1ab09ec753
chore: Apply new coding standard to all files
...
The diff can be checked using: git diff --ignore-all-space --ignore-blank-lines
To see only the changes not related to blank lines.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com >
2026-06-01 13:46:39 +02:00
e21b7d1121
feat: Add generate session token to CsrfTokenManager
...
Signed-off-by: Carl Schwan <carlschwan@kde.org >
2026-05-12 18:24:12 +02:00
279bface8e
refactor: Delete deprecated code from OC_Util
...
Signed-off-by: Carl Schwan <carlschwan@kde.org >
2026-05-12 18:24:12 +02:00
32bc6f54d3
refactor: Replace old Utils::callRegister with new API
...
Signed-off-by: Carl Schwan <carlschwan@kde.org >
2026-05-12 18:24:12 +02:00
e0ba4d71b6
chore: add missing Override attribute to OC
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de >
2026-04-28 21:29:27 +02:00
9b54b06de5
fix(SecurityMiddleware): return header to distinguish error type
...
Currently we return a 403 (Forbidden) when the password confirmation
failed - which itself seems to be inappropriate as its basically a login
failing so a 401 (not authorized) is more appropriate.
This is especially a problem because APIs might return 403 internally
for good reason (e.g. user missing permission) but 401 would not be a
problem.
But as this is a breaking change so my solution to be able to
distinguish API error from password confirmation error is:
Add a header inside the response that marks failed password confirmation
`X-NC-Auth-NotConfirmed`.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de >
2026-03-11 15:11:29 +01:00
65e769a861
refactor: Apply comments
...
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com >
2026-02-06 13:50:46 +01:00
7b6078875b
refactor: Run rector on lib/private
...
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com >
2026-02-06 13:50:18 +01:00
f81475445d
refactor: Move hasAnnotationOrAttribute to MiddlewareUtils
...
Signed-off-by: Carl Schwan <carlschwan@kde.org >
2026-01-28 21:48:16 +01:00
5981b7eb51
chore: apply new CSFixer rules
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de >
# Conflicts:
# apps/settings/lib/SetupChecks/PhpOpcacheSetup.php
2025-07-01 16:26:50 +02:00
095ab4419e
fix(l10n): Improve english source strings
...
- No leading/trailing whitespace
- Use asci single quote
Signed-off-by: Joas Schilling <coding@schilljs.com >
2025-02-26 09:54:32 +01:00
8b60df1600
perf: delay getting (sub)admin status for user in the security middleware untill we need it
...
Signed-off-by: Robin Appelman <robin@icewind.nl >
2024-08-23 15:26:40 +02:00
047479ccf9
feat(security): Add public API to allow validating IP Ranges and checking for "in range"
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com >
2024-07-19 16:28:03 +02:00
202e5b1e95
feat(security): restrict admin actions to IP ranges
...
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com >
2024-07-19 16:28:03 +02:00
b7af6ec200
feat: allow for ExApps to call Admin endpoints marked with specific attr
...
Signed-off-by: Alexander Piskun <bigcat88@icloud.com >
2024-07-18 15:11:39 +03:00
e5dcdfb9e0
feat(Security): Warn about using annotations instead of attributes
...
Signed-off-by: provokateurin <kate@provokateurin.de >
2024-07-18 11:25:32 +02:00
5aefdc399e
feat(AppFramework): Add ExAppRequired attribute
...
Signed-off-by: provokateurin <kate@provokateurin.de >
2024-07-01 14:41:20 +02:00
dae7c159f7
chore: Add SPDX header
...
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de >
2024-05-24 13:11:22 +02:00
839ddaa354
feat: rename users to account or person
...
Replace translated text in most locations
Signed-off-by: Vincent Petry <vincent@nextcloud.com >
2024-02-13 21:06:30 +01:00
aa5f037af7
chore: apply changes from Nextcloud coding standards 1.1.1
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com >
2023-11-23 10:36:13 +01:00
12f8543815
Rewrite OCS CSRF check to be readable
...
Signed-off-by: jld3103 <jld3103yt@gmail.com >
2023-08-16 15:52:36 +02:00
e7cc7653b8
Refactors "strpos" calls in lib/private to improve code readability.
...
Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com >
2023-05-15 15:17:19 +03:30
ecb8b55c5c
feat(security): Add PHP \Attribute for remaining security annotations
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
2023-04-25 14:50:32 +02:00
f5c361cf44
composer run cs:fix
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com >
2023-01-20 11:45:08 +01:00
80388663af
Add direct arg to login flow
...
Signed-off-by: Vincent Petry <vincent@nextcloud.com >
Co-Authored-by: Carl Schwan <carl@carlschwan.eu >
2022-03-28 10:28:45 +02:00
61dd1d3d97
Pass username prefill through unauthenticated request redirects
...
Signed-off-by: Julius Härtl <jus@bitgrid.net >
2021-12-29 11:52:31 +01:00
6958d8005a
Add admin privilege delegation for admin settings
...
This makes it possible for selected groups to access some settings
pages.
Signed-off-by: Carl Schwan <carl@carlschwan.eu >
2021-09-29 21:43:31 +02:00
215aef3cbd
Update php licenses
...
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com >
2021-06-04 22:02:41 +02:00
56ae87c281
Less ILogger
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
2021-04-27 14:34:32 +02:00
2a054e6c04
Update the license headers for Nextcloud 20
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at >
2020-08-24 14:54:25 +02:00
e70249e089
Update SecurityMiddleware.php
...
OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header.
in other areas OC::$WEBROOT is always used together with an /
2020-07-06 21:34:46 +02:00
caff1023ea
Format control structures, classes, methods and function
...
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at >
2020-04-10 14:19:56 +02:00
2fbad1ed72
Fix (array) indent style to always use one tab
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at >
2020-04-09 10:16:08 +02:00
d445f9b9fe
Fix loaded controller check
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
2020-01-21 16:35:10 +01:00
5bf3d1bb38
Update license headers
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at >
2019-12-05 15:38:45 +01:00
68748d4f85
Some php-cs fixes
...
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl >
2019-11-22 20:52:10 +01:00
6ad54f3f27
Merge pull request #17850 from nextcloud/bugfix/noid/mark-spreed-as-active-on-call-urls
...
Mark "Talk" active on /call/token URLs
2019-11-20 10:33:45 +01:00
9055f46351
Make phan happy ;)
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de >
2019-11-19 16:16:26 +01:00
0a1937208f
Fixes a 500 without userid
...
plus cleanup of unused use statements
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de >
2019-11-16 01:10:19 +01:00
15f00f0126
Mark "Talk" active on /call/token URLs
...
Signed-off-by: Joas Schilling <coding@schilljs.com >
2019-11-12 21:39:20 +01:00
37a4282c7a
Split up security middleware
...
With upcoming work for the feature policy header. Splitting this in
smaller classes that just do 1 thing makes sense.
I rather have a few small classes that are tiny and do 1 thing right
(and we all understand what is going on) than have big ones.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl >
2019-07-27 16:11:45 +02:00
22ae682823
Make it possible to show admin settings for sub admins
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at >
2019-05-23 20:31:40 +02:00
8c1e75e052
Do not use file as template parameter
...
Using file will overwrite the $file parameter in the template base.
Leading to trying to include a file that is the exception message. Which
will of course fail.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl >
2018-08-09 16:45:25 +02:00
38a90130ce
move log constants to ILogger
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de >
2018-04-26 10:45:52 +02:00
3ad7daeda5
Add tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl >
2018-03-08 11:05:18 +01:00
340e8ef16c
Make SecurityMiddleware strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl >
2018-03-08 10:11:47 +01:00
7da0812186
Do not throw AppNotEnabledException for app public pages - refs #6962 , refs #5309
...
It allows non-logged user to access public pages of applications restricted to a group
Signed-off-by: Julien Veyssier <eneiluj@posteo.net >
2018-02-28 20:35:53 +01:00
cf35c4b03a
Provide translated error message for permission error
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de >
2018-02-26 17:00:29 +01:00
c0adfa4375
Don't perform CSRF check on OCS routes with Bearer auth
...
Fixes #5694
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl >
2018-01-29 14:37:18 +01:00
2a38605545
Properly log the full exception instead of only the message
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de >
2018-01-23 10:57:21 +01:00
Côme Chilliet
Carl Schwan
Ferdinand Thiessen
Carl Schwan
Joas Schilling
Robin Appelman
Benjamin Gaussorgues
Alexander Piskun
provokateurin
Andy Scherzinger
Vincent Petry
jld3103
Faraz Samapoor
Julius Härtl
Carl Schwan
John Molakvoæ (skjnldsv)
Christoph Wurst
Holger Hees
Roeland Jago Douma
Joas Schilling
Daniel Kesselberg
Arthur Schiwon
Julien Veyssier
Morris Jobke