|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* Nextcloud - NextNote |
|
4
|
|
|
* |
|
5
|
|
|
* @copyright Copyright (c) 2015, Ben Curtis <[email protected]> |
|
6
|
|
|
* @copyright Copyright (c) 2017, Sander Brand ([email protected]) |
|
7
|
|
|
* @license GNU AGPL version 3 or any later version |
|
8
|
|
|
* |
|
9
|
|
|
* This program is free software: you can redistribute it and/or modify |
|
10
|
|
|
* it under the terms of the GNU Affero General Public License as |
|
11
|
|
|
* published by the Free Software Foundation, either version 3 of the |
|
12
|
|
|
* License, or (at your option) any later version. |
|
13
|
|
|
* |
|
14
|
|
|
* This program is distributed in the hope that it will be useful, |
|
15
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
16
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
17
|
|
|
* GNU Affero General Public License for more details. |
|
18
|
|
|
* |
|
19
|
|
|
* You should have received a copy of the GNU Affero General Public License |
|
20
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
21
|
|
|
* |
|
22
|
|
|
*/ |
|
23
|
|
|
|
|
24
|
|
|
namespace OCA\NextNote\Controller; |
|
25
|
|
|
|
|
26
|
|
|
|
|
27
|
|
|
use OCP\IConfig; |
|
28
|
|
|
use \OCP\IRequest; |
|
29
|
|
|
use \OCP\AppFramework\Http\TemplateResponse; |
|
30
|
|
|
use \OCP\AppFramework\Controller; |
|
31
|
|
|
use \OCP\AppFramework\Http\ContentSecurityPolicy; |
|
32
|
|
|
use \OCP\Util; |
|
33
|
|
|
|
|
34
|
|
|
class PageController extends Controller { |
|
35
|
|
|
|
|
36
|
|
|
private $userId; |
|
37
|
|
|
private $config; |
|
38
|
|
|
|
|
39
|
|
|
public function __construct($appName, IRequest $request, $userId, IConfig $config) { |
|
40
|
|
|
parent::__construct($appName, $request); |
|
41
|
|
|
$this->userId = $userId; |
|
42
|
|
|
$this->config = $config; |
|
43
|
|
|
} |
|
44
|
|
|
|
|
45
|
|
|
|
|
46
|
|
|
/** |
|
47
|
|
|
* CAUTION: the @Stuff turn off security checks, for this page no admin is |
|
48
|
|
|
* required and no CSRF check. If you don't know what CSRF is, read |
|
49
|
|
|
* it up in the docs or you might create a security hole. This is |
|
50
|
|
|
* basically the only required method to add this exemption, don't |
|
51
|
|
|
* add it to any other method if you don't exactly know what it does |
|
52
|
|
|
* |
|
53
|
|
|
* @NoAdminRequired |
|
54
|
|
|
* @NoCSRFRequired |
|
55
|
|
|
*/ |
|
56
|
|
|
public function index() { |
|
57
|
|
|
$shareMode = $this->config->getAppValue('nextnote', 'sharemode', 'merge'); // merge or standalone |
|
58
|
|
|
$params = array('user' => $this->userId, 'shareMode' => $shareMode); |
|
59
|
|
|
$response = new TemplateResponse('nextnote', 'main', $params); |
|
60
|
|
|
$ocVersion = \OCP\Util::getVersion(); |
|
61
|
|
|
if ($ocVersion[0] > 8 || ($ocVersion[0] == 8 && $ocVersion[1] >= 1)) { |
|
62
|
|
|
$csp = new \OCP\AppFramework\Http\ContentSecurityPolicy(); |
|
63
|
|
|
$csp->addAllowedImageDomain('data:'); |
|
64
|
|
|
$csp->addAllowedImageDomain('blob:'); |
|
65
|
|
|
$csp->addAllowedFrameDomain('data:'); |
|
66
|
|
|
|
|
67
|
|
|
$allowedFrameDomains = array( |
|
68
|
|
|
'https://www.youtube.com' |
|
69
|
|
|
); |
|
70
|
|
|
foreach ($allowedFrameDomains as $domain) { |
|
71
|
|
|
$csp->addAllowedFrameDomain($domain); |
|
72
|
|
|
} |
|
73
|
|
|
|
|
74
|
|
|
$csp->addAllowedScriptDomain("'nonce-test'"); |
|
75
|
|
|
$response->setContentSecurityPolicy($csp); |
|
76
|
|
|
} |
|
77
|
|
|
return $response; |
|
78
|
|
|
} |
|
79
|
|
|
} |
|
80
|
|
|
|
brantje /
nextnote
