61d687631b
chore(ExternalShareMenuAction): Remove unused legacy properties
...
Keep them in the constructor to not break the API,
but they are not used anymore.
This way of adding a share was deprecated in Nextcloud 12 (2016!),
in favor of the federated share API, in Nextcloud 28 this way to create a share was removed.
So we can cleanup as all it takes now to create a federeated share is the share token + federated user ID.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-09-03 16:07:50 +07:00
4d2556d4cf
refactor(IMenuAction): Make public menu actions use the new Vue UI
...
This removes custom rendering code an replaces it with the declarative menu actions.
Also adjust the template to allow the Vue UI to mount.
Custom entries still are possible.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-09-03 16:07:49 +07:00
af6de04e9e
style: update codestyle for coding-standard 1.2.3
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2024-08-25 19:34:58 +07:00
009761be58
test: Adjust tests for CSP nonce
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-08-13 10:06:32 +07:00
86f01a3358
fix: Make sure CSP nonce is not double base64 encoded
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-08-13 09:52:33 +07:00
8bbd326143
feat: Allow passing additional encode flags for json response
...
Signed-off-by: Christopher Ng <chrng8@gmail.com>
2024-08-01 09:14:44 +07:00
b859260423
feat: Increase max depth of encoded json
...
Signed-off-by: Christopher Ng <chrng8@gmail.com>
2024-08-01 09:14:44 +07:00
b7af6ec200
feat: allow for ExApps to call Admin endpoints marked with specific attr
...
Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
2024-07-18 15:11:39 +07:00
a65cdd1e70
fix: ARateLimit documentation
...
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2024-07-12 20:14:30 +07:00
355ef202e4
feat(OpenAPI): Add ex_app scope
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-02 09:12:48 +07:00
5aefdc399e
feat(AppFramework): Add ExAppRequired attribute
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-01 14:41:20 +07:00
dae7c159f7
chore: Add SPDX header
...
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-24 13:11:22 +07:00
db77eab677
fix(AppFramework): Fix error message about 204 not allowing custom headers
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-04-08 16:08:44 +07:00
ec5133b739
fix: Apply new coding standard to all files
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2024-04-02 14:16:21 +07:00
78ba1b0712
fix: Allow nonce in csp header also if no other reasons are given
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2024-03-08 12:11:46 +07:00
df6175ccb1
feat(AppFramework): Add Route attribute
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-02-21 12:07:50 +07:00
f6b6776c93
fix(API): Use a distinct exception so apps can react to it and customize the return
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-11-28 06:11:57 +07:00
aa5f037af7
chore: apply changes from Nextcloud coding standards 1.1.1
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2023-11-23 10:36:13 +07:00
ecf9f0a872
fix(CSP): Only add `strict-dynamic` when using nonces
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2023-11-17 22:01:02 +07:00
e231abd9bf
fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem`
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2023-11-17 14:42:36 +07:00
7df9eb3351
feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only
...
This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`.
The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2023-11-17 11:12:57 +07:00
ffc1bb774b
feat(openapi): Add OpenAPI attribute to allow multiple scopes and overwriting tags
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-11-03 09:25:11 +07:00
066f6ef16c
Stop sending deprecated Pragma header
...
Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
2023-08-28 15:11:22 +07:00
ccf57e0715
add separate event for rendering login page template
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2023-08-17 10:57:56 +07:00
41f2d912d2
Allow "wasm-unsafe-eval" in CSP
...
If a page has a Content Security Policy header and the `script-src` (or
`default-src`) directive does not contain neither `wasm-unsafe-eval` nor
`unsafe-eval` loading and executing WebAssembly is blocked in the page
(although it is still possible to load and execute WebAssembly in a
worker thread).
Although the Nextcloud classes to manage the CSP already supported
allowing `unsafe-eval` this affects not only WebAssembly, but also the
`eval` operation in JavaScript.
To make possible to allow WebAssembly execution without allowing
JavaScript `eval` this commit adds support for allowing
`wasm-unsafe-eval`.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
2023-08-10 02:38:41 +07:00
1b387bb341
fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-07-27 09:57:52 +07:00
2d6a62ccee
Add IgnoreOpenAPI attribute
...
Signed-off-by: jld3103 <jld3103yt@gmail.com>
2023-07-10 14:25:22 +07:00
14719110b9
chore: Replace \OC::$server->query with \OCP\Server::get in /lib
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-07-06 15:21:22 +07:00
b0001c6010
Add template types to responses
...
Signed-off-by: jld3103 <jld3103yt@gmail.com>
2023-06-30 09:33:29 +07:00
08a3f37695
chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-06-12 10:03:59 +07:00
5b5895a130
Drop meta robots tag
...
Revert mistake
Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
2023-06-09 18:06:37 +07:00
5b2d5767e1
fix(docs): Fix language and copy-paste class name in docs of CSP
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-05-30 13:39:33 +07:00
ecb8b55c5c
feat(security): Add PHP \Attribute for remaining security annotations
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-04-25 14:50:32 +07:00
89c3c31402
feat(ratelimit): Add Attributes support to rate limit middleware
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-04-24 12:24:48 +07:00
e839eb9b5c
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-03-08 12:09:22 +07:00
5f90b8eb11
Change X-Robots-Tag header from "none" to "noindex, nofollow"
...
While "none" is indeed equivalent to "noindex, nofollow" for Google, but seems to be not supported by Bing and probably other search engines.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names
https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list
https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240
Signed-off-by: MichaIng <micha@dietpi.com>
2023-02-15 20:16:51 +07:00
20e00cdf17
feat(app-framework): Add UseSession attribute to replace annotation
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-01-27 09:40:35 +07:00
f5c361cf44
composer run cs:fix
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2023-01-20 11:45:08 +07:00
82b98b4b9b
Fix typo in deprecated
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-10-04 11:42:24 +07:00
c55ae98a3f
Add description for public and immutable
...
Co-authored-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Daniel <mail@danielkesselberg.de>
2022-09-03 15:58:18 +07:00
855ef21883
Update docblock for cacheFor
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2022-09-03 15:28:23 +07:00
df89e7fd39
Merge pull request #32485 from nextcloud/debt/noid/psalm-streamer-fh
...
[Psalm] Fix docblock for addFileFromStream
2022-05-31 14:22:05 +07:00
3901a93c72
Use JSON_THROW_ON_ERROR instead of custom error handling
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-05-30 19:17:49 +07:00
be99ea969e
Fix type for resource
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2022-05-24 22:05:59 +07:00
ad908cd87a
Make appName of TemplateResponse accessible in BeforeTemplateRenderedEvent
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-05-20 15:03:40 +07:00
7cd356ee7d
Fix psalm warning for zip response due wrong type
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2022-05-13 15:50:26 +07:00
18c013d8fc
Add CSP policy merge priority for booleans
...
When two booleans conflict when merging CSP policies, true will win.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2022-04-01 13:56:34 +07:00
bd03dd37be
Allow to set a strict-dynamic CSP through the API
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-03-09 15:10:27 +07:00
7dddbd0c35
Improve caching policy
...
* Cache css with version in url. This makes most js and css requests to
be cached by the browser
* Force caching previews, the etag is in the url so that if the propfind
gives a new etag, we will refresh it otherwise it's no use to try to
fetch the new etag and do tons of DB queries
Tested with firefox and 'debug' => false (important so that the js/css
urls are generated with ?v= parameter)
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-02-16 11:35:57 +07:00
c712987878
send request id in response header
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2022-02-01 14:24:01 +07:00
Ferdinand Thiessen
Daniel Kesselberg
Christopher Ng
Alexander Piskun
skjnldsv
provokateurin
Andy Scherzinger
Côme Chilliet
Julius Härtl
Joas Schilling
Git'Fellow
Robin Appelman
Daniel Calviño Sánchez
jld3103
Christoph Wurst
MichaIng
blizzz
Vincent Petry
Carl Schwan