nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Ferdinand Thiessen	f655f83c84	fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>	2023-02-16 22:55:18 +07:00
Côme Chilliet	f5c361cf44	composer run cs:fix Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-01-20 11:45:08 +07:00
Jonas Rittershofer	c8b7a233a5	Allow CSRF on CORS routes Co-authored-by: Julius Härtl <jus@bitgrid.net> Co-authored-by: Andreas Brinner <andreas@everlanes.net> Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>	2022-09-21 10:42:00 +07:00
Carl Schwan	b70c6a128f	Update core to PHP 7.4 standard - Typed properties - Port to LoggerInterface Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-05-20 22:18:06 +07:00
Vincent Petry	80388663af	Add direct arg to login flow Signed-off-by: Vincent Petry <vincent@nextcloud.com> Co-Authored-by: Carl Schwan <carl@carlschwan.eu>	2022-03-28 10:28:45 +07:00
Carl Schwan	6312c0df69	Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-01-13 00:19:07 +07:00
Julius Härtl	61dd1d3d97	Pass username prefill through unauthenticated request redirects Signed-off-by: Julius Härtl <jus@bitgrid.net>	2021-12-29 11:52:31 +07:00
Carl Schwan	6958d8005a	Add admin privilege delegation for admin settings This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2021-09-29 21:43:31 +07:00
John Molakvoæ (skjnldsv)	215aef3cbd	Update php licenses Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	2021-06-04 22:02:41 +07:00
korelstar	b38e8678e4	fix error when using CORS with no auth credentials	2021-05-18 07:11:10 +07:00
Christoph Wurst	99f0b10421	Merge pull request #26591 from nextcloud/techdebt/noid/less-ilogger Less ILogger	2021-04-27 15:38:12 +07:00
Joas Schilling	56ae87c281	Less ILogger Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-04-27 14:34:32 +07:00
Joas Schilling	174f4dd043	Fix ratelimit template Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-04-27 13:55:34 +07:00
Christoph Wurst	d9015a8c94	Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-10-05 20:25:24 +07:00
Christoph Wurst	2a054e6c04	Update the license headers for Nextcloud 20 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-08-24 14:54:25 +07:00
Joas Schilling	35a8519591	Fix CS Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +07:00
Joas Schilling	e66bc4a8a7	Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:35 +07:00
Holger Hees	e70249e089	Update SecurityMiddleware.php OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header. in other areas OC::$WEBROOT is always used together with an /	2020-07-06 21:34:46 +07:00
Christoph Wurst	cb057829f7	Update license headers for 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-29 11:57:22 +07:00
Christoph Wurst	caff1023ea	Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 14:19:56 +07:00
Christoph Wurst	afbd9c4e6e	Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 13:54:22 +07:00
Christoph Wurst	2fbad1ed72	Fix (array) indent style to always use one tab Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 10:16:08 +07:00
Christoph Wurst	74936c49ea	Remove unused imports Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-25 22:08:08 +07:00
Joas Schilling	d445f9b9fe	Fix loaded controller check Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-01-21 16:35:10 +07:00
Christoph Wurst	5bf3d1bb38	Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2019-12-05 15:38:45 +07:00
Roeland Jago Douma	68748d4f85	Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-11-22 20:52:10 +07:00
Joas Schilling	6ad54f3f27	Merge pull request #17850 from nextcloud/bugfix/noid/mark-spreed-as-active-on-call-urls Mark "Talk" active on /call/token URLs	2019-11-20 10:33:45 +07:00
Daniel Kesselberg	9055f46351	Make phan happy ;) Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2019-11-19 16:16:26 +07:00
Arthur Schiwon	0a1937208f	Fixes a 500 without userid plus cleanup of unused use statements Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2019-11-16 01:10:19 +07:00
Joas Schilling	15f00f0126	Mark "Talk" active on /call/token URLs Signed-off-by: Joas Schilling <coding@schilljs.com>	2019-11-12 21:39:20 +07:00
Roeland Jago Douma	b8c5008acf	Add feature policy header This adds the events and the classes to modify the feature policy. It also adds a default restricted feature policy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-10 14:26:22 +07:00
Roeland Jago Douma	37a4282c7a	Split up security middleware With upcoming work for the feature policy header. Splitting this in smaller classes that just do 1 thing makes sense. I rather have a few small classes that are tiny and do 1 thing right (and we all understand what is going on) than have big ones. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-27 16:11:45 +07:00
Christoph Wurst	22ae682823	Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2019-05-23 20:31:40 +07:00
Roeland Jago Douma	60e5a5eca4	Do not do redirect handling when loggin out Fixes #12568 Since the clearing of the execution context causes another reload. We should not do the redirect_uri handling as this results in redirecting back to the logout page on login. This adds a simple middleware that will just check if the ClearExecutionContext session variable is set. If that is the case it will just redirect back to the login page. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-02-06 11:29:32 +07:00
Roeland Jago Douma	603b672a11	Update password confirmation middleware If the userbackend doesn't allow validating the password for a given uid then there is no need to perform this check. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-11-02 13:44:45 +07:00
Bjoern Schiessle	85d9f06cb8	add global site selector as user back-end which doesn't support password confirmation Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	2018-10-27 15:43:51 +07:00
Roeland Jago Douma	8c1e75e052	Do not use file as template parameter Using file will overwrite the $file parameter in the template base. Leading to trying to include a file that is the exception message. Which will of course fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-08-09 16:45:25 +07:00
Arthur Schiwon	38a90130ce	move log constants to ILogger Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2018-04-26 10:45:52 +07:00
Roeland Jago Douma	3ad7daeda5	Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-03-08 11:05:18 +07:00
Roeland Jago Douma	340e8ef16c	Make SecurityMiddleware strict Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-03-08 10:11:47 +07:00
Julien Veyssier	7da0812186	Do not throw AppNotEnabledException for app public pages - refs #6962 , refs #5309 It allows non-logged user to access public pages of applications restricted to a group Signed-off-by: Julien Veyssier <eneiluj@posteo.net>	2018-02-28 20:35:53 +07:00
Morris Jobke	cf35c4b03a	Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-02-26 17:00:29 +07:00
Morris Jobke	d3d045dd5c	Remove unused import statements Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-02-14 16:55:43 +07:00
Roeland Jago Douma	c0adfa4375	Don't perform CSRF check on OCS routes with Bearer auth Fixes #5694 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-01-29 14:37:18 +07:00
Morris Jobke	2a38605545	Properly log the full exception instead of only the message Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-01-23 10:57:21 +07:00
Roeland Jago Douma	57050146f6	Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-01-02 21:58:14 +07:00
Bjoern Schiessle	1bcbeb24bc	disable password confirmation with SSO Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	2018-01-02 20:30:37 +07:00
Morris Jobke	0eebff152a	Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-11-06 16:56:19 +07:00
Morris Jobke	ce0c45a4ea	Use proper DI for security middleware for app enabled check Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-10-24 15:36:28 +07:00
Roeland Jago Douma	c257cd57d4	Handle SameSiteCookie check for index.php in AppFramework Middleware Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-09-24 21:07:16 +07:00

1 2

81 Commits (00a7478d8df2007697d5caf2e0cb1c298afbb3fd)