nextcloud /
server
@@ -76,138 +76,138 @@ discard block |
||
| 76 | 76 | * check fails |
| 77 | 77 | */ |
| 78 | 78 | class SecurityMiddleware extends Middleware { |
| 79 | - /** @var INavigationManager */ |
|
| 80 | - private $navigationManager; |
|
| 81 | - /** @var IRequest */ |
|
| 82 | - private $request; |
|
| 83 | - /** @var ControllerMethodReflector */ |
|
| 84 | - private $reflector; |
|
| 85 | - /** @var string */ |
|
| 86 | - private $appName; |
|
| 87 | - /** @var IURLGenerator */ |
|
| 88 | - private $urlGenerator; |
|
| 89 | - /** @var LoggerInterface */ |
|
| 90 | - private $logger; |
|
| 91 | - /** @var bool */ |
|
| 92 | - private $isLoggedIn; |
|
| 93 | - /** @var bool */ |
|
| 94 | - private $isAdminUser; |
|
| 95 | - /** @var bool */ |
|
| 96 | - private $isSubAdmin; |
|
| 97 | - /** @var IAppManager */ |
|
| 98 | - private $appManager; |
|
| 99 | - /** @var IL10N */ |
|
| 100 | - private $l10n; |
|
| 101 | - /** @var AuthorizedGroupMapper */ |
|
| 102 | - private $groupAuthorizationMapper; |
|
| 103 | - /** @var IUserSession */ |
|
| 104 | - private $userSession; |
|
| 79 | + /** @var INavigationManager */ |
|
| 80 | + private $navigationManager; |
|
| 81 | + /** @var IRequest */ |
|
| 82 | + private $request; |
|
| 83 | + /** @var ControllerMethodReflector */ |
|
| 84 | + private $reflector; |
|
| 85 | + /** @var string */ |
|
| 86 | + private $appName; |
|
| 87 | + /** @var IURLGenerator */ |
|
| 88 | + private $urlGenerator; |
|
| 89 | + /** @var LoggerInterface */ |
|
| 90 | + private $logger; |
|
| 91 | + /** @var bool */ |
|
| 92 | + private $isLoggedIn; |
|
| 93 | + /** @var bool */ |
|
| 94 | + private $isAdminUser; |
|
| 95 | + /** @var bool */ |
|
| 96 | + private $isSubAdmin; |
|
| 97 | + /** @var IAppManager */ |
|
| 98 | + private $appManager; |
|
| 99 | + /** @var IL10N */ |
|
| 100 | + private $l10n; |
|
| 101 | + /** @var AuthorizedGroupMapper */ |
|
| 102 | + private $groupAuthorizationMapper; |
|
| 103 | + /** @var IUserSession */ |
|
| 104 | + private $userSession; |
|
| 105 | 105 | |
| 106 | - public function __construct(IRequest $request, |
|
| 107 | - ControllerMethodReflector $reflector, |
|
| 108 | - INavigationManager $navigationManager, |
|
| 109 | - IURLGenerator $urlGenerator, |
|
| 110 | - LoggerInterface $logger, |
|
| 111 | - string $appName, |
|
| 112 | - bool $isLoggedIn, |
|
| 113 | - bool $isAdminUser, |
|
| 114 | - bool $isSubAdmin, |
|
| 115 | - IAppManager $appManager, |
|
| 116 | - IL10N $l10n, |
|
| 117 | - AuthorizedGroupMapper $mapper, |
|
| 118 | - IUserSession $userSession |
|
| 119 | - ) { |
|
| 120 | - $this->navigationManager = $navigationManager; |
|
| 121 | - $this->request = $request; |
|
| 122 | - $this->reflector = $reflector; |
|
| 123 | - $this->appName = $appName; |
|
| 124 | - $this->urlGenerator = $urlGenerator; |
|
| 125 | - $this->logger = $logger; |
|
| 126 | - $this->isLoggedIn = $isLoggedIn; |
|
| 127 | - $this->isAdminUser = $isAdminUser; |
|
| 128 | - $this->isSubAdmin = $isSubAdmin; |
|
| 129 | - $this->appManager = $appManager; |
|
| 130 | - $this->l10n = $l10n; |
|
| 131 | - $this->groupAuthorizationMapper = $mapper; |
|
| 132 | - $this->userSession = $userSession; |
|
| 133 | - } |
|
| 106 | + public function __construct(IRequest $request, |
|
| 107 | + ControllerMethodReflector $reflector, |
|
| 108 | + INavigationManager $navigationManager, |
|
| 109 | + IURLGenerator $urlGenerator, |
|
| 110 | + LoggerInterface $logger, |
|
| 111 | + string $appName, |
|
| 112 | + bool $isLoggedIn, |
|
| 113 | + bool $isAdminUser, |
|
| 114 | + bool $isSubAdmin, |
|
| 115 | + IAppManager $appManager, |
|
| 116 | + IL10N $l10n, |
|
| 117 | + AuthorizedGroupMapper $mapper, |
|
| 118 | + IUserSession $userSession |
|
| 119 | + ) { |
|
| 120 | + $this->navigationManager = $navigationManager; |
|
| 121 | + $this->request = $request; |
|
| 122 | + $this->reflector = $reflector; |
|
| 123 | + $this->appName = $appName; |
|
| 124 | + $this->urlGenerator = $urlGenerator; |
|
| 125 | + $this->logger = $logger; |
|
| 126 | + $this->isLoggedIn = $isLoggedIn; |
|
| 127 | + $this->isAdminUser = $isAdminUser; |
|
| 128 | + $this->isSubAdmin = $isSubAdmin; |
|
| 129 | + $this->appManager = $appManager; |
|
| 130 | + $this->l10n = $l10n; |
|
| 131 | + $this->groupAuthorizationMapper = $mapper; |
|
| 132 | + $this->userSession = $userSession; |
|
| 133 | + } |
|
| 134 | 134 | |
| 135 | - /** |
|
| 136 | - * This runs all the security checks before a method call. The |
|
| 137 | - * security checks are determined by inspecting the controller method |
|
| 138 | - * annotations |
|
| 139 | - * |
|
| 140 | - * @param Controller $controller the controller |
|
| 141 | - * @param string $methodName the name of the method |
|
| 142 | - * @throws SecurityException when a security check fails |
|
| 143 | - * |
|
| 144 | - * @suppress PhanUndeclaredClassConstant |
|
| 145 | - */ |
|
| 146 | - public function beforeController($controller, $methodName) { |
|
| 147 | - // this will set the current navigation entry of the app, use this only |
|
| 148 | - // for normal HTML requests and not for AJAX requests |
|
| 149 | - $this->navigationManager->setActiveEntry($this->appName); |
|
| 135 | + /** |
|
| 136 | + * This runs all the security checks before a method call. The |
|
| 137 | + * security checks are determined by inspecting the controller method |
|
| 138 | + * annotations |
|
| 139 | + * |
|
| 140 | + * @param Controller $controller the controller |
|
| 141 | + * @param string $methodName the name of the method |
|
| 142 | + * @throws SecurityException when a security check fails |
|
| 143 | + * |
|
| 144 | + * @suppress PhanUndeclaredClassConstant |
|
| 145 | + */ |
|
| 146 | + public function beforeController($controller, $methodName) { |
|
| 147 | + // this will set the current navigation entry of the app, use this only |
|
| 148 | + // for normal HTML requests and not for AJAX requests |
|
| 149 | + $this->navigationManager->setActiveEntry($this->appName); |
|
| 150 | 150 | |
| 151 | - if (get_class($controller) === \OCA\Talk\Controller\PageController::class && $methodName === 'showCall') { |
|
| 152 | - $this->navigationManager->setActiveEntry('spreed'); |
|
| 153 | - } |
|
| 151 | + if (get_class($controller) === \OCA\Talk\Controller\PageController::class && $methodName === 'showCall') { |
|
| 152 | + $this->navigationManager->setActiveEntry('spreed'); |
|
| 153 | + } |
|
| 154 | 154 | |
| 155 | - $reflectionMethod = new ReflectionMethod($controller, $methodName); |
|
| 155 | + $reflectionMethod = new ReflectionMethod($controller, $methodName); |
|
| 156 | 156 | |
| 157 | - // security checks |
|
| 158 | - $isPublicPage = $this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class); |
|
| 159 | - if (!$isPublicPage) { |
|
| 160 | - if (!$this->isLoggedIn) { |
|
| 161 | - throw new NotLoggedInException(); |
|
| 162 | - } |
|
| 163 | - $authorized = false; |
|
| 164 | - if ($this->hasAnnotationOrAttribute($reflectionMethod, 'AuthorizedAdminSetting', AuthorizedAdminSetting::class)) { |
|
| 165 | - $authorized = $this->isAdminUser; |
|
| 157 | + // security checks |
|
| 158 | + $isPublicPage = $this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class); |
|
| 159 | + if (!$isPublicPage) { |
|
| 160 | + if (!$this->isLoggedIn) { |
|
| 161 | + throw new NotLoggedInException(); |
|
| 162 | + } |
|
| 163 | + $authorized = false; |
|
| 164 | + if ($this->hasAnnotationOrAttribute($reflectionMethod, 'AuthorizedAdminSetting', AuthorizedAdminSetting::class)) { |
|
| 165 | + $authorized = $this->isAdminUser; |
|
| 166 | 166 | |
| 167 | - if (!$authorized && $this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)) { |
|
| 168 | - $authorized = $this->isSubAdmin; |
|
| 169 | - } |
|
| 167 | + if (!$authorized && $this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)) { |
|
| 168 | + $authorized = $this->isSubAdmin; |
|
| 169 | + } |
|
| 170 | 170 | |
| 171 | - if (!$authorized) { |
|
| 172 | - $settingClasses = $this->getAuthorizedAdminSettingClasses($reflectionMethod); |
|
| 173 | - $authorizedClasses = $this->groupAuthorizationMapper->findAllClassesForUser($this->userSession->getUser()); |
|
| 174 | - foreach ($settingClasses as $settingClass) { |
|
| 175 | - $authorized = in_array($settingClass, $authorizedClasses, true); |
|
| 171 | + if (!$authorized) { |
|
| 172 | + $settingClasses = $this->getAuthorizedAdminSettingClasses($reflectionMethod); |
|
| 173 | + $authorizedClasses = $this->groupAuthorizationMapper->findAllClassesForUser($this->userSession->getUser()); |
|
| 174 | + foreach ($settingClasses as $settingClass) { |
|
| 175 | + $authorized = in_array($settingClass, $authorizedClasses, true); |
|
| 176 | 176 | |
| 177 | - if ($authorized) { |
|
| 178 | - break; |
|
| 179 | - } |
|
| 180 | - } |
|
| 181 | - } |
|
| 182 | - if (!$authorized) { |
|
| 183 | - throw new NotAdminException($this->l10n->t('Logged in user must be an admin, a sub admin or gotten special right to access this setting')); |
|
| 184 | - } |
|
| 185 | - } |
|
| 186 | - if ($this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class) |
|
| 187 | - && !$this->isSubAdmin |
|
| 188 | - && !$this->isAdminUser |
|
| 189 | - && !$authorized) { |
|
| 190 | - throw new NotAdminException($this->l10n->t('Logged in user must be an admin or sub admin')); |
|
| 191 | - } |
|
| 192 | - if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class) |
|
| 193 | - && !$this->hasAnnotationOrAttribute($reflectionMethod, 'NoAdminRequired', NoAdminRequired::class) |
|
| 194 | - && !$this->isAdminUser |
|
| 195 | - && !$authorized) { |
|
| 196 | - throw new NotAdminException($this->l10n->t('Logged in user must be an admin')); |
|
| 197 | - } |
|
| 198 | - } |
|
| 177 | + if ($authorized) { |
|
| 178 | + break; |
|
| 179 | + } |
|
| 180 | + } |
|
| 181 | + } |
|
| 182 | + if (!$authorized) { |
|
| 183 | + throw new NotAdminException($this->l10n->t('Logged in user must be an admin, a sub admin or gotten special right to access this setting')); |
|
| 184 | + } |
|
| 185 | + } |
|
| 186 | + if ($this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class) |
|
| 187 | + && !$this->isSubAdmin |
|
| 188 | + && !$this->isAdminUser |
|
| 189 | + && !$authorized) { |
|
| 190 | + throw new NotAdminException($this->l10n->t('Logged in user must be an admin or sub admin')); |
|
| 191 | + } |
|
| 192 | + if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class) |
|
| 193 | + && !$this->hasAnnotationOrAttribute($reflectionMethod, 'NoAdminRequired', NoAdminRequired::class) |
|
| 194 | + && !$this->isAdminUser |
|
| 195 | + && !$authorized) { |
|
| 196 | + throw new NotAdminException($this->l10n->t('Logged in user must be an admin')); |
|
| 197 | + } |
|
| 198 | + } |
|
| 199 | 199 | |
| 200 | - // Check for strict cookie requirement |
|
| 201 | - if ($this->hasAnnotationOrAttribute($reflectionMethod, 'StrictCookieRequired', StrictCookiesRequired::class) || |
|
| 202 | - !$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) { |
|
| 203 | - if (!$this->request->passesStrictCookieCheck()) { |
|
| 204 | - throw new StrictCookieMissingException(); |
|
| 205 | - } |
|
| 206 | - } |
|
| 207 | - // CSRF check - also registers the CSRF token since the session may be closed later |
|
| 208 | - Util::callRegister(); |
|
| 209 | - if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) { |
|
| 210 | - /* |
|
| 200 | + // Check for strict cookie requirement |
|
| 201 | + if ($this->hasAnnotationOrAttribute($reflectionMethod, 'StrictCookieRequired', StrictCookiesRequired::class) || |
|
| 202 | + !$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) { |
|
| 203 | + if (!$this->request->passesStrictCookieCheck()) { |
|
| 204 | + throw new StrictCookieMissingException(); |
|
| 205 | + } |
|
| 206 | + } |
|
| 207 | + // CSRF check - also registers the CSRF token since the session may be closed later |
|
| 208 | + Util::callRegister(); |
|
| 209 | + if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) { |
|
| 210 | + /* |
|
| 211 | 211 | * Only allow the CSRF check to fail on OCS Requests. This kind of |
| 212 | 212 | * hacks around that we have no full token auth in place yet and we |
| 213 | 213 | * do want to offer CSRF checks for web requests. |
@@ -215,123 +215,123 @@ discard block |
||
| 215 | 215 | * Additionally we allow Bearer authenticated requests to pass on OCS routes. |
| 216 | 216 | * This allows oauth apps (e.g. moodle) to use the OCS endpoints |
| 217 | 217 | */ |
| 218 | - if (!$this->request->passesCSRFCheck() && !( |
|
| 219 | - $controller instanceof OCSController && ( |
|
| 220 | - $this->request->getHeader('OCS-APIREQUEST') === 'true' || |
|
| 221 | - strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0 |
|
| 222 | - ) |
|
| 223 | - )) { |
|
| 224 | - throw new CrossSiteRequestForgeryException(); |
|
| 225 | - } |
|
| 226 | - } |
|
| 218 | + if (!$this->request->passesCSRFCheck() && !( |
|
| 219 | + $controller instanceof OCSController && ( |
|
| 220 | + $this->request->getHeader('OCS-APIREQUEST') === 'true' || |
|
| 221 | + strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0 |
|
| 222 | + ) |
|
| 223 | + )) { |
|
| 224 | + throw new CrossSiteRequestForgeryException(); |
|
| 225 | + } |
|
| 226 | + } |
|
| 227 | 227 | |
| 228 | - /** |
|
| 229 | - * Checks if app is enabled (also includes a check whether user is allowed to access the resource) |
|
| 230 | - * The getAppPath() check is here since components such as settings also use the AppFramework and |
|
| 231 | - * therefore won't pass this check. |
|
| 232 | - * If page is public, app does not need to be enabled for current user/visitor |
|
| 233 | - */ |
|
| 234 | - try { |
|
| 235 | - $appPath = $this->appManager->getAppPath($this->appName); |
|
| 236 | - } catch (AppPathNotFoundException $e) { |
|
| 237 | - $appPath = false; |
|
| 238 | - } |
|
| 228 | + /** |
|
| 229 | + * Checks if app is enabled (also includes a check whether user is allowed to access the resource) |
|
| 230 | + * The getAppPath() check is here since components such as settings also use the AppFramework and |
|
| 231 | + * therefore won't pass this check. |
|
| 232 | + * If page is public, app does not need to be enabled for current user/visitor |
|
| 233 | + */ |
|
| 234 | + try { |
|
| 235 | + $appPath = $this->appManager->getAppPath($this->appName); |
|
| 236 | + } catch (AppPathNotFoundException $e) { |
|
| 237 | + $appPath = false; |
|
| 238 | + } |
|
| 239 | 239 | |
| 240 | - if ($appPath !== false && !$isPublicPage && !$this->appManager->isEnabledForUser($this->appName)) { |
|
| 241 | - throw new AppNotEnabledException(); |
|
| 242 | - } |
|
| 243 | - } |
|
| 240 | + if ($appPath !== false && !$isPublicPage && !$this->appManager->isEnabledForUser($this->appName)) { |
|
| 241 | + throw new AppNotEnabledException(); |
|
| 242 | + } |
|
| 243 | + } |
|
| 244 | 244 | |
| 245 | - /** |
|
| 246 | - * @template T |
|
| 247 | - * |
|
| 248 | - * @param ReflectionMethod $reflectionMethod |
|
| 249 | - * @param string $annotationName |
|
| 250 | - * @param class-string<T> $attributeClass |
|
| 251 | - * @return boolean |
|
| 252 | - */ |
|
| 253 | - protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool { |
|
| 254 | - if (!empty($reflectionMethod->getAttributes($attributeClass))) { |
|
| 255 | - return true; |
|
| 256 | - } |
|
| 245 | + /** |
|
| 246 | + * @template T |
|
| 247 | + * |
|
| 248 | + * @param ReflectionMethod $reflectionMethod |
|
| 249 | + * @param string $annotationName |
|
| 250 | + * @param class-string<T> $attributeClass |
|
| 251 | + * @return boolean |
|
| 252 | + */ |
|
| 253 | + protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool { |
|
| 254 | + if (!empty($reflectionMethod->getAttributes($attributeClass))) { |
|
| 255 | + return true; |
|
| 256 | + } |
|
| 257 | 257 | |
| 258 | - if ($this->reflector->hasAnnotation($annotationName)) { |
|
| 259 | - return true; |
|
| 260 | - } |
|
| 258 | + if ($this->reflector->hasAnnotation($annotationName)) { |
|
| 259 | + return true; |
|
| 260 | + } |
|
| 261 | 261 | |
| 262 | - return false; |
|
| 263 | - } |
|
| 262 | + return false; |
|
| 263 | + } |
|
| 264 | 264 | |
| 265 | - /** |
|
| 266 | - * @param ReflectionMethod $reflectionMethod |
|
| 267 | - * @return string[] |
|
| 268 | - */ |
|
| 269 | - protected function getAuthorizedAdminSettingClasses(ReflectionMethod $reflectionMethod): array { |
|
| 270 | - $classes = []; |
|
| 271 | - if ($this->reflector->hasAnnotation('AuthorizedAdminSetting')) { |
|
| 272 | - $classes = explode(';', $this->reflector->getAnnotationParameter('AuthorizedAdminSetting', 'settings')); |
|
| 273 | - } |
|
| 265 | + /** |
|
| 266 | + * @param ReflectionMethod $reflectionMethod |
|
| 267 | + * @return string[] |
|
| 268 | + */ |
|
| 269 | + protected function getAuthorizedAdminSettingClasses(ReflectionMethod $reflectionMethod): array { |
|
| 270 | + $classes = []; |
|
| 271 | + if ($this->reflector->hasAnnotation('AuthorizedAdminSetting')) { |
|
| 272 | + $classes = explode(';', $this->reflector->getAnnotationParameter('AuthorizedAdminSetting', 'settings')); |
|
| 273 | + } |
|
| 274 | 274 | |
| 275 | - $attributes = $reflectionMethod->getAttributes(AuthorizedAdminSetting::class); |
|
| 276 | - if (!empty($attributes)) { |
|
| 277 | - foreach ($attributes as $attribute) { |
|
| 278 | - /** @var AuthorizedAdminSetting $setting */ |
|
| 279 | - $setting = $attribute->newInstance(); |
|
| 280 | - $classes[] = $setting->getSettings(); |
|
| 281 | - } |
|
| 282 | - } |
|
| 275 | + $attributes = $reflectionMethod->getAttributes(AuthorizedAdminSetting::class); |
|
| 276 | + if (!empty($attributes)) { |
|
| 277 | + foreach ($attributes as $attribute) { |
|
| 278 | + /** @var AuthorizedAdminSetting $setting */ |
|
| 279 | + $setting = $attribute->newInstance(); |
|
| 280 | + $classes[] = $setting->getSettings(); |
|
| 281 | + } |
|
| 282 | + } |
|
| 283 | 283 | |
| 284 | - return $classes; |
|
| 285 | - } |
|
| 284 | + return $classes; |
|
| 285 | + } |
|
| 286 | 286 | |
| 287 | - /** |
|
| 288 | - * If an SecurityException is being caught, ajax requests return a JSON error |
|
| 289 | - * response and non ajax requests redirect to the index |
|
| 290 | - * |
|
| 291 | - * @param Controller $controller the controller that is being called |
|
| 292 | - * @param string $methodName the name of the method that will be called on |
|
| 293 | - * the controller |
|
| 294 | - * @param \Exception $exception the thrown exception |
|
| 295 | - * @return Response a Response object or null in case that the exception could not be handled |
|
| 296 | - * @throws \Exception the passed in exception if it can't handle it |
|
| 297 | - */ |
|
| 298 | - public function afterException($controller, $methodName, \Exception $exception): Response { |
|
| 299 | - if ($exception instanceof SecurityException) { |
|
| 300 | - if ($exception instanceof StrictCookieMissingException) { |
|
| 301 | - return new RedirectResponse(\OC::$WEBROOT . '/'); |
|
| 302 | - } |
|
| 303 | - if (stripos($this->request->getHeader('Accept'), 'html') === false) { |
|
| 304 | - $response = new JSONResponse( |
|
| 305 | - ['message' => $exception->getMessage()], |
|
| 306 | - $exception->getCode() |
|
| 307 | - ); |
|
| 308 | - } else { |
|
| 309 | - if ($exception instanceof NotLoggedInException) { |
|
| 310 | - $params = []; |
|
| 311 | - if (isset($this->request->server['REQUEST_URI'])) { |
|
| 312 | - $params['redirect_url'] = $this->request->server['REQUEST_URI']; |
|
| 313 | - } |
|
| 314 | - $usernamePrefill = $this->request->getParam('user', ''); |
|
| 315 | - if ($usernamePrefill !== '') { |
|
| 316 | - $params['user'] = $usernamePrefill; |
|
| 317 | - } |
|
| 318 | - if ($this->request->getParam('direct')) { |
|
| 319 | - $params['direct'] = 1; |
|
| 320 | - } |
|
| 321 | - $url = $this->urlGenerator->linkToRoute('core.login.showLoginForm', $params); |
|
| 322 | - $response = new RedirectResponse($url); |
|
| 323 | - } else { |
|
| 324 | - $response = new TemplateResponse('core', '403', ['message' => $exception->getMessage()], 'guest'); |
|
| 325 | - $response->setStatus($exception->getCode()); |
|
| 326 | - } |
|
| 327 | - } |
|
| 287 | + /** |
|
| 288 | + * If an SecurityException is being caught, ajax requests return a JSON error |
|
| 289 | + * response and non ajax requests redirect to the index |
|
| 290 | + * |
|
| 291 | + * @param Controller $controller the controller that is being called |
|
| 292 | + * @param string $methodName the name of the method that will be called on |
|
| 293 | + * the controller |
|
| 294 | + * @param \Exception $exception the thrown exception |
|
| 295 | + * @return Response a Response object or null in case that the exception could not be handled |
|
| 296 | + * @throws \Exception the passed in exception if it can't handle it |
|
| 297 | + */ |
|
| 298 | + public function afterException($controller, $methodName, \Exception $exception): Response { |
|
| 299 | + if ($exception instanceof SecurityException) { |
|
| 300 | + if ($exception instanceof StrictCookieMissingException) { |
|
| 301 | + return new RedirectResponse(\OC::$WEBROOT . '/'); |
|
| 302 | + } |
|
| 303 | + if (stripos($this->request->getHeader('Accept'), 'html') === false) { |
|
| 304 | + $response = new JSONResponse( |
|
| 305 | + ['message' => $exception->getMessage()], |
|
| 306 | + $exception->getCode() |
|
| 307 | + ); |
|
| 308 | + } else { |
|
| 309 | + if ($exception instanceof NotLoggedInException) { |
|
| 310 | + $params = []; |
|
| 311 | + if (isset($this->request->server['REQUEST_URI'])) { |
|
| 312 | + $params['redirect_url'] = $this->request->server['REQUEST_URI']; |
|
| 313 | + } |
|
| 314 | + $usernamePrefill = $this->request->getParam('user', ''); |
|
| 315 | + if ($usernamePrefill !== '') { |
|
| 316 | + $params['user'] = $usernamePrefill; |
|
| 317 | + } |
|
| 318 | + if ($this->request->getParam('direct')) { |
|
| 319 | + $params['direct'] = 1; |
|
| 320 | + } |
|
| 321 | + $url = $this->urlGenerator->linkToRoute('core.login.showLoginForm', $params); |
|
| 322 | + $response = new RedirectResponse($url); |
|
| 323 | + } else { |
|
| 324 | + $response = new TemplateResponse('core', '403', ['message' => $exception->getMessage()], 'guest'); |
|
| 325 | + $response->setStatus($exception->getCode()); |
|
| 326 | + } |
|
| 327 | + } |
|
| 328 | 328 | |
| 329 | - $this->logger->debug($exception->getMessage(), [ |
|
| 330 | - 'exception' => $exception, |
|
| 331 | - ]); |
|
| 332 | - return $response; |
|
| 333 | - } |
|
| 329 | + $this->logger->debug($exception->getMessage(), [ |
|
| 330 | + 'exception' => $exception, |
|
| 331 | + ]); |
|
| 332 | + return $response; |
|
| 333 | + } |
|
| 334 | 334 | |
| 335 | - throw $exception; |
|
| 336 | - } |
|
| 335 | + throw $exception; |
|
| 336 | + } |
|
| 337 | 337 | } |
@@ -36,32 +36,32 @@ |
||
| 36 | 36 | * a reload but if the session variable is set we properly redirect to the login page. |
| 37 | 37 | */ |
| 38 | 38 | class ReloadExecutionMiddleware extends Middleware { |
| 39 | - /** @var ISession */ |
|
| 40 | - private $session; |
|
| 41 | - /** @var IURLGenerator */ |
|
| 42 | - private $urlGenerator; |
|
| 39 | + /** @var ISession */ |
|
| 40 | + private $session; |
|
| 41 | + /** @var IURLGenerator */ |
|
| 42 | + private $urlGenerator; |
|
| 43 | 43 | |
| 44 | - public function __construct(ISession $session, IURLGenerator $urlGenerator) { |
|
| 45 | - $this->session = $session; |
|
| 46 | - $this->urlGenerator = $urlGenerator; |
|
| 47 | - } |
|
| 44 | + public function __construct(ISession $session, IURLGenerator $urlGenerator) { |
|
| 45 | + $this->session = $session; |
|
| 46 | + $this->urlGenerator = $urlGenerator; |
|
| 47 | + } |
|
| 48 | 48 | |
| 49 | - public function beforeController($controller, $methodName) { |
|
| 50 | - if ($this->session->exists('clearingExecutionContexts')) { |
|
| 51 | - throw new ReloadExecutionException(); |
|
| 52 | - } |
|
| 53 | - } |
|
| 49 | + public function beforeController($controller, $methodName) { |
|
| 50 | + if ($this->session->exists('clearingExecutionContexts')) { |
|
| 51 | + throw new ReloadExecutionException(); |
|
| 52 | + } |
|
| 53 | + } |
|
| 54 | 54 | |
| 55 | - public function afterException($controller, $methodName, \Exception $exception) { |
|
| 56 | - if ($exception instanceof ReloadExecutionException) { |
|
| 57 | - $this->session->remove('clearingExecutionContexts'); |
|
| 55 | + public function afterException($controller, $methodName, \Exception $exception) { |
|
| 56 | + if ($exception instanceof ReloadExecutionException) { |
|
| 57 | + $this->session->remove('clearingExecutionContexts'); |
|
| 58 | 58 | |
| 59 | - return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute( |
|
| 60 | - 'core.login.showLoginForm', |
|
| 61 | - ['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers |
|
| 62 | - )); |
|
| 63 | - } |
|
| 59 | + return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute( |
|
| 60 | + 'core.login.showLoginForm', |
|
| 61 | + ['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers |
|
| 62 | + )); |
|
| 63 | + } |
|
| 64 | 64 | |
| 65 | - return parent::afterException($controller, $methodName, $exception); |
|
| 66 | - } |
|
| 65 | + return parent::afterException($controller, $methodName, $exception); |
|
| 66 | + } |
|
| 67 | 67 | } |
@@ -35,82 +35,82 @@ |
||
| 35 | 35 | use ReflectionMethod; |
| 36 | 36 | |
| 37 | 37 | class PasswordConfirmationMiddleware extends Middleware { |
| 38 | - /** @var ControllerMethodReflector */ |
|
| 39 | - private $reflector; |
|
| 40 | - /** @var ISession */ |
|
| 41 | - private $session; |
|
| 42 | - /** @var IUserSession */ |
|
| 43 | - private $userSession; |
|
| 44 | - /** @var ITimeFactory */ |
|
| 45 | - private $timeFactory; |
|
| 46 | - /** @var array */ |
|
| 47 | - private $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true]; |
|
| 38 | + /** @var ControllerMethodReflector */ |
|
| 39 | + private $reflector; |
|
| 40 | + /** @var ISession */ |
|
| 41 | + private $session; |
|
| 42 | + /** @var IUserSession */ |
|
| 43 | + private $userSession; |
|
| 44 | + /** @var ITimeFactory */ |
|
| 45 | + private $timeFactory; |
|
| 46 | + /** @var array */ |
|
| 47 | + private $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true]; |
|
| 48 | 48 | |
| 49 | - /** |
|
| 50 | - * PasswordConfirmationMiddleware constructor. |
|
| 51 | - * |
|
| 52 | - * @param ControllerMethodReflector $reflector |
|
| 53 | - * @param ISession $session |
|
| 54 | - * @param IUserSession $userSession |
|
| 55 | - * @param ITimeFactory $timeFactory |
|
| 56 | - */ |
|
| 57 | - public function __construct(ControllerMethodReflector $reflector, |
|
| 58 | - ISession $session, |
|
| 59 | - IUserSession $userSession, |
|
| 60 | - ITimeFactory $timeFactory) { |
|
| 61 | - $this->reflector = $reflector; |
|
| 62 | - $this->session = $session; |
|
| 63 | - $this->userSession = $userSession; |
|
| 64 | - $this->timeFactory = $timeFactory; |
|
| 65 | - } |
|
| 49 | + /** |
|
| 50 | + * PasswordConfirmationMiddleware constructor. |
|
| 51 | + * |
|
| 52 | + * @param ControllerMethodReflector $reflector |
|
| 53 | + * @param ISession $session |
|
| 54 | + * @param IUserSession $userSession |
|
| 55 | + * @param ITimeFactory $timeFactory |
|
| 56 | + */ |
|
| 57 | + public function __construct(ControllerMethodReflector $reflector, |
|
| 58 | + ISession $session, |
|
| 59 | + IUserSession $userSession, |
|
| 60 | + ITimeFactory $timeFactory) { |
|
| 61 | + $this->reflector = $reflector; |
|
| 62 | + $this->session = $session; |
|
| 63 | + $this->userSession = $userSession; |
|
| 64 | + $this->timeFactory = $timeFactory; |
|
| 65 | + } |
|
| 66 | 66 | |
| 67 | - /** |
|
| 68 | - * @param Controller $controller |
|
| 69 | - * @param string $methodName |
|
| 70 | - * @throws NotConfirmedException |
|
| 71 | - */ |
|
| 72 | - public function beforeController($controller, $methodName) { |
|
| 73 | - $reflectionMethod = new ReflectionMethod($controller, $methodName); |
|
| 67 | + /** |
|
| 68 | + * @param Controller $controller |
|
| 69 | + * @param string $methodName |
|
| 70 | + * @throws NotConfirmedException |
|
| 71 | + */ |
|
| 72 | + public function beforeController($controller, $methodName) { |
|
| 73 | + $reflectionMethod = new ReflectionMethod($controller, $methodName); |
|
| 74 | 74 | |
| 75 | - if ($this->hasAnnotationOrAttribute($reflectionMethod, 'PasswordConfirmationRequired', PasswordConfirmationRequired::class)) { |
|
| 76 | - $user = $this->userSession->getUser(); |
|
| 77 | - $backendClassName = ''; |
|
| 78 | - if ($user !== null) { |
|
| 79 | - $backend = $user->getBackend(); |
|
| 80 | - if ($backend instanceof IPasswordConfirmationBackend) { |
|
| 81 | - if (!$backend->canConfirmPassword($user->getUID())) { |
|
| 82 | - return; |
|
| 83 | - } |
|
| 84 | - } |
|
| 75 | + if ($this->hasAnnotationOrAttribute($reflectionMethod, 'PasswordConfirmationRequired', PasswordConfirmationRequired::class)) { |
|
| 76 | + $user = $this->userSession->getUser(); |
|
| 77 | + $backendClassName = ''; |
|
| 78 | + if ($user !== null) { |
|
| 79 | + $backend = $user->getBackend(); |
|
| 80 | + if ($backend instanceof IPasswordConfirmationBackend) { |
|
| 81 | + if (!$backend->canConfirmPassword($user->getUID())) { |
|
| 82 | + return; |
|
| 83 | + } |
|
| 84 | + } |
|
| 85 | 85 | |
| 86 | - $backendClassName = $user->getBackendClassName(); |
|
| 87 | - } |
|
| 86 | + $backendClassName = $user->getBackendClassName(); |
|
| 87 | + } |
|
| 88 | 88 | |
| 89 | - $lastConfirm = (int) $this->session->get('last-password-confirm'); |
|
| 90 | - // we can't check the password against a SAML backend, so skip password confirmation in this case |
|
| 91 | - if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay |
|
| 92 | - throw new NotConfirmedException(); |
|
| 93 | - } |
|
| 94 | - } |
|
| 95 | - } |
|
| 89 | + $lastConfirm = (int) $this->session->get('last-password-confirm'); |
|
| 90 | + // we can't check the password against a SAML backend, so skip password confirmation in this case |
|
| 91 | + if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay |
|
| 92 | + throw new NotConfirmedException(); |
|
| 93 | + } |
|
| 94 | + } |
|
| 95 | + } |
|
| 96 | 96 | |
| 97 | - /** |
|
| 98 | - * @template T |
|
| 99 | - * |
|
| 100 | - * @param ReflectionMethod $reflectionMethod |
|
| 101 | - * @param string $annotationName |
|
| 102 | - * @param class-string<T> $attributeClass |
|
| 103 | - * @return boolean |
|
| 104 | - */ |
|
| 105 | - protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool { |
|
| 106 | - if (!empty($reflectionMethod->getAttributes($attributeClass))) { |
|
| 107 | - return true; |
|
| 108 | - } |
|
| 97 | + /** |
|
| 98 | + * @template T |
|
| 99 | + * |
|
| 100 | + * @param ReflectionMethod $reflectionMethod |
|
| 101 | + * @param string $annotationName |
|
| 102 | + * @param class-string<T> $attributeClass |
|
| 103 | + * @return boolean |
|
| 104 | + */ |
|
| 105 | + protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool { |
|
| 106 | + if (!empty($reflectionMethod->getAttributes($attributeClass))) { |
|
| 107 | + return true; |
|
| 108 | + } |
|
| 109 | 109 | |
| 110 | - if ($this->reflector->hasAnnotation($annotationName)) { |
|
| 111 | - return true; |
|
| 112 | - } |
|
| 110 | + if ($this->reflector->hasAnnotation($annotationName)) { |
|
| 111 | + return true; |
|
| 112 | + } |
|
| 113 | 113 | |
| 114 | - return false; |
|
| 115 | - } |
|
| 114 | + return false; |
|
| 115 | + } |
|
| 116 | 116 | } |
@@ -48,143 +48,143 @@ |
||
| 48 | 48 | * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS |
| 49 | 49 | */ |
| 50 | 50 | class CORSMiddleware extends Middleware { |
| 51 | - /** @var IRequest */ |
|
| 52 | - private $request; |
|
| 53 | - /** @var ControllerMethodReflector */ |
|
| 54 | - private $reflector; |
|
| 55 | - /** @var Session */ |
|
| 56 | - private $session; |
|
| 57 | - /** @var Throttler */ |
|
| 58 | - private $throttler; |
|
| 51 | + /** @var IRequest */ |
|
| 52 | + private $request; |
|
| 53 | + /** @var ControllerMethodReflector */ |
|
| 54 | + private $reflector; |
|
| 55 | + /** @var Session */ |
|
| 56 | + private $session; |
|
| 57 | + /** @var Throttler */ |
|
| 58 | + private $throttler; |
|
| 59 | 59 | |
| 60 | - /** |
|
| 61 | - * @param IRequest $request |
|
| 62 | - * @param ControllerMethodReflector $reflector |
|
| 63 | - * @param Session $session |
|
| 64 | - * @param Throttler $throttler |
|
| 65 | - */ |
|
| 66 | - public function __construct(IRequest $request, |
|
| 67 | - ControllerMethodReflector $reflector, |
|
| 68 | - Session $session, |
|
| 69 | - Throttler $throttler) { |
|
| 70 | - $this->request = $request; |
|
| 71 | - $this->reflector = $reflector; |
|
| 72 | - $this->session = $session; |
|
| 73 | - $this->throttler = $throttler; |
|
| 74 | - } |
|
| 60 | + /** |
|
| 61 | + * @param IRequest $request |
|
| 62 | + * @param ControllerMethodReflector $reflector |
|
| 63 | + * @param Session $session |
|
| 64 | + * @param Throttler $throttler |
|
| 65 | + */ |
|
| 66 | + public function __construct(IRequest $request, |
|
| 67 | + ControllerMethodReflector $reflector, |
|
| 68 | + Session $session, |
|
| 69 | + Throttler $throttler) { |
|
| 70 | + $this->request = $request; |
|
| 71 | + $this->reflector = $reflector; |
|
| 72 | + $this->session = $session; |
|
| 73 | + $this->throttler = $throttler; |
|
| 74 | + } |
|
| 75 | 75 | |
| 76 | - /** |
|
| 77 | - * This is being run in normal order before the controller is being |
|
| 78 | - * called which allows several modifications and checks |
|
| 79 | - * |
|
| 80 | - * @param Controller $controller the controller that is being called |
|
| 81 | - * @param string $methodName the name of the method that will be called on |
|
| 82 | - * the controller |
|
| 83 | - * @throws SecurityException |
|
| 84 | - * @since 6.0.0 |
|
| 85 | - */ |
|
| 86 | - public function beforeController($controller, $methodName) { |
|
| 87 | - $reflectionMethod = new ReflectionMethod($controller, $methodName); |
|
| 76 | + /** |
|
| 77 | + * This is being run in normal order before the controller is being |
|
| 78 | + * called which allows several modifications and checks |
|
| 79 | + * |
|
| 80 | + * @param Controller $controller the controller that is being called |
|
| 81 | + * @param string $methodName the name of the method that will be called on |
|
| 82 | + * the controller |
|
| 83 | + * @throws SecurityException |
|
| 84 | + * @since 6.0.0 |
|
| 85 | + */ |
|
| 86 | + public function beforeController($controller, $methodName) { |
|
| 87 | + $reflectionMethod = new ReflectionMethod($controller, $methodName); |
|
| 88 | 88 | |
| 89 | - // ensure that @CORS annotated API routes are not used in conjunction |
|
| 90 | - // with session authentication since this enables CSRF attack vectors |
|
| 91 | - if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class) && |
|
| 92 | - (!$this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class) || $this->session->isLoggedIn())) { |
|
| 93 | - $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; |
|
| 94 | - $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; |
|
| 89 | + // ensure that @CORS annotated API routes are not used in conjunction |
|
| 90 | + // with session authentication since this enables CSRF attack vectors |
|
| 91 | + if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class) && |
|
| 92 | + (!$this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class) || $this->session->isLoggedIn())) { |
|
| 93 | + $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; |
|
| 94 | + $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; |
|
| 95 | 95 | |
| 96 | - // Allow to use the current session if a CSRF token is provided |
|
| 97 | - if ($this->request->passesCSRFCheck()) { |
|
| 98 | - return; |
|
| 99 | - } |
|
| 100 | - $this->session->logout(); |
|
| 101 | - try { |
|
| 102 | - if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |
|
| 103 | - throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); |
|
| 104 | - } |
|
| 105 | - } catch (PasswordLoginForbiddenException $ex) { |
|
| 106 | - throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED); |
|
| 107 | - } |
|
| 108 | - } |
|
| 109 | - } |
|
| 96 | + // Allow to use the current session if a CSRF token is provided |
|
| 97 | + if ($this->request->passesCSRFCheck()) { |
|
| 98 | + return; |
|
| 99 | + } |
|
| 100 | + $this->session->logout(); |
|
| 101 | + try { |
|
| 102 | + if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |
|
| 103 | + throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); |
|
| 104 | + } |
|
| 105 | + } catch (PasswordLoginForbiddenException $ex) { |
|
| 106 | + throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED); |
|
| 107 | + } |
|
| 108 | + } |
|
| 109 | + } |
|
| 110 | 110 | |
| 111 | - /** |
|
| 112 | - * @template T |
|
| 113 | - * |
|
| 114 | - * @param ReflectionMethod $reflectionMethod |
|
| 115 | - * @param string $annotationName |
|
| 116 | - * @param class-string<T> $attributeClass |
|
| 117 | - * @return boolean |
|
| 118 | - */ |
|
| 119 | - protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool { |
|
| 120 | - if ($this->reflector->hasAnnotation($annotationName)) { |
|
| 121 | - return true; |
|
| 122 | - } |
|
| 111 | + /** |
|
| 112 | + * @template T |
|
| 113 | + * |
|
| 114 | + * @param ReflectionMethod $reflectionMethod |
|
| 115 | + * @param string $annotationName |
|
| 116 | + * @param class-string<T> $attributeClass |
|
| 117 | + * @return boolean |
|
| 118 | + */ |
|
| 119 | + protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool { |
|
| 120 | + if ($this->reflector->hasAnnotation($annotationName)) { |
|
| 121 | + return true; |
|
| 122 | + } |
|
| 123 | 123 | |
| 124 | 124 | |
| 125 | - if (!empty($reflectionMethod->getAttributes($attributeClass))) { |
|
| 126 | - return true; |
|
| 127 | - } |
|
| 125 | + if (!empty($reflectionMethod->getAttributes($attributeClass))) { |
|
| 126 | + return true; |
|
| 127 | + } |
|
| 128 | 128 | |
| 129 | - return false; |
|
| 130 | - } |
|
| 129 | + return false; |
|
| 130 | + } |
|
| 131 | 131 | |
| 132 | - /** |
|
| 133 | - * This is being run after a successful controller method call and allows |
|
| 134 | - * the manipulation of a Response object. The middleware is run in reverse order |
|
| 135 | - * |
|
| 136 | - * @param Controller $controller the controller that is being called |
|
| 137 | - * @param string $methodName the name of the method that will be called on |
|
| 138 | - * the controller |
|
| 139 | - * @param Response $response the generated response from the controller |
|
| 140 | - * @return Response a Response object |
|
| 141 | - * @throws SecurityException |
|
| 142 | - */ |
|
| 143 | - public function afterController($controller, $methodName, Response $response) { |
|
| 144 | - // only react if it's a CORS request and if the request sends origin and |
|
| 132 | + /** |
|
| 133 | + * This is being run after a successful controller method call and allows |
|
| 134 | + * the manipulation of a Response object. The middleware is run in reverse order |
|
| 135 | + * |
|
| 136 | + * @param Controller $controller the controller that is being called |
|
| 137 | + * @param string $methodName the name of the method that will be called on |
|
| 138 | + * the controller |
|
| 139 | + * @param Response $response the generated response from the controller |
|
| 140 | + * @return Response a Response object |
|
| 141 | + * @throws SecurityException |
|
| 142 | + */ |
|
| 143 | + public function afterController($controller, $methodName, Response $response) { |
|
| 144 | + // only react if it's a CORS request and if the request sends origin and |
|
| 145 | 145 | |
| 146 | - if (isset($this->request->server['HTTP_ORIGIN'])) { |
|
| 147 | - $reflectionMethod = new ReflectionMethod($controller, $methodName); |
|
| 148 | - if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class)) { |
|
| 149 | - // allow credentials headers must not be true or CSRF is possible |
|
| 150 | - // otherwise |
|
| 151 | - foreach ($response->getHeaders() as $header => $value) { |
|
| 152 | - if (strtolower($header) === 'access-control-allow-credentials' && |
|
| 153 | - strtolower(trim($value)) === 'true') { |
|
| 154 | - $msg = 'Access-Control-Allow-Credentials must not be '. |
|
| 155 | - 'set to true in order to prevent CSRF'; |
|
| 156 | - throw new SecurityException($msg); |
|
| 157 | - } |
|
| 158 | - } |
|
| 146 | + if (isset($this->request->server['HTTP_ORIGIN'])) { |
|
| 147 | + $reflectionMethod = new ReflectionMethod($controller, $methodName); |
|
| 148 | + if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class)) { |
|
| 149 | + // allow credentials headers must not be true or CSRF is possible |
|
| 150 | + // otherwise |
|
| 151 | + foreach ($response->getHeaders() as $header => $value) { |
|
| 152 | + if (strtolower($header) === 'access-control-allow-credentials' && |
|
| 153 | + strtolower(trim($value)) === 'true') { |
|
| 154 | + $msg = 'Access-Control-Allow-Credentials must not be '. |
|
| 155 | + 'set to true in order to prevent CSRF'; |
|
| 156 | + throw new SecurityException($msg); |
|
| 157 | + } |
|
| 158 | + } |
|
| 159 | 159 | |
| 160 | - $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 161 | - $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 162 | - } |
|
| 163 | - } |
|
| 164 | - return $response; |
|
| 165 | - } |
|
| 160 | + $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 161 | + $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 162 | + } |
|
| 163 | + } |
|
| 164 | + return $response; |
|
| 165 | + } |
|
| 166 | 166 | |
| 167 | - /** |
|
| 168 | - * If an SecurityException is being caught return a JSON error response |
|
| 169 | - * |
|
| 170 | - * @param Controller $controller the controller that is being called |
|
| 171 | - * @param string $methodName the name of the method that will be called on |
|
| 172 | - * the controller |
|
| 173 | - * @param \Exception $exception the thrown exception |
|
| 174 | - * @throws \Exception the passed in exception if it can't handle it |
|
| 175 | - * @return Response a Response object or null in case that the exception could not be handled |
|
| 176 | - */ |
|
| 177 | - public function afterException($controller, $methodName, \Exception $exception) { |
|
| 178 | - if ($exception instanceof SecurityException) { |
|
| 179 | - $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 180 | - if ($exception->getCode() !== 0) { |
|
| 181 | - $response->setStatus($exception->getCode()); |
|
| 182 | - } else { |
|
| 183 | - $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
|
| 184 | - } |
|
| 185 | - return $response; |
|
| 186 | - } |
|
| 167 | + /** |
|
| 168 | + * If an SecurityException is being caught return a JSON error response |
|
| 169 | + * |
|
| 170 | + * @param Controller $controller the controller that is being called |
|
| 171 | + * @param string $methodName the name of the method that will be called on |
|
| 172 | + * the controller |
|
| 173 | + * @param \Exception $exception the thrown exception |
|
| 174 | + * @throws \Exception the passed in exception if it can't handle it |
|
| 175 | + * @return Response a Response object or null in case that the exception could not be handled |
|
| 176 | + */ |
|
| 177 | + public function afterException($controller, $methodName, \Exception $exception) { |
|
| 178 | + if ($exception instanceof SecurityException) { |
|
| 179 | + $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 180 | + if ($exception->getCode() !== 0) { |
|
| 181 | + $response->setStatus($exception->getCode()); |
|
| 182 | + } else { |
|
| 183 | + $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
|
| 184 | + } |
|
| 185 | + return $response; |
|
| 186 | + } |
|
| 187 | 187 | |
| 188 | - throw $exception; |
|
| 189 | - } |
|
| 188 | + throw $exception; |
|
| 189 | + } |
|
| 190 | 190 | } |
@@ -50,213 +50,213 @@ |
||
| 50 | 50 | * @since 14.0.0 |
| 51 | 51 | */ |
| 52 | 52 | abstract class AuthPublicShareController extends PublicShareController { |
| 53 | - /** @var IURLGenerator */ |
|
| 54 | - protected $urlGenerator; |
|
| 53 | + /** @var IURLGenerator */ |
|
| 54 | + protected $urlGenerator; |
|
| 55 | 55 | |
| 56 | - /** |
|
| 57 | - * @since 14.0.0 |
|
| 58 | - */ |
|
| 59 | - public function __construct(string $appName, |
|
| 60 | - IRequest $request, |
|
| 61 | - ISession $session, |
|
| 62 | - IURLGenerator $urlGenerator) { |
|
| 63 | - parent::__construct($appName, $request, $session); |
|
| 56 | + /** |
|
| 57 | + * @since 14.0.0 |
|
| 58 | + */ |
|
| 59 | + public function __construct(string $appName, |
|
| 60 | + IRequest $request, |
|
| 61 | + ISession $session, |
|
| 62 | + IURLGenerator $urlGenerator) { |
|
| 63 | + parent::__construct($appName, $request, $session); |
|
| 64 | 64 | |
| 65 | - $this->urlGenerator = $urlGenerator; |
|
| 66 | - } |
|
| 65 | + $this->urlGenerator = $urlGenerator; |
|
| 66 | + } |
|
| 67 | 67 | |
| 68 | - /** |
|
| 69 | - * @PublicPage |
|
| 70 | - * @NoCSRFRequired |
|
| 71 | - * |
|
| 72 | - * Show the authentication page |
|
| 73 | - * The form has to submit to the authenticate method route |
|
| 74 | - * |
|
| 75 | - * @since 14.0.0 |
|
| 76 | - */ |
|
| 77 | - #[NoCSRFRequired] |
|
| 78 | - #[PublicPage] |
|
| 79 | - public function showAuthenticate(): TemplateResponse { |
|
| 80 | - return new TemplateResponse('core', 'publicshareauth', [], 'guest'); |
|
| 81 | - } |
|
| 68 | + /** |
|
| 69 | + * @PublicPage |
|
| 70 | + * @NoCSRFRequired |
|
| 71 | + * |
|
| 72 | + * Show the authentication page |
|
| 73 | + * The form has to submit to the authenticate method route |
|
| 74 | + * |
|
| 75 | + * @since 14.0.0 |
|
| 76 | + */ |
|
| 77 | + #[NoCSRFRequired] |
|
| 78 | + #[PublicPage] |
|
| 79 | + public function showAuthenticate(): TemplateResponse { |
|
| 80 | + return new TemplateResponse('core', 'publicshareauth', [], 'guest'); |
|
| 81 | + } |
|
| 82 | 82 | |
| 83 | - /** |
|
| 84 | - * The template to show when authentication failed |
|
| 85 | - * |
|
| 86 | - * @since 14.0.0 |
|
| 87 | - */ |
|
| 88 | - protected function showAuthFailed(): TemplateResponse { |
|
| 89 | - return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest'); |
|
| 90 | - } |
|
| 83 | + /** |
|
| 84 | + * The template to show when authentication failed |
|
| 85 | + * |
|
| 86 | + * @since 14.0.0 |
|
| 87 | + */ |
|
| 88 | + protected function showAuthFailed(): TemplateResponse { |
|
| 89 | + return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest'); |
|
| 90 | + } |
|
| 91 | 91 | |
| 92 | - /** |
|
| 93 | - * The template to show after user identification |
|
| 94 | - * |
|
| 95 | - * @since 24.0.0 |
|
| 96 | - */ |
|
| 97 | - protected function showIdentificationResult(bool $success): TemplateResponse { |
|
| 98 | - return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest'); |
|
| 99 | - } |
|
| 92 | + /** |
|
| 93 | + * The template to show after user identification |
|
| 94 | + * |
|
| 95 | + * @since 24.0.0 |
|
| 96 | + */ |
|
| 97 | + protected function showIdentificationResult(bool $success): TemplateResponse { |
|
| 98 | + return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest'); |
|
| 99 | + } |
|
| 100 | 100 | |
| 101 | - /** |
|
| 102 | - * Validates that the provided identity is allowed to receive a temporary password |
|
| 103 | - * |
|
| 104 | - * @since 24.0.0 |
|
| 105 | - */ |
|
| 106 | - protected function validateIdentity(?string $identityToken = null): bool { |
|
| 107 | - return false; |
|
| 108 | - } |
|
| 101 | + /** |
|
| 102 | + * Validates that the provided identity is allowed to receive a temporary password |
|
| 103 | + * |
|
| 104 | + * @since 24.0.0 |
|
| 105 | + */ |
|
| 106 | + protected function validateIdentity(?string $identityToken = null): bool { |
|
| 107 | + return false; |
|
| 108 | + } |
|
| 109 | 109 | |
| 110 | - /** |
|
| 111 | - * Generates a password |
|
| 112 | - * |
|
| 113 | - * @since 24.0.0 |
|
| 114 | - */ |
|
| 115 | - protected function generatePassword(): void { |
|
| 116 | - } |
|
| 110 | + /** |
|
| 111 | + * Generates a password |
|
| 112 | + * |
|
| 113 | + * @since 24.0.0 |
|
| 114 | + */ |
|
| 115 | + protected function generatePassword(): void { |
|
| 116 | + } |
|
| 117 | 117 | |
| 118 | - /** |
|
| 119 | - * Verify the password |
|
| 120 | - * |
|
| 121 | - * @since 24.0.0 |
|
| 122 | - */ |
|
| 123 | - protected function verifyPassword(string $password): bool { |
|
| 124 | - return false; |
|
| 125 | - } |
|
| 118 | + /** |
|
| 119 | + * Verify the password |
|
| 120 | + * |
|
| 121 | + * @since 24.0.0 |
|
| 122 | + */ |
|
| 123 | + protected function verifyPassword(string $password): bool { |
|
| 124 | + return false; |
|
| 125 | + } |
|
| 126 | 126 | |
| 127 | - /** |
|
| 128 | - * Function called after failed authentication |
|
| 129 | - * |
|
| 130 | - * You can use this to do some logging for example |
|
| 131 | - * |
|
| 132 | - * @since 14.0.0 |
|
| 133 | - */ |
|
| 134 | - protected function authFailed() { |
|
| 135 | - } |
|
| 127 | + /** |
|
| 128 | + * Function called after failed authentication |
|
| 129 | + * |
|
| 130 | + * You can use this to do some logging for example |
|
| 131 | + * |
|
| 132 | + * @since 14.0.0 |
|
| 133 | + */ |
|
| 134 | + protected function authFailed() { |
|
| 135 | + } |
|
| 136 | 136 | |
| 137 | - /** |
|
| 138 | - * Function called after successful authentication |
|
| 139 | - * |
|
| 140 | - * You can use this to do some logging for example |
|
| 141 | - * |
|
| 142 | - * @since 14.0.0 |
|
| 143 | - */ |
|
| 144 | - protected function authSucceeded() { |
|
| 145 | - } |
|
| 137 | + /** |
|
| 138 | + * Function called after successful authentication |
|
| 139 | + * |
|
| 140 | + * You can use this to do some logging for example |
|
| 141 | + * |
|
| 142 | + * @since 14.0.0 |
|
| 143 | + */ |
|
| 144 | + protected function authSucceeded() { |
|
| 145 | + } |
|
| 146 | 146 | |
| 147 | - /** |
|
| 148 | - * @UseSession |
|
| 149 | - * @PublicPage |
|
| 150 | - * @BruteForceProtection(action=publicLinkAuth) |
|
| 151 | - * |
|
| 152 | - * Authenticate the share |
|
| 153 | - * |
|
| 154 | - * @since 14.0.0 |
|
| 155 | - */ |
|
| 156 | - #[BruteForceProtection(action: 'publicLinkAuth')] |
|
| 157 | - #[PublicPage] |
|
| 158 | - #[UseSession] |
|
| 159 | - final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') { |
|
| 160 | - // Already authenticated |
|
| 161 | - if ($this->isAuthenticated()) { |
|
| 162 | - return $this->getRedirect(); |
|
| 163 | - } |
|
| 147 | + /** |
|
| 148 | + * @UseSession |
|
| 149 | + * @PublicPage |
|
| 150 | + * @BruteForceProtection(action=publicLinkAuth) |
|
| 151 | + * |
|
| 152 | + * Authenticate the share |
|
| 153 | + * |
|
| 154 | + * @since 14.0.0 |
|
| 155 | + */ |
|
| 156 | + #[BruteForceProtection(action: 'publicLinkAuth')] |
|
| 157 | + #[PublicPage] |
|
| 158 | + #[UseSession] |
|
| 159 | + final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') { |
|
| 160 | + // Already authenticated |
|
| 161 | + if ($this->isAuthenticated()) { |
|
| 162 | + return $this->getRedirect(); |
|
| 163 | + } |
|
| 164 | 164 | |
| 165 | - // Is user requesting a temporary password? |
|
| 166 | - if ($passwordRequest == '') { |
|
| 167 | - if ($this->validateIdentity($identityToken)) { |
|
| 168 | - $this->generatePassword(); |
|
| 169 | - $response = $this->showIdentificationResult(true); |
|
| 170 | - return $response; |
|
| 171 | - } else { |
|
| 172 | - $response = $this->showIdentificationResult(false); |
|
| 173 | - $response->throttle(); |
|
| 174 | - return $response; |
|
| 175 | - } |
|
| 176 | - } |
|
| 165 | + // Is user requesting a temporary password? |
|
| 166 | + if ($passwordRequest == '') { |
|
| 167 | + if ($this->validateIdentity($identityToken)) { |
|
| 168 | + $this->generatePassword(); |
|
| 169 | + $response = $this->showIdentificationResult(true); |
|
| 170 | + return $response; |
|
| 171 | + } else { |
|
| 172 | + $response = $this->showIdentificationResult(false); |
|
| 173 | + $response->throttle(); |
|
| 174 | + return $response; |
|
| 175 | + } |
|
| 176 | + } |
|
| 177 | 177 | |
| 178 | - if (!$this->verifyPassword($password)) { |
|
| 179 | - $this->authFailed(); |
|
| 180 | - $response = $this->showAuthFailed(); |
|
| 181 | - $response->throttle(); |
|
| 182 | - return $response; |
|
| 183 | - } |
|
| 178 | + if (!$this->verifyPassword($password)) { |
|
| 179 | + $this->authFailed(); |
|
| 180 | + $response = $this->showAuthFailed(); |
|
| 181 | + $response->throttle(); |
|
| 182 | + return $response; |
|
| 183 | + } |
|
| 184 | 184 | |
| 185 | - $this->session->regenerateId(true, true); |
|
| 186 | - $response = $this->getRedirect(); |
|
| 185 | + $this->session->regenerateId(true, true); |
|
| 186 | + $response = $this->getRedirect(); |
|
| 187 | 187 | |
| 188 | - $this->session->set('public_link_authenticated_token', $this->getToken()); |
|
| 189 | - $this->session->set('public_link_authenticated_password_hash', $this->getPasswordHash()); |
|
| 188 | + $this->session->set('public_link_authenticated_token', $this->getToken()); |
|
| 189 | + $this->session->set('public_link_authenticated_password_hash', $this->getPasswordHash()); |
|
| 190 | 190 | |
| 191 | - $this->authSucceeded(); |
|
| 191 | + $this->authSucceeded(); |
|
| 192 | 192 | |
| 193 | - return $response; |
|
| 194 | - } |
|
| 193 | + return $response; |
|
| 194 | + } |
|
| 195 | 195 | |
| 196 | - /** |
|
| 197 | - * Default landing page |
|
| 198 | - * |
|
| 199 | - * @since 14.0.0 |
|
| 200 | - */ |
|
| 201 | - abstract public function showShare(): TemplateResponse; |
|
| 196 | + /** |
|
| 197 | + * Default landing page |
|
| 198 | + * |
|
| 199 | + * @since 14.0.0 |
|
| 200 | + */ |
|
| 201 | + abstract public function showShare(): TemplateResponse; |
|
| 202 | 202 | |
| 203 | - /** |
|
| 204 | - * @since 14.0.0 |
|
| 205 | - */ |
|
| 206 | - final public function getAuthenticationRedirect(string $redirect): RedirectResponse { |
|
| 207 | - return new RedirectResponse( |
|
| 208 | - $this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect]) |
|
| 209 | - ); |
|
| 210 | - } |
|
| 203 | + /** |
|
| 204 | + * @since 14.0.0 |
|
| 205 | + */ |
|
| 206 | + final public function getAuthenticationRedirect(string $redirect): RedirectResponse { |
|
| 207 | + return new RedirectResponse( |
|
| 208 | + $this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect]) |
|
| 209 | + ); |
|
| 210 | + } |
|
| 211 | 211 | |
| 212 | 212 | |
| 213 | - /** |
|
| 214 | - * @since 14.0.0 |
|
| 215 | - */ |
|
| 216 | - private function getRoute(string $function): string { |
|
| 217 | - $app = strtolower($this->appName); |
|
| 218 | - $class = (new \ReflectionClass($this))->getShortName(); |
|
| 219 | - if (substr($class, -10) === 'Controller') { |
|
| 220 | - $class = substr($class, 0, -10); |
|
| 221 | - } |
|
| 222 | - return $app .'.'. $class .'.'. $function; |
|
| 223 | - } |
|
| 213 | + /** |
|
| 214 | + * @since 14.0.0 |
|
| 215 | + */ |
|
| 216 | + private function getRoute(string $function): string { |
|
| 217 | + $app = strtolower($this->appName); |
|
| 218 | + $class = (new \ReflectionClass($this))->getShortName(); |
|
| 219 | + if (substr($class, -10) === 'Controller') { |
|
| 220 | + $class = substr($class, 0, -10); |
|
| 221 | + } |
|
| 222 | + return $app .'.'. $class .'.'. $function; |
|
| 223 | + } |
|
| 224 | 224 | |
| 225 | - /** |
|
| 226 | - * @since 14.0.0 |
|
| 227 | - */ |
|
| 228 | - private function getRedirect(): RedirectResponse { |
|
| 229 | - //Get all the stored redirect parameters: |
|
| 230 | - $params = $this->session->get('public_link_authenticate_redirect'); |
|
| 225 | + /** |
|
| 226 | + * @since 14.0.0 |
|
| 227 | + */ |
|
| 228 | + private function getRedirect(): RedirectResponse { |
|
| 229 | + //Get all the stored redirect parameters: |
|
| 230 | + $params = $this->session->get('public_link_authenticate_redirect'); |
|
| 231 | 231 | |
| 232 | - $route = $this->getRoute('showShare'); |
|
| 232 | + $route = $this->getRoute('showShare'); |
|
| 233 | 233 | |
| 234 | - if ($params === null) { |
|
| 235 | - $params = [ |
|
| 236 | - 'token' => $this->getToken(), |
|
| 237 | - ]; |
|
| 238 | - } else { |
|
| 239 | - $params = json_decode($params, true); |
|
| 240 | - if (isset($params['_route'])) { |
|
| 241 | - $route = $params['_route']; |
|
| 242 | - unset($params['_route']); |
|
| 243 | - } |
|
| 234 | + if ($params === null) { |
|
| 235 | + $params = [ |
|
| 236 | + 'token' => $this->getToken(), |
|
| 237 | + ]; |
|
| 238 | + } else { |
|
| 239 | + $params = json_decode($params, true); |
|
| 240 | + if (isset($params['_route'])) { |
|
| 241 | + $route = $params['_route']; |
|
| 242 | + unset($params['_route']); |
|
| 243 | + } |
|
| 244 | 244 | |
| 245 | - // If the token doesn't match the rest of the arguments can't be trusted either |
|
| 246 | - if (isset($params['token']) && $params['token'] !== $this->getToken()) { |
|
| 247 | - $params = [ |
|
| 248 | - 'token' => $this->getToken(), |
|
| 249 | - ]; |
|
| 250 | - } |
|
| 245 | + // If the token doesn't match the rest of the arguments can't be trusted either |
|
| 246 | + if (isset($params['token']) && $params['token'] !== $this->getToken()) { |
|
| 247 | + $params = [ |
|
| 248 | + 'token' => $this->getToken(), |
|
| 249 | + ]; |
|
| 250 | + } |
|
| 251 | 251 | |
| 252 | - // We need a token |
|
| 253 | - if (!isset($params['token'])) { |
|
| 254 | - $params = [ |
|
| 255 | - 'token' => $this->getToken(), |
|
| 256 | - ]; |
|
| 257 | - } |
|
| 258 | - } |
|
| 252 | + // We need a token |
|
| 253 | + if (!isset($params['token'])) { |
|
| 254 | + $params = [ |
|
| 255 | + 'token' => $this->getToken(), |
|
| 256 | + ]; |
|
| 257 | + } |
|
| 258 | + } |
|
| 259 | 259 | |
| 260 | - return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params)); |
|
| 261 | - } |
|
| 260 | + return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params)); |
|
| 261 | + } |
|
| 262 | 262 | } |
@@ -36,21 +36,21 @@ |
||
| 36 | 36 | */ |
| 37 | 37 | #[Attribute(Attribute::TARGET_METHOD | Attribute::IS_REPEATABLE)] |
| 38 | 38 | class AuthorizedAdminSetting { |
| 39 | - /** |
|
| 40 | - * @param class-string<IDelegatedSettings> $settings A settings section the user needs to be able to access |
|
| 41 | - * @since 27.0.0 |
|
| 42 | - */ |
|
| 43 | - public function __construct( |
|
| 44 | - protected string $settings |
|
| 45 | - ) { |
|
| 46 | - } |
|
| 39 | + /** |
|
| 40 | + * @param class-string<IDelegatedSettings> $settings A settings section the user needs to be able to access |
|
| 41 | + * @since 27.0.0 |
|
| 42 | + */ |
|
| 43 | + public function __construct( |
|
| 44 | + protected string $settings |
|
| 45 | + ) { |
|
| 46 | + } |
|
| 47 | 47 | |
| 48 | - /** |
|
| 49 | - * |
|
| 50 | - * @return class-string<IDelegatedSettings> |
|
| 51 | - * @since 27.0.0 |
|
| 52 | - */ |
|
| 53 | - public function getSettings(): string { |
|
| 54 | - return $this->settings; |
|
| 55 | - } |
|
| 48 | + /** |
|
| 49 | + * |
|
| 50 | + * @return class-string<IDelegatedSettings> |
|
| 51 | + * @since 27.0.0 |
|
| 52 | + */ |
|
| 53 | + public function getSettings(): string { |
|
| 54 | + return $this->settings; |
|
| 55 | + } |
|
| 56 | 56 | } |
@@ -33,60 +33,60 @@ |
||
| 33 | 33 | * @since 7.0.0 |
| 34 | 34 | */ |
| 35 | 35 | abstract class ApiController extends Controller { |
| 36 | - private $corsMethods; |
|
| 37 | - private $corsAllowedHeaders; |
|
| 38 | - private $corsMaxAge; |
|
| 36 | + private $corsMethods; |
|
| 37 | + private $corsAllowedHeaders; |
|
| 38 | + private $corsMaxAge; |
|
| 39 | 39 | |
| 40 | - /** |
|
| 41 | - * constructor of the controller |
|
| 42 | - * @param string $appName the name of the app |
|
| 43 | - * @param IRequest $request an instance of the request |
|
| 44 | - * @param string $corsMethods comma separated string of HTTP verbs which |
|
| 45 | - * should be allowed for websites or webapps when calling your API, defaults to |
|
| 46 | - * 'PUT, POST, GET, DELETE, PATCH' |
|
| 47 | - * @param string $corsAllowedHeaders comma separated string of HTTP headers |
|
| 48 | - * which should be allowed for websites or webapps when calling your API, |
|
| 49 | - * defaults to 'Authorization, Content-Type, Accept' |
|
| 50 | - * @param int $corsMaxAge number in seconds how long a preflighted OPTIONS |
|
| 51 | - * request should be cached, defaults to 1728000 seconds |
|
| 52 | - * @since 7.0.0 |
|
| 53 | - */ |
|
| 54 | - public function __construct($appName, |
|
| 55 | - IRequest $request, |
|
| 56 | - $corsMethods = 'PUT, POST, GET, DELETE, PATCH', |
|
| 57 | - $corsAllowedHeaders = 'Authorization, Content-Type, Accept', |
|
| 58 | - $corsMaxAge = 1728000) { |
|
| 59 | - parent::__construct($appName, $request); |
|
| 60 | - $this->corsMethods = $corsMethods; |
|
| 61 | - $this->corsAllowedHeaders = $corsAllowedHeaders; |
|
| 62 | - $this->corsMaxAge = $corsMaxAge; |
|
| 63 | - } |
|
| 40 | + /** |
|
| 41 | + * constructor of the controller |
|
| 42 | + * @param string $appName the name of the app |
|
| 43 | + * @param IRequest $request an instance of the request |
|
| 44 | + * @param string $corsMethods comma separated string of HTTP verbs which |
|
| 45 | + * should be allowed for websites or webapps when calling your API, defaults to |
|
| 46 | + * 'PUT, POST, GET, DELETE, PATCH' |
|
| 47 | + * @param string $corsAllowedHeaders comma separated string of HTTP headers |
|
| 48 | + * which should be allowed for websites or webapps when calling your API, |
|
| 49 | + * defaults to 'Authorization, Content-Type, Accept' |
|
| 50 | + * @param int $corsMaxAge number in seconds how long a preflighted OPTIONS |
|
| 51 | + * request should be cached, defaults to 1728000 seconds |
|
| 52 | + * @since 7.0.0 |
|
| 53 | + */ |
|
| 54 | + public function __construct($appName, |
|
| 55 | + IRequest $request, |
|
| 56 | + $corsMethods = 'PUT, POST, GET, DELETE, PATCH', |
|
| 57 | + $corsAllowedHeaders = 'Authorization, Content-Type, Accept', |
|
| 58 | + $corsMaxAge = 1728000) { |
|
| 59 | + parent::__construct($appName, $request); |
|
| 60 | + $this->corsMethods = $corsMethods; |
|
| 61 | + $this->corsAllowedHeaders = $corsAllowedHeaders; |
|
| 62 | + $this->corsMaxAge = $corsMaxAge; |
|
| 63 | + } |
|
| 64 | 64 | |
| 65 | 65 | |
| 66 | - /** |
|
| 67 | - * This method implements a preflighted cors response for you that you can |
|
| 68 | - * link to for the options request |
|
| 69 | - * |
|
| 70 | - * @NoAdminRequired |
|
| 71 | - * @NoCSRFRequired |
|
| 72 | - * @PublicPage |
|
| 73 | - * @since 7.0.0 |
|
| 74 | - */ |
|
| 75 | - #[NoCSRFRequired] |
|
| 76 | - #[PublicPage] |
|
| 77 | - public function preflightedCors() { |
|
| 78 | - if (isset($this->request->server['HTTP_ORIGIN'])) { |
|
| 79 | - $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 80 | - } else { |
|
| 81 | - $origin = '*'; |
|
| 82 | - } |
|
| 66 | + /** |
|
| 67 | + * This method implements a preflighted cors response for you that you can |
|
| 68 | + * link to for the options request |
|
| 69 | + * |
|
| 70 | + * @NoAdminRequired |
|
| 71 | + * @NoCSRFRequired |
|
| 72 | + * @PublicPage |
|
| 73 | + * @since 7.0.0 |
|
| 74 | + */ |
|
| 75 | + #[NoCSRFRequired] |
|
| 76 | + #[PublicPage] |
|
| 77 | + public function preflightedCors() { |
|
| 78 | + if (isset($this->request->server['HTTP_ORIGIN'])) { |
|
| 79 | + $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 80 | + } else { |
|
| 81 | + $origin = '*'; |
|
| 82 | + } |
|
| 83 | 83 | |
| 84 | - $response = new Response(); |
|
| 85 | - $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 86 | - $response->addHeader('Access-Control-Allow-Methods', $this->corsMethods); |
|
| 87 | - $response->addHeader('Access-Control-Max-Age', (string)$this->corsMaxAge); |
|
| 88 | - $response->addHeader('Access-Control-Allow-Headers', $this->corsAllowedHeaders); |
|
| 89 | - $response->addHeader('Access-Control-Allow-Credentials', 'false'); |
|
| 90 | - return $response; |
|
| 91 | - } |
|
| 84 | + $response = new Response(); |
|
| 85 | + $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 86 | + $response->addHeader('Access-Control-Allow-Methods', $this->corsMethods); |
|
| 87 | + $response->addHeader('Access-Control-Max-Age', (string)$this->corsMaxAge); |
|
| 88 | + $response->addHeader('Access-Control-Allow-Headers', $this->corsAllowedHeaders); |
|
| 89 | + $response->addHeader('Access-Control-Allow-Credentials', 'false'); |
|
| 90 | + return $response; |
|
| 91 | + } |
|
| 92 | 92 | } |
