add base-uri to CSP policy ... As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-03-16 15:16:20 +01:00
Robin Appelman	9a8cef965f	add test for skipping cookie checks for ocs ... Signed-off-by: Robin Appelman <robin@icewind.nl>	2017-03-10 14:11:00 +01:00
Christoph Wurst	5e728d0eda	oc_token should be nc_token ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2017-02-02 21:56:44 +01:00
Bjoern Schiessle	0271ae3b46	add some unit tests ... Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	2017-01-18 15:25:16 +01:00
Christoph Wurst	45c6301772	fix controller test ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2017-01-10 11:54:45 +01:00
Christoph Wurst	e3815b382d	fix data response test expected cache headers ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2017-01-10 10:13:08 +01:00
Christoph Wurst	fe6416072d	set 'no-store' cache header if we do not want FF to cache ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2017-01-09 21:29:59 +01:00
Morris Jobke	d86b29b42b	Merge pull request #2066 from nextcloud/fix-redirect-double-encoding ... do not double encode the redirect url	2016-11-29 17:21:43 +01:00
Lukas Reschke	a05b8b7953	Harden cookies more appropriate ... This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening. See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications. Fixes https://github.com/nextcloud/server/issues/1412 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2016-11-23 12:53:44 +01:00
Morris Jobke	332eaec4c0	Merge pull request #1447 from nextcloud/password-confirmation-for-some-actions ... Password confirmation for some actions	2016-11-18 15:42:30 +01:00
Joas Schilling	b2d9c20aac	Fix unit tests ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2016-11-18 12:10:51 +01:00
Robin Appelman	e4d1cf0f6d	add tests for http/output ... Signed-off-by: Robin Appelman <robin@icewind.nl>	2016-11-16 15:30:37 +01:00
Christoph Wurst	0ebffa4a5f	do not double encode the redirect url ... Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2016-11-09 16:14:46 +01:00
Joas Schilling	c20ab0049f	Identify Chromium as Chrome ... Signed-off-by: Joas Schilling <coding@schilljs.com>	2016-10-26 12:07:10 +02:00