5981b7eb51
chore: apply new CSFixer rules
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
# Conflicts:
# apps/settings/lib/SetupChecks/PhpOpcacheSetup.php
2025-07-01 16:26:50 +07:00
095ab4419e
fix(l10n): Improve english source strings
...
- No leading/trailing whitespace
- Use asci single quote
Signed-off-by: Joas Schilling <coding@schilljs.com>
2025-02-26 09:54:32 +07:00
8b60df1600
perf: delay getting (sub)admin status for user in the security middleware untill we need it
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2024-08-23 15:26:40 +07:00
047479ccf9
feat(security): Add public API to allow validating IP Ranges and checking for "in range"
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2024-07-19 16:28:03 +07:00
202e5b1e95
feat(security): restrict admin actions to IP ranges
...
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2024-07-19 16:28:03 +07:00
b7af6ec200
feat: allow for ExApps to call Admin endpoints marked with specific attr
...
Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
2024-07-18 15:11:39 +07:00
e5dcdfb9e0
feat(Security): Warn about using annotations instead of attributes
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-18 11:25:32 +07:00
5aefdc399e
feat(AppFramework): Add ExAppRequired attribute
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-01 14:41:20 +07:00
dae7c159f7
chore: Add SPDX header
...
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-24 13:11:22 +07:00
839ddaa354
feat: rename users to account or person
...
Replace translated text in most locations
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2024-02-13 21:06:30 +07:00
aa5f037af7
chore: apply changes from Nextcloud coding standards 1.1.1
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2023-11-23 10:36:13 +07:00
12f8543815
Rewrite OCS CSRF check to be readable
...
Signed-off-by: jld3103 <jld3103yt@gmail.com>
2023-08-16 15:52:36 +07:00
e7cc7653b8
Refactors "strpos" calls in lib/private to improve code readability.
...
Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
2023-05-15 15:17:19 +07:00
ecb8b55c5c
feat(security): Add PHP \Attribute for remaining security annotations
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-04-25 14:50:32 +07:00
f5c361cf44
composer run cs:fix
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2023-01-20 11:45:08 +07:00
80388663af
Add direct arg to login flow
...
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Co-Authored-by: Carl Schwan <carl@carlschwan.eu>
2022-03-28 10:28:45 +07:00
61dd1d3d97
Pass username prefill through unauthenticated request redirects
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2021-12-29 11:52:31 +07:00
6958d8005a
Add admin privilege delegation for admin settings
...
This makes it possible for selected groups to access some settings
pages.
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2021-09-29 21:43:31 +07:00
215aef3cbd
Update php licenses
...
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2021-06-04 22:02:41 +07:00
56ae87c281
Less ILogger
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2021-04-27 14:34:32 +07:00
2a054e6c04
Update the license headers for Nextcloud 20
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-08-24 14:54:25 +07:00
e70249e089
Update SecurityMiddleware.php
...
OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header.
in other areas OC::$WEBROOT is always used together with an /
2020-07-06 21:34:46 +07:00
caff1023ea
Format control structures, classes, methods and function
...
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +07:00
2fbad1ed72
Fix (array) indent style to always use one tab
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 10:16:08 +07:00
d445f9b9fe
Fix loaded controller check
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-01-21 16:35:10 +07:00
5bf3d1bb38
Update license headers
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +07:00
68748d4f85
Some php-cs fixes
...
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +07:00
6ad54f3f27
Merge pull request #17850 from nextcloud/bugfix/noid/mark-spreed-as-active-on-call-urls
...
Mark "Talk" active on /call/token URLs
2019-11-20 10:33:45 +07:00
9055f46351
Make phan happy ;)
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-11-19 16:16:26 +07:00
0a1937208f
Fixes a 500 without userid
...
plus cleanup of unused use statements
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-11-16 01:10:19 +07:00
15f00f0126
Mark "Talk" active on /call/token URLs
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2019-11-12 21:39:20 +07:00
37a4282c7a
Split up security middleware
...
With upcoming work for the feature policy header. Splitting this in
smaller classes that just do 1 thing makes sense.
I rather have a few small classes that are tiny and do 1 thing right
(and we all understand what is going on) than have big ones.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-27 16:11:45 +07:00
22ae682823
Make it possible to show admin settings for sub admins
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-05-23 20:31:40 +07:00
8c1e75e052
Do not use file as template parameter
...
Using file will overwrite the $file parameter in the template base.
Leading to trying to include a file that is the exception message. Which
will of course fail.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-08-09 16:45:25 +07:00
38a90130ce
move log constants to ILogger
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-04-26 10:45:52 +07:00
3ad7daeda5
Add tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-08 11:05:18 +07:00
340e8ef16c
Make SecurityMiddleware strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-08 10:11:47 +07:00
7da0812186
Do not throw AppNotEnabledException for app public pages - refs #6962 , refs #5309
...
It allows non-logged user to access public pages of applications restricted to a group
Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
2018-02-28 20:35:53 +07:00
cf35c4b03a
Provide translated error message for permission error
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-26 17:00:29 +07:00
c0adfa4375
Don't perform CSRF check on OCS routes with Bearer auth
...
Fixes #5694
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-29 14:37:18 +07:00
2a38605545
Properly log the full exception instead of only the message
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-23 10:57:21 +07:00
57050146f6
Move passwordconfirmation to its own midleware
...
Add tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-02 21:58:14 +07:00
1bcbeb24bc
disable password confirmation with SSO
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-01-02 20:30:37 +07:00
0eebff152a
Update license headers
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +07:00
ce0c45a4ea
Use proper DI for security middleware for app enabled check
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-10-24 15:36:28 +07:00
f93a82b8b0
Remove explicit type hints for Controller
...
This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 17:32:03 +07:00
3548603a88
Fix middleware implementations signatures
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-31 16:54:19 +07:00
72c1b24844
Check whether the $_SERVER['REQUEST_*'] vars exist before using them
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-15 14:33:27 +07:00
8149945a91
Make BruteForceProtection annotation more clever
...
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.
Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 23:05:33 +07:00
a1ae5275f9
Move to dedicated MiddleWare
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:17 +07:00
Ferdinand Thiessen
Joas Schilling
Robin Appelman
Benjamin Gaussorgues
Alexander Piskun
provokateurin
Andy Scherzinger
Vincent Petry
jld3103
Faraz Samapoor
Côme Chilliet
Julius Härtl
Carl Schwan
John Molakvoæ (skjnldsv)
Christoph Wurst
Holger Hees
Roeland Jago Douma
Joas Schilling
Daniel Kesselberg
Arthur Schiwon
Julien Veyssier
Morris Jobke
Bjoern Schiessle
Lukas Reschke