246da73a36
fix(oauth2): retain support for legacy ownCloud clients
...
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
2025-04-01 11:25:52 +07:00
0179cb4d8d
feat(core): add setup cypress tests
...
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2025-03-13 20:51:00 +07:00
cc12719df5
feat(core): migrate setup to vue
...
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2025-03-13 16:00:18 +07:00
71dc34c03c
fix: Deprecate OC_Template, add proper template manager instead
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2025-03-06 15:49:25 +07:00
c6293204a2
feat: Close sessions created for login flow v2
...
Sessions created during the login flow v2 should be short lived to not leave an unexpected opened session in the browser.
This commit add a property to the session object to track its origin, and will close it as soon as possible, i.e., on the first non public page request.
Signed-off-by: Louis Chemineau <louis@chmn.me>
2025-02-26 13:42:18 +07:00
e757b649b7
fix: Fix psalm taint false-positives by small refactorings
...
Mostly make it clear that we trust admin input or that we correctly
escape strings.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2025-02-17 18:08:23 +07:00
2c13259093
feat(files): add mime icon endpoint
...
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2025-01-22 16:29:36 +07:00
332fa63850
feat: Two Factor API
...
Signed-off-by: SebastianKrupinski <krupinskis05@gmail.com>
2025-01-16 08:31:58 +07:00
24332e2a06
fix(taskprocessing): /tasktypes endpoint was broken by #49015
...
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
2025-01-09 10:06:25 +07:00
f52b4c5eb2
fix: Remove skip of grant page, only skip first step
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2025-01-07 10:34:30 +07:00
e7be008dc1
feat(oauth2): Skip page before login as well for authorized applications
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2025-01-07 10:34:30 +07:00
9b366c65d4
feat(oauth): Allow to skip the grant step for selected applications
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2025-01-07 10:34:30 +07:00
085d4c9364
refactor(OpenAPI): Adjust scopes to match previous behavior
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-01-06 14:30:40 +07:00
d4715c61f2
Merge pull request #49560 from nextcloud/fix/login-origin
...
feat(login): add origin check at login
2024-12-20 14:53:11 +07:00
dd5f560246
fix(ReferenceApiController): Bump rate limit for public resolve endpoint
...
E.g. text documents might contain hundreds of links whose previews need
to get loaded.
Fixes : nextcloud/collectives#1607
Signed-off-by: Jonas <jonas@freesources.org>
2024-12-16 13:01:55 +07:00
22051a73c1
feat(login): add origin check at login
...
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2024-12-05 09:51:53 +07:00
4591430c9c
feat(ocm): signing ocm requests
...
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
2024-12-04 09:30:55 +07:00
3ac14af26b
fix(TaskProcessing): Set up fs in getFileContentsInternal
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-11-26 11:07:20 +07:00
b15fdfd40e
chore(profile): move profile app from core to apps
...
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2024-11-14 10:25:02 +07:00
452e4be4f5
Merge pull request #46222 from nextcloud/fix/task-processing-api-controller/dont-use-plus
2024-11-06 09:02:23 +07:00
77114fb327
fix(OpenAPI): Adjust array syntax to avoid ambiguities
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-11-05 09:58:11 +07:00
c84c256261
fix: Adjust preview for view-only shares
...
Previously there was a different behavior for public shares (link-shares) and internal shares,
if the user disabled the view permission.
The legacy UI for public shares simply "disabled" the context menu and hided all download actions.
With Nextcloud 31 all share types use the consistent permissions attributes,
which simplifies code, but caused a regression: Images can no longer been viewed.
Because on 30 and before the attribute was not set, previews for view-only files
were still allowed. Now with 31 we need a new way to allow "viewing" shares.
So this is allowing previews for those files, but only for internal usage.
This is done by settin a special header, which only works with custom requests,
and not by opening the URL directly.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-10-28 15:52:27 +07:00
bb598c8451
chore(deps): Bump nextcloud/coding-standard in /vendor-bin/cs-fixer
...
Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard ) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/nextcloud/coding-standard/releases )
- [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md )
- [Commits](https://github.com/nextcloud/coding-standard/compare/v1.3.1...v1.3.2 )
---
updated-dependencies:
- dependency-name: nextcloud/coding-standard
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-10-19 07:57:35 +07:00
606241caeb
chore(legacy): Introduce public version ct plass and drop version methods from OC_Util
...
Signed-off-by: Julius Knorr <jus@bitgrid.net>
2024-09-20 14:53:34 +07:00
9836e9b164
chore(deps): Update nextcloud/coding-standard to v1.3.1
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-09-19 14:21:20 +07:00
8af7ecb257
chore: adjust code to adhere to coding standard
...
Signed-off-by: Anna Larch <anna@nextcloud.com>
2024-09-05 21:23:38 +07:00
af6de04e9e
style: update codestyle for coding-standard 1.2.3
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2024-08-25 19:34:58 +07:00
e77d6c913d
fix(core): Limit valid avatar sizes
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-08-14 09:29:30 +07:00
1aa29441e3
fix: Add direct parameter to flow auth v2
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2024-08-05 12:13:52 +07:00
a6d421e767
chore: Remove deprecated legacy search backend
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2024-08-01 12:33:18 +07:00
bc5c0262af
refactor(core): Make all attribute arguments named
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-27 22:36:18 +07:00
c57c3c1573
refactor(core): Replace security annotations with respective attributes
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-26 07:30:45 +07:00
a9b77c3d12
Merge pull request #46761 from nextcloud/fix/core/document-csrf-token-endpoint
2024-07-26 07:13:26 +07:00
4f2a29adf9
Merge pull request #46672 from nextcloud/fix/preview-invalid-id
...
Avoid using partial file info as valid one
2024-07-25 19:37:30 +07:00
90e108e548
fix(core): Document CSRF token endpoint
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-25 18:04:46 +07:00
060fb26686
fix(taskprocessing): run cs:fix
...
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
2024-07-25 10:10:32 +07:00
799ee8fd51
feat(TaskProcessing): Implement enums and default values
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-07-25 10:10:31 +07:00
6c1e896a03
fix: Ignore preview requests for invalid file ids
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2024-07-22 22:32:34 +07:00
fffc784769
feat(taskprocessing): add support for webhooks (http or AppAPI) in the task processing API
...
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
2024-07-22 11:34:29 +07:00
9716b0d735
refactor: Migrate some legacy and core functions to `IFilenameValidator`
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-07-19 19:41:46 +07:00
a3c3eab09c
Merge pull request #46368 from nextcloud/fix/task-processing
...
TaskProcessing follow-up
2024-07-19 12:38:30 +07:00
9fe4edca2c
fix(ReferenceApiController): Remove accidently added AnonRateLimit
...
Signed-off-by: Jonas <jonas@freesources.org>
2024-07-17 15:38:09 +07:00
0d07ad98b0
fix(TaskProcessing): Update openapi specs
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-07-17 13:55:55 +07:00
eb0b5f29fb
fix(TaskProcessingApiController): Address review comments
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-07-17 13:55:55 +07:00
4ac1ac673e
fix: psalm errors
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-07-17 13:55:55 +07:00
4ac7f8275b
feat(TaskProcessing): Allow setting task results for file slots
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-07-17 13:55:55 +07:00
1671bf3ef2
feat(Reference): Add public API endpoints to get references
...
Calling the public API endpoints will check for matching registered
reference providers that implement `IPublicReferenceProvider` and call
their respective functions. If no matching provider is found, the
default `LinkReferenceProvider` will be used to provide open graph data.
The frontend reference widget components will call these endpoints from
unauthorized sessions, e.g. in public shares.
If present, the sharing token of the origin URL is passed to
`resolveReferencePublic()` as additional information for the reference
provider to determine the access scope. This allows the respective
reference providers to determine whether the origin share has access to
the linked resource.
`getCacheKeyPublic` also gets the sharing token so it can scope the cached
entry to it.
Contributes to #45978
Signed-off-by: Jonas <jonas@freesources.org>
2024-07-17 12:56:41 +07:00
2d84d0f5bf
fix(core): use OC namespace for core ReponseDefinitions instead of OCA
...
Signed-off-by: Julien CHATY-CAPELLE <julien@chaty-capelle.fr>
2024-07-15 11:50:02 +07:00
a229723b8c
feat: Add new forbidden filename options to Capabilities
...
Allow clients to access the new filename validation options
and make frontend name validation possible.
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: Kate <26026535+provokateurin@users.noreply.github.com>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-07-11 13:31:54 +07:00
e5275dbada
feat: don't count failed CSRF as failed login attempt
...
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2024-07-11 09:27:33 +07:00
224779c33f
fix(TaskProcessingApiController): Don't use + to merge non-assoc. arrays
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-07-01 18:46:59 +07:00
f5ff8136ac
feat(TaskProcessingApi): Add endpoint for getting the next task
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-01 17:11:12 +07:00
e5a6698ec0
Merge pull request #45811 from nextcloud/add-test-for-profile-page-controller
...
test: add tests for ProfilePageController
2024-06-12 14:49:03 +07:00
98eb190e04
test: add tests for ProfilePageController
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2024-06-12 11:46:12 +07:00
c8e767878d
fix(core): Return X-NC-IsCustomAvatar for guest avatars too
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-06-12 10:27:29 +07:00
8bed23288b
fix(files_sharing): dark avatar support
...
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2024-06-12 10:27:29 +07:00
fb11672df6
fix(core): allow guest avatar fallback
...
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2024-06-12 10:27:29 +07:00
98b5cdc43d
Merge pull request #43942 from nextcloud/fix/43612/avoid-pwd-confirm-sso
...
fix(Session): avoid password confirmation on SSO
2024-06-07 11:25:36 +07:00
340939e688
fix(Session): avoid password confirmation on SSO
...
SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends where used as user repositories.
Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2024-06-05 19:01:13 +07:00
fc3ee65526
fix(core): unsupported browser redirect url
...
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2024-06-01 09:34:22 +07:00
e07a190641
chore: Add SPDX header
...
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-27 14:53:40 +07:00
7bc4ccba6a
Merge pull request #45354 from nextcloud/docs/taskprocessingapi/cleanup-endpoint-descriptions
2024-05-16 20:09:06 +07:00
a8abe9d3c2
fix(TaskProcessingApi): Cleanup error handling
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-05-16 15:17:10 +07:00
4c375c98a4
docs(TaskProcessingApi): Set correct status code messages
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-05-16 14:57:34 +07:00
eabbb73173
docs(TaskProcessingApi): Cleanup endpoint descriptions
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-05-16 12:43:39 +07:00
79e153735c
docs(TaskProcessingApi): Fix result endpoint description
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-05-16 12:43:22 +07:00
ef1c32a222
Merge pull request #45317 from nextcloud/bugfix/noid/limit-maximum-number-of-search-results
...
fix(search): Limit maximum number of search results
2024-05-16 10:10:09 +07:00
f3e72aff7c
Merge pull request #45094 from nextcloud/enh/taskprocessing-api
...
feat: TaskProcessing API
2024-05-15 11:43:08 +07:00
2bd54d30e5
fix(search): Limit maximum number of search results
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2024-05-15 09:48:23 +07:00
a8afa7f23d
fix(OCS-API): Add endpoint to list user tasks
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:41 +07:00
f3a88f04ec
fix(OCS-API): No csrf required for /tasks/taskId/file/fileId
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:41 +07:00
ec94a672d7
fix(ocs): change /tasktypes response to combine optional and non-optional IO slots
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:41 +07:00
c079a61181
feat: Add cancel endpoint to OCS API
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:41 +07:00
4d9a0eab5f
fix: update openai specs
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:41 +07:00
4a3b9b826e
refactor: identifier is now customId/custom_id
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:41 +07:00
ec27c538b5
fix: address review comments
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:41 +07:00
2c878099f1
fix: address review comments
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:40 +07:00
b85a0edc92
fix: Update autoloaders
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:40 +07:00
a5053d33c2
fix: Run cs:fix
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:40 +07:00
8ccb29ae3b
fix: psalm issues
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:40 +07:00
6203c1c7da
fix: Check if user is authorized to use the files they mentioned
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:40 +07:00
b150d779f3
refactor: rename getTaskType to getTaskTypeId
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:40 +07:00
8e5662602a
feat: Add ExApp endpoints
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:39 +07:00
7a947980db
fix: Fix psalm issues
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:39 +07:00
3b0925a064
chore: Regenerate openapi.json
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:39 +07:00
29cbb3cf71
chore: Run cs:fix
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:39 +07:00
b2b93e4219
feat: Add getFileContents endpoint to TaskProcessing OCS API
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:39 +07:00
44b896f999
feat: TaskProcessing OCS API
...
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
2024-05-14 11:38:39 +07:00
dd997b6ac7
docs(preview): Improve API parameter descriptions
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-05-13 12:47:24 +07:00
22dc27810e
fix(auth): Keep redirect URL during 2FA setup and challenge
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2024-04-19 10:24:26 +07:00
ec5133b739
fix: Apply new coding standard to all files
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2024-04-02 14:16:21 +07:00
3fede00732
feat(login): Clear login form (password) after IDLE timeout
...
For security reasons it is recommended to stop the login process at a defined time,
this could prevent password leaks by e.g. user forgetting that they entered their password on public devices.
Enforced e.g. by the BSI ORP.4.A13 rule.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-03-25 12:22:53 +07:00
2792d8b3f5
feat: Limit email input on auth pages to 255 chars
...
Excessively long emails reported make server unresponsive.
We could at some point, consider adding a configuration for sysadmins to bypass this setting
on their instance if they want.
Signed-off-by: fenn-cs <fenn25.fn@gmail.com>
2024-03-21 10:34:55 +07:00
0de6cc7472
feat: added login's initial possible email-states
...
Signed-off-by: Eduardo Morales <emoral435@gmail.com>
2024-03-10 10:32:21 +07:00
fd4ca13867
Merge pull request #43471 from nextcloud/cache-path-by-id
...
Cache path by id
2024-03-05 17:26:25 +07:00
c7813bfdaf
feat: Implement team provider api
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2024-03-05 08:13:58 +07:00
e7a7b4a401
perf: switch places that always use the first getById result to getFirstNodeById
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2024-03-04 13:57:31 +07:00
2c51933b6b
refactor(core): Switch to attribute based routing
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-02-21 12:07:50 +07:00
6243a9471d
feat(core): Add OCS endpoint for confirming the user password
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-02-20 14:28:00 +07:00
d95e500e45
feat(core): Expose the confirm password endpoint
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-02-20 08:04:13 +07:00
Richard Steinmetz
skjnldsv
Côme Chilliet
Louis Chemineau
SebastianKrupinski
Julien Veyssier
provokateurin
Stephan Orbaugh
Jonas
Benjamin Gaussorgues
Maxence Lange
Marcel Klehr
John Molakvoæ
Ferdinand Thiessen
dependabot[bot]
Julius Knorr
Anna Larch
Daniel Kesselberg
Kate
Andy Scherzinger
Julien CHATY-CAPELLE
Arthur Schiwon
Joas Schilling
Joas Schilling
Christoph Wurst
fenn-cs
Eduardo Morales
Robin Appelman