Usually Nextcloud DI goes through constructor injection. This has the
implication that each instance of a class builds the full DI tree. That
is the injected services, their services, etc. Occasionally there is a
service that is only needed for one controller method. Then the DI tree
is build regardless if used or not.
If services are injected into the method, we only build the DI tree if
that method gets executed.
This is also how Laravel allows injection.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
If CSRF fails but the user is logged in that they probably logged in in
another tab. This is fine. We can just redirect.
If CSRF fails and the user is also not logged in then something is
fishy. E.g. because Nextcloud contantly regenrates the session and the
CSRF token and the user is stuck in an endless login loop.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
In case they want to not allow this because they use SSO (and do not
want the users to enter their credentials there by accident).
?direct=1 still works.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This can happen when the session was killed due to a timeout. Then
logout was triggered. Nobody wants to login only to be logged out again.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Otherwise we keep on using it with leading or trailing whitespaces for
app tokens and other logic. The reason this doesn't throw an error
immediately with local users is that (My)SQL compares strings regardless
of their padding by default. So we look up 'uid ' and get the row for
the user 'uid'.
Other back-ends will lead to a hard error, though, and the user is
unable to log out as all request fail.
Ref https://stackoverflow.com/a/10495807/2239067
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Fixes#12568
Since the clearing of the execution context causes another reload. We
should not do the redirect_uri handling as this results in redirecting
back to the logout page on login.
This adds a simple middleware that will just check if the
ClearExecutionContext session variable is set. If that is the case it
will just redirect back to the login page.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
If the remember_login_cookie_lifetime is set to 0 this means we do not
want to use remember me at all. In that case we should also not creatae
a remember me cookie and should create a proper temp token.
Further this specifies that is not 0 the remember me time should always
be larger than the session timeout. Because else the behavior is not
really defined.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Gaspard d'Hautefeuille
provokateurin
Joas Schilling
Christoph Wurst
Marcel Müller
jld3103
Faraz Samapoor
Git'Fellow
Simon L
Carl Schwan
Christopher Ng
Vitor Mattos
Daniel Rudolf
John Molakvoæ (skjnldsv)
Roeland Jago Douma
dependabot-preview[bot]
Julius Härtl
Roeland Jago Douma
Daniel Kesselberg
Michael Weimann