nextcloud / server

lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php

Indentation +231 added lines, -231 removed lines

@@ -76,138 +76,138 @@ 
  * check fails
  */
 class SecurityMiddleware extends Middleware {
-	/** @var INavigationManager */
-	private $navigationManager;
-	/** @var IRequest */
-	private $request;
-	/** @var ControllerMethodReflector */
-	private $reflector;
-	/** @var string */
-	private $appName;
-	/** @var IURLGenerator */
-	private $urlGenerator;
-	/** @var LoggerInterface */
-	private $logger;
-	/** @var bool */
-	private $isLoggedIn;
-	/** @var bool */
-	private $isAdminUser;
-	/** @var bool */
-	private $isSubAdmin;
-	/** @var IAppManager */
-	private $appManager;
-	/** @var IL10N */
-	private $l10n;
-	/** @var AuthorizedGroupMapper */
-	private $groupAuthorizationMapper;
-	/** @var IUserSession */
-	private $userSession;
+    /** @var INavigationManager */
+    private $navigationManager;
+    /** @var IRequest */
+    private $request;
+    /** @var ControllerMethodReflector */
+    private $reflector;
+    /** @var string */
+    private $appName;
+    /** @var IURLGenerator */
+    private $urlGenerator;
+    /** @var LoggerInterface */
+    private $logger;
+    /** @var bool */
+    private $isLoggedIn;
+    /** @var bool */
+    private $isAdminUser;
+    /** @var bool */
+    private $isSubAdmin;
+    /** @var IAppManager */
+    private $appManager;
+    /** @var IL10N */
+    private $l10n;
+    /** @var AuthorizedGroupMapper */
+    private $groupAuthorizationMapper;
+    /** @var IUserSession */
+    private $userSession;
 
-	public function __construct(IRequest $request,
-								ControllerMethodReflector $reflector,
-								INavigationManager $navigationManager,
-								IURLGenerator $urlGenerator,
-								LoggerInterface $logger,
-								string $appName,
-								bool $isLoggedIn,
-								bool $isAdminUser,
-								bool $isSubAdmin,
-								IAppManager $appManager,
-								IL10N $l10n,
-								AuthorizedGroupMapper $mapper,
-								IUserSession $userSession
-	) {
-		$this->navigationManager = $navigationManager;
-		$this->request = $request;
-		$this->reflector = $reflector;
-		$this->appName = $appName;
-		$this->urlGenerator = $urlGenerator;
-		$this->logger = $logger;
-		$this->isLoggedIn = $isLoggedIn;
-		$this->isAdminUser = $isAdminUser;
-		$this->isSubAdmin = $isSubAdmin;
-		$this->appManager = $appManager;
-		$this->l10n = $l10n;
-		$this->groupAuthorizationMapper = $mapper;
-		$this->userSession = $userSession;
-	}
+    public function __construct(IRequest $request,
+                                ControllerMethodReflector $reflector,
+                                INavigationManager $navigationManager,
+                                IURLGenerator $urlGenerator,
+                                LoggerInterface $logger,
+                                string $appName,
+                                bool $isLoggedIn,
+                                bool $isAdminUser,
+                                bool $isSubAdmin,
+                                IAppManager $appManager,
+                                IL10N $l10n,
+                                AuthorizedGroupMapper $mapper,
+                                IUserSession $userSession
+    ) {
+        $this->navigationManager = $navigationManager;
+        $this->request = $request;
+        $this->reflector = $reflector;
+        $this->appName = $appName;
+        $this->urlGenerator = $urlGenerator;
+        $this->logger = $logger;
+        $this->isLoggedIn = $isLoggedIn;
+        $this->isAdminUser = $isAdminUser;
+        $this->isSubAdmin = $isSubAdmin;
+        $this->appManager = $appManager;
+        $this->l10n = $l10n;
+        $this->groupAuthorizationMapper = $mapper;
+        $this->userSession = $userSession;
+    }
 
-	/**
-	 * This runs all the security checks before a method call. The
-	 * security checks are determined by inspecting the controller method
-	 * annotations
-	 *
-	 * @param Controller $controller the controller
-	 * @param string $methodName the name of the method
-	 * @throws SecurityException when a security check fails
-	 *
-	 * @suppress PhanUndeclaredClassConstant
-	 */
-	public function beforeController($controller, $methodName) {
-		// this will set the current navigation entry of the app, use this only
-		// for normal HTML requests and not for AJAX requests
-		$this->navigationManager->setActiveEntry($this->appName);
+    /**
+     * This runs all the security checks before a method call. The
+     * security checks are determined by inspecting the controller method
+     * annotations
+     *
+     * @param Controller $controller the controller
+     * @param string $methodName the name of the method
+     * @throws SecurityException when a security check fails
+     *
+     * @suppress PhanUndeclaredClassConstant
+     */
+    public function beforeController($controller, $methodName) {
+        // this will set the current navigation entry of the app, use this only
+        // for normal HTML requests and not for AJAX requests
+        $this->navigationManager->setActiveEntry($this->appName);
 
-		if (get_class($controller) === \OCA\Talk\Controller\PageController::class && $methodName === 'showCall') {
-			$this->navigationManager->setActiveEntry('spreed');
-		}
+        if (get_class($controller) === \OCA\Talk\Controller\PageController::class && $methodName === 'showCall') {
+            $this->navigationManager->setActiveEntry('spreed');
+        }
 
-		$reflectionMethod = new ReflectionMethod($controller, $methodName);
+        $reflectionMethod = new ReflectionMethod($controller, $methodName);
 
-		// security checks
-		$isPublicPage = $this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class);
-		if (!$isPublicPage) {
-			if (!$this->isLoggedIn) {
-				throw new NotLoggedInException();
-			}
-			$authorized = false;
-			if ($this->hasAnnotationOrAttribute($reflectionMethod, 'AuthorizedAdminSetting', AuthorizedAdminSetting::class)) {
-				$authorized = $this->isAdminUser;
+        // security checks
+        $isPublicPage = $this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class);
+        if (!$isPublicPage) {
+            if (!$this->isLoggedIn) {
+                throw new NotLoggedInException();
+            }
+            $authorized = false;
+            if ($this->hasAnnotationOrAttribute($reflectionMethod, 'AuthorizedAdminSetting', AuthorizedAdminSetting::class)) {
+                $authorized = $this->isAdminUser;
 
-				if (!$authorized && $this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)) {
-					$authorized = $this->isSubAdmin;
-				}
+                if (!$authorized && $this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)) {
+                    $authorized = $this->isSubAdmin;
+                }
 
-				if (!$authorized) {
-					$settingClasses = $this->getAuthorizedAdminSettingClasses($reflectionMethod);
-					$authorizedClasses = $this->groupAuthorizationMapper->findAllClassesForUser($this->userSession->getUser());
-					foreach ($settingClasses as $settingClass) {
-						$authorized = in_array($settingClass, $authorizedClasses, true);
+                if (!$authorized) {
+                    $settingClasses = $this->getAuthorizedAdminSettingClasses($reflectionMethod);
+                    $authorizedClasses = $this->groupAuthorizationMapper->findAllClassesForUser($this->userSession->getUser());
+                    foreach ($settingClasses as $settingClass) {
+                        $authorized = in_array($settingClass, $authorizedClasses, true);
 
-						if ($authorized) {
-							break;
-						}
-					}
-				}
-				if (!$authorized) {
-					throw new NotAdminException($this->l10n->t('Logged in user must be an admin, a sub admin or gotten special right to access this setting'));
-				}
-			}
-			if ($this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)
-				&& !$this->isSubAdmin
-				&& !$this->isAdminUser
-				&& !$authorized) {
-				throw new NotAdminException($this->l10n->t('Logged in user must be an admin or sub admin'));
-			}
-			if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)
-				&& !$this->hasAnnotationOrAttribute($reflectionMethod, 'NoAdminRequired', NoAdminRequired::class)
-				&& !$this->isAdminUser
-				&& !$authorized) {
-				throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
-			}
-		}
+                        if ($authorized) {
+                            break;
+                        }
+                    }
+                }
+                if (!$authorized) {
+                    throw new NotAdminException($this->l10n->t('Logged in user must be an admin, a sub admin or gotten special right to access this setting'));
+                }
+            }
+            if ($this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)
+                && !$this->isSubAdmin
+                && !$this->isAdminUser
+                && !$authorized) {
+                throw new NotAdminException($this->l10n->t('Logged in user must be an admin or sub admin'));
+            }
+            if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'SubAdminRequired', SubAdminRequired::class)
+                && !$this->hasAnnotationOrAttribute($reflectionMethod, 'NoAdminRequired', NoAdminRequired::class)
+                && !$this->isAdminUser
+                && !$authorized) {
+                throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
+            }
+        }
 
-		// Check for strict cookie requirement
-		if ($this->hasAnnotationOrAttribute($reflectionMethod, 'StrictCookieRequired', StrictCookiesRequired::class) ||
-			!$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) {
-			if (!$this->request->passesStrictCookieCheck()) {
-				throw new StrictCookieMissingException();
-			}
-		}
-		// CSRF check - also registers the CSRF token since the session may be closed later
-		Util::callRegister();
-		if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) {
-			/*
+        // Check for strict cookie requirement
+        if ($this->hasAnnotationOrAttribute($reflectionMethod, 'StrictCookieRequired', StrictCookiesRequired::class) ||
+            !$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) {
+            if (!$this->request->passesStrictCookieCheck()) {
+                throw new StrictCookieMissingException();
+            }
+        }
+        // CSRF check - also registers the CSRF token since the session may be closed later
+        Util::callRegister();
+        if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) {
+            /*
 			 * Only allow the CSRF check to fail on OCS Requests. This kind of
 			 * hacks around that we have no full token auth in place yet and we
 			 * do want to offer CSRF checks for web requests.
@@ -215,123 +215,123 @@ 
 			 * Additionally we allow Bearer authenticated requests to pass on OCS routes.
 			 * This allows oauth apps (e.g. moodle) to use the OCS endpoints
 			 */
-			if (!$this->request->passesCSRFCheck() && !(
-				$controller instanceof OCSController && (
-					$this->request->getHeader('OCS-APIREQUEST') === 'true' ||
-					strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0
-				)
-			)) {
-				throw new CrossSiteRequestForgeryException();
-			}
-		}
+            if (!$this->request->passesCSRFCheck() && !(
+                $controller instanceof OCSController && (
+                    $this->request->getHeader('OCS-APIREQUEST') === 'true' ||
+                    strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0
+                )
+            )) {
+                throw new CrossSiteRequestForgeryException();
+            }
+        }
 
-		/**
-		 * Checks if app is enabled (also includes a check whether user is allowed to access the resource)
-		 * The getAppPath() check is here since components such as settings also use the AppFramework and
-		 * therefore won't pass this check.
-		 * If page is public, app does not need to be enabled for current user/visitor
-		 */
-		try {
-			$appPath = $this->appManager->getAppPath($this->appName);
-		} catch (AppPathNotFoundException $e) {
-			$appPath = false;
-		}
+        /**
+         * Checks if app is enabled (also includes a check whether user is allowed to access the resource)
+         * The getAppPath() check is here since components such as settings also use the AppFramework and
+         * therefore won't pass this check.
+         * If page is public, app does not need to be enabled for current user/visitor
+         */
+        try {
+            $appPath = $this->appManager->getAppPath($this->appName);
+        } catch (AppPathNotFoundException $e) {
+            $appPath = false;
+        }
 
-		if ($appPath !== false && !$isPublicPage && !$this->appManager->isEnabledForUser($this->appName)) {
-			throw new AppNotEnabledException();
-		}
-	}
+        if ($appPath !== false && !$isPublicPage && !$this->appManager->isEnabledForUser($this->appName)) {
+            throw new AppNotEnabledException();
+        }
+    }
 
-	/**
-	 * @template T
-	 *
-	 * @param ReflectionMethod $reflectionMethod
-	 * @param string $annotationName
-	 * @param class-string<T> $attributeClass
-	 * @return boolean
-	 */
-	protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {
-		if (!empty($reflectionMethod->getAttributes($attributeClass))) {
-			return true;
-		}
+    /**
+     * @template T
+     *
+     * @param ReflectionMethod $reflectionMethod
+     * @param string $annotationName
+     * @param class-string<T> $attributeClass
+     * @return boolean
+     */
+    protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {
+        if (!empty($reflectionMethod->getAttributes($attributeClass))) {
+            return true;
+        }
 
-		if ($this->reflector->hasAnnotation($annotationName)) {
-			return true;
-		}
+        if ($this->reflector->hasAnnotation($annotationName)) {
+            return true;
+        }
 
-		return false;
-	}
+        return false;
+    }
 
-	/**
-	 * @param ReflectionMethod $reflectionMethod
-	 * @return string[]
-	 */
-	protected function getAuthorizedAdminSettingClasses(ReflectionMethod $reflectionMethod): array {
-		$classes = [];
-		if ($this->reflector->hasAnnotation('AuthorizedAdminSetting')) {
-			$classes = explode(';', $this->reflector->getAnnotationParameter('AuthorizedAdminSetting', 'settings'));
-		}
+    /**
+     * @param ReflectionMethod $reflectionMethod
+     * @return string[]
+     */
+    protected function getAuthorizedAdminSettingClasses(ReflectionMethod $reflectionMethod): array {
+        $classes = [];
+        if ($this->reflector->hasAnnotation('AuthorizedAdminSetting')) {
+            $classes = explode(';', $this->reflector->getAnnotationParameter('AuthorizedAdminSetting', 'settings'));
+        }
 
-		$attributes = $reflectionMethod->getAttributes(AuthorizedAdminSetting::class);
-		if (!empty($attributes)) {
-			foreach ($attributes as $attribute) {
-				/** @var AuthorizedAdminSetting $setting */
-				$setting = $attribute->newInstance();
-				$classes[] = $setting->getSettings();
-			}
-		}
+        $attributes = $reflectionMethod->getAttributes(AuthorizedAdminSetting::class);
+        if (!empty($attributes)) {
+            foreach ($attributes as $attribute) {
+                /** @var AuthorizedAdminSetting $setting */
+                $setting = $attribute->newInstance();
+                $classes[] = $setting->getSettings();
+            }
+        }
 
-		return $classes;
-	}
+        return $classes;
+    }
 
-	/**
-	 * If an SecurityException is being caught, ajax requests return a JSON error
-	 * response and non ajax requests redirect to the index
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @param \Exception $exception the thrown exception
-	 * @return Response a Response object or null in case that the exception could not be handled
-	 * @throws \Exception the passed in exception if it can't handle it
-	 */
-	public function afterException($controller, $methodName, \Exception $exception): Response {
-		if ($exception instanceof SecurityException) {
-			if ($exception instanceof StrictCookieMissingException) {
-				return new RedirectResponse(\OC::$WEBROOT . '/');
-			}
-			if (stripos($this->request->getHeader('Accept'), 'html') === false) {
-				$response = new JSONResponse(
-					['message' => $exception->getMessage()],
-					$exception->getCode()
-				);
-			} else {
-				if ($exception instanceof NotLoggedInException) {
-					$params = [];
-					if (isset($this->request->server['REQUEST_URI'])) {
-						$params['redirect_url'] = $this->request->server['REQUEST_URI'];
-					}
-					$usernamePrefill = $this->request->getParam('user', '');
-					if ($usernamePrefill !== '') {
-						$params['user'] = $usernamePrefill;
-					}
-					if ($this->request->getParam('direct')) {
-						$params['direct'] = 1;
-					}
-					$url = $this->urlGenerator->linkToRoute('core.login.showLoginForm', $params);
-					$response = new RedirectResponse($url);
-				} else {
-					$response = new TemplateResponse('core', '403', ['message' => $exception->getMessage()], 'guest');
-					$response->setStatus($exception->getCode());
-				}
-			}
+    /**
+     * If an SecurityException is being caught, ajax requests return a JSON error
+     * response and non ajax requests redirect to the index
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @param \Exception $exception the thrown exception
+     * @return Response a Response object or null in case that the exception could not be handled
+     * @throws \Exception the passed in exception if it can't handle it
+     */
+    public function afterException($controller, $methodName, \Exception $exception): Response {
+        if ($exception instanceof SecurityException) {
+            if ($exception instanceof StrictCookieMissingException) {
+                return new RedirectResponse(\OC::$WEBROOT . '/');
+            }
+            if (stripos($this->request->getHeader('Accept'), 'html') === false) {
+                $response = new JSONResponse(
+                    ['message' => $exception->getMessage()],
+                    $exception->getCode()
+                );
+            } else {
+                if ($exception instanceof NotLoggedInException) {
+                    $params = [];
+                    if (isset($this->request->server['REQUEST_URI'])) {
+                        $params['redirect_url'] = $this->request->server['REQUEST_URI'];
+                    }
+                    $usernamePrefill = $this->request->getParam('user', '');
+                    if ($usernamePrefill !== '') {
+                        $params['user'] = $usernamePrefill;
+                    }
+                    if ($this->request->getParam('direct')) {
+                        $params['direct'] = 1;
+                    }
+                    $url = $this->urlGenerator->linkToRoute('core.login.showLoginForm', $params);
+                    $response = new RedirectResponse($url);
+                } else {
+                    $response = new TemplateResponse('core', '403', ['message' => $exception->getMessage()], 'guest');
+                    $response->setStatus($exception->getCode());
+                }
+            }
 
-			$this->logger->debug($exception->getMessage(), [
-				'exception' => $exception,
-			]);
-			return $response;
-		}
+            $this->logger->debug($exception->getMessage(), [
+                'exception' => $exception,
+            ]);
+            return $response;
+        }
 
-		throw $exception;
-	}
+        throw $exception;
+    }
 }

lib/private/AppFramework/Middleware/Security/ReloadExecutionMiddleware.php

Indentation +23 added lines, -23 removed lines

@@ -36,32 +36,32 @@
  * a reload but if the session variable is set we properly redirect to the login page.
  */
 class ReloadExecutionMiddleware extends Middleware {
-	/** @var ISession */
-	private $session;
-	/** @var IURLGenerator */
-	private $urlGenerator;
+    /** @var ISession */
+    private $session;
+    /** @var IURLGenerator */
+    private $urlGenerator;
 
-	public function __construct(ISession $session, IURLGenerator $urlGenerator) {
-		$this->session = $session;
-		$this->urlGenerator = $urlGenerator;
-	}
+    public function __construct(ISession $session, IURLGenerator $urlGenerator) {
+        $this->session = $session;
+        $this->urlGenerator = $urlGenerator;
+    }
 
-	public function beforeController($controller, $methodName) {
-		if ($this->session->exists('clearingExecutionContexts')) {
-			throw new ReloadExecutionException();
-		}
-	}
+    public function beforeController($controller, $methodName) {
+        if ($this->session->exists('clearingExecutionContexts')) {
+            throw new ReloadExecutionException();
+        }
+    }
 
-	public function afterException($controller, $methodName, \Exception $exception) {
-		if ($exception instanceof ReloadExecutionException) {
-			$this->session->remove('clearingExecutionContexts');
+    public function afterException($controller, $methodName, \Exception $exception) {
+        if ($exception instanceof ReloadExecutionException) {
+            $this->session->remove('clearingExecutionContexts');
 
-			return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute(
-				'core.login.showLoginForm',
-				['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
-			));
-		}
+            return new RedirectResponse($this->urlGenerator->linkToRouteAbsolute(
+                'core.login.showLoginForm',
+                ['clear' => true] // this param the code in login.js may be removed when the "Clear-Site-Data" is working in the browsers
+            ));
+        }
 
-		return parent::afterException($controller, $methodName, $exception);
-	}
+        return parent::afterException($controller, $methodName, $exception);
+    }
 }

lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php

Indentation +70 added lines, -70 removed lines

@@ -35,82 +35,82 @@
 use ReflectionMethod;
 
 class PasswordConfirmationMiddleware extends Middleware {
-	/** @var ControllerMethodReflector */
-	private $reflector;
-	/** @var ISession */
-	private $session;
-	/** @var IUserSession */
-	private $userSession;
-	/** @var ITimeFactory */
-	private $timeFactory;
-	/** @var array */
-	private $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];
+    /** @var ControllerMethodReflector */
+    private $reflector;
+    /** @var ISession */
+    private $session;
+    /** @var IUserSession */
+    private $userSession;
+    /** @var ITimeFactory */
+    private $timeFactory;
+    /** @var array */
+    private $excludedUserBackEnds = ['user_saml' => true, 'user_globalsiteselector' => true];
 
-	/**
-	 * PasswordConfirmationMiddleware constructor.
-	 *
-	 * @param ControllerMethodReflector $reflector
-	 * @param ISession $session
-	 * @param IUserSession $userSession
-	 * @param ITimeFactory $timeFactory
-	 */
-	public function __construct(ControllerMethodReflector $reflector,
-								ISession $session,
-								IUserSession $userSession,
-								ITimeFactory $timeFactory) {
-		$this->reflector = $reflector;
-		$this->session = $session;
-		$this->userSession = $userSession;
-		$this->timeFactory = $timeFactory;
-	}
+    /**
+     * PasswordConfirmationMiddleware constructor.
+     *
+     * @param ControllerMethodReflector $reflector
+     * @param ISession $session
+     * @param IUserSession $userSession
+     * @param ITimeFactory $timeFactory
+     */
+    public function __construct(ControllerMethodReflector $reflector,
+                                ISession $session,
+                                IUserSession $userSession,
+                                ITimeFactory $timeFactory) {
+        $this->reflector = $reflector;
+        $this->session = $session;
+        $this->userSession = $userSession;
+        $this->timeFactory = $timeFactory;
+    }
 
-	/**
-	 * @param Controller $controller
-	 * @param string $methodName
-	 * @throws NotConfirmedException
-	 */
-	public function beforeController($controller, $methodName) {
-		$reflectionMethod = new ReflectionMethod($controller, $methodName);
+    /**
+     * @param Controller $controller
+     * @param string $methodName
+     * @throws NotConfirmedException
+     */
+    public function beforeController($controller, $methodName) {
+        $reflectionMethod = new ReflectionMethod($controller, $methodName);
 
-		if ($this->hasAnnotationOrAttribute($reflectionMethod, 'PasswordConfirmationRequired', PasswordConfirmationRequired::class)) {
-			$user = $this->userSession->getUser();
-			$backendClassName = '';
-			if ($user !== null) {
-				$backend = $user->getBackend();
-				if ($backend instanceof IPasswordConfirmationBackend) {
-					if (!$backend->canConfirmPassword($user->getUID())) {
-						return;
-					}
-				}
+        if ($this->hasAnnotationOrAttribute($reflectionMethod, 'PasswordConfirmationRequired', PasswordConfirmationRequired::class)) {
+            $user = $this->userSession->getUser();
+            $backendClassName = '';
+            if ($user !== null) {
+                $backend = $user->getBackend();
+                if ($backend instanceof IPasswordConfirmationBackend) {
+                    if (!$backend->canConfirmPassword($user->getUID())) {
+                        return;
+                    }
+                }
 
-				$backendClassName = $user->getBackendClassName();
-			}
+                $backendClassName = $user->getBackendClassName();
+            }
 
-			$lastConfirm = (int) $this->session->get('last-password-confirm');
-			// we can't check the password against a SAML backend, so skip password confirmation in this case
-			if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
-				throw new NotConfirmedException();
-			}
-		}
-	}
+            $lastConfirm = (int) $this->session->get('last-password-confirm');
+            // we can't check the password against a SAML backend, so skip password confirmation in this case
+            if (!isset($this->excludedUserBackEnds[$backendClassName]) && $lastConfirm < ($this->timeFactory->getTime() - (30 * 60 + 15))) { // allow 15 seconds delay
+                throw new NotConfirmedException();
+            }
+        }
+    }
 
-	/**
-	 * @template T
-	 *
-	 * @param ReflectionMethod $reflectionMethod
-	 * @param string $annotationName
-	 * @param class-string<T> $attributeClass
-	 * @return boolean
-	 */
-	protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {
-		if (!empty($reflectionMethod->getAttributes($attributeClass))) {
-			return true;
-		}
+    /**
+     * @template T
+     *
+     * @param ReflectionMethod $reflectionMethod
+     * @param string $annotationName
+     * @param class-string<T> $attributeClass
+     * @return boolean
+     */
+    protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {
+        if (!empty($reflectionMethod->getAttributes($attributeClass))) {
+            return true;
+        }
 
-		if ($this->reflector->hasAnnotation($annotationName)) {
-			return true;
-		}
+        if ($this->reflector->hasAnnotation($annotationName)) {
+            return true;
+        }
 
-		return false;
-	}
+        return false;
+    }
 }

lib/private/AppFramework/Middleware/Security/CORSMiddleware.php

Indentation +126 added lines, -126 removed lines

@@ -48,143 +48,143 @@
  * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
  */
 class CORSMiddleware extends Middleware {
-	/** @var IRequest  */
-	private $request;
-	/** @var ControllerMethodReflector */
-	private $reflector;
-	/** @var Session */
-	private $session;
-	/** @var Throttler */
-	private $throttler;
+    /** @var IRequest  */
+    private $request;
+    /** @var ControllerMethodReflector */
+    private $reflector;
+    /** @var Session */
+    private $session;
+    /** @var Throttler */
+    private $throttler;
 
-	/**
-	 * @param IRequest $request
-	 * @param ControllerMethodReflector $reflector
-	 * @param Session $session
-	 * @param Throttler $throttler
-	 */
-	public function __construct(IRequest $request,
-								ControllerMethodReflector $reflector,
-								Session $session,
-								Throttler $throttler) {
-		$this->request = $request;
-		$this->reflector = $reflector;
-		$this->session = $session;
-		$this->throttler = $throttler;
-	}
+    /**
+     * @param IRequest $request
+     * @param ControllerMethodReflector $reflector
+     * @param Session $session
+     * @param Throttler $throttler
+     */
+    public function __construct(IRequest $request,
+                                ControllerMethodReflector $reflector,
+                                Session $session,
+                                Throttler $throttler) {
+        $this->request = $request;
+        $this->reflector = $reflector;
+        $this->session = $session;
+        $this->throttler = $throttler;
+    }
 
-	/**
-	 * This is being run in normal order before the controller is being
-	 * called which allows several modifications and checks
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @throws SecurityException
-	 * @since 6.0.0
-	 */
-	public function beforeController($controller, $methodName) {
-		$reflectionMethod = new ReflectionMethod($controller, $methodName);
+    /**
+     * This is being run in normal order before the controller is being
+     * called which allows several modifications and checks
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @throws SecurityException
+     * @since 6.0.0
+     */
+    public function beforeController($controller, $methodName) {
+        $reflectionMethod = new ReflectionMethod($controller, $methodName);
 
-		// ensure that @CORS annotated API routes are not used in conjunction
-		// with session authentication since this enables CSRF attack vectors
-		if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class) &&
-			(!$this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class) || $this->session->isLoggedIn())) {
-			$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
-			$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
+        // ensure that @CORS annotated API routes are not used in conjunction
+        // with session authentication since this enables CSRF attack vectors
+        if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class) &&
+            (!$this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class) || $this->session->isLoggedIn())) {
+            $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
+            $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
 
-			// Allow to use the current session if a CSRF token is provided
-			if ($this->request->passesCSRFCheck()) {
-				return;
-			}
-			$this->session->logout();
-			try {
-				if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
-					throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
-				}
-			} catch (PasswordLoginForbiddenException $ex) {
-				throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
-			}
-		}
-	}
+            // Allow to use the current session if a CSRF token is provided
+            if ($this->request->passesCSRFCheck()) {
+                return;
+            }
+            $this->session->logout();
+            try {
+                if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
+                    throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
+                }
+            } catch (PasswordLoginForbiddenException $ex) {
+                throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
+            }
+        }
+    }
 
-	/**
-	 * @template T
-	 *
-	 * @param ReflectionMethod $reflectionMethod
-	 * @param string $annotationName
-	 * @param class-string<T> $attributeClass
-	 * @return boolean
-	 */
-	protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {
-		if ($this->reflector->hasAnnotation($annotationName)) {
-			return true;
-		}
+    /**
+     * @template T
+     *
+     * @param ReflectionMethod $reflectionMethod
+     * @param string $annotationName
+     * @param class-string<T> $attributeClass
+     * @return boolean
+     */
+    protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {
+        if ($this->reflector->hasAnnotation($annotationName)) {
+            return true;
+        }
 
 
-		if (!empty($reflectionMethod->getAttributes($attributeClass))) {
-			return true;
-		}
+        if (!empty($reflectionMethod->getAttributes($attributeClass))) {
+            return true;
+        }
 
-		return false;
-	}
+        return false;
+    }
 
-	/**
-	 * This is being run after a successful controller method call and allows
-	 * the manipulation of a Response object. The middleware is run in reverse order
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @param Response $response the generated response from the controller
-	 * @return Response a Response object
-	 * @throws SecurityException
-	 */
-	public function afterController($controller, $methodName, Response $response) {
-		// only react if it's a CORS request and if the request sends origin and
+    /**
+     * This is being run after a successful controller method call and allows
+     * the manipulation of a Response object. The middleware is run in reverse order
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @param Response $response the generated response from the controller
+     * @return Response a Response object
+     * @throws SecurityException
+     */
+    public function afterController($controller, $methodName, Response $response) {
+        // only react if it's a CORS request and if the request sends origin and
 
-		if (isset($this->request->server['HTTP_ORIGIN'])) {
-			$reflectionMethod = new ReflectionMethod($controller, $methodName);
-			if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class)) {
-				// allow credentials headers must not be true or CSRF is possible
-				// otherwise
-				foreach ($response->getHeaders() as $header => $value) {
-					if (strtolower($header) === 'access-control-allow-credentials' &&
-					   strtolower(trim($value)) === 'true') {
-						$msg = 'Access-Control-Allow-Credentials must not be '.
-							   'set to true in order to prevent CSRF';
-						throw new SecurityException($msg);
-					}
-				}
+        if (isset($this->request->server['HTTP_ORIGIN'])) {
+            $reflectionMethod = new ReflectionMethod($controller, $methodName);
+            if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class)) {
+                // allow credentials headers must not be true or CSRF is possible
+                // otherwise
+                foreach ($response->getHeaders() as $header => $value) {
+                    if (strtolower($header) === 'access-control-allow-credentials' &&
+                       strtolower(trim($value)) === 'true') {
+                        $msg = 'Access-Control-Allow-Credentials must not be '.
+                                'set to true in order to prevent CSRF';
+                        throw new SecurityException($msg);
+                    }
+                }
 
-				$origin = $this->request->server['HTTP_ORIGIN'];
-				$response->addHeader('Access-Control-Allow-Origin', $origin);
-			}
-		}
-		return $response;
-	}
+                $origin = $this->request->server['HTTP_ORIGIN'];
+                $response->addHeader('Access-Control-Allow-Origin', $origin);
+            }
+        }
+        return $response;
+    }
 
-	/**
-	 * If an SecurityException is being caught return a JSON error response
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @param \Exception $exception the thrown exception
-	 * @throws \Exception the passed in exception if it can't handle it
-	 * @return Response a Response object or null in case that the exception could not be handled
-	 */
-	public function afterException($controller, $methodName, \Exception $exception) {
-		if ($exception instanceof SecurityException) {
-			$response = new JSONResponse(['message' => $exception->getMessage()]);
-			if ($exception->getCode() !== 0) {
-				$response->setStatus($exception->getCode());
-			} else {
-				$response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
-			}
-			return $response;
-		}
+    /**
+     * If an SecurityException is being caught return a JSON error response
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @param \Exception $exception the thrown exception
+     * @throws \Exception the passed in exception if it can't handle it
+     * @return Response a Response object or null in case that the exception could not be handled
+     */
+    public function afterException($controller, $methodName, \Exception $exception) {
+        if ($exception instanceof SecurityException) {
+            $response = new JSONResponse(['message' => $exception->getMessage()]);
+            if ($exception->getCode() !== 0) {
+                $response->setStatus($exception->getCode());
+            } else {
+                $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
+            }
+            return $response;
+        }
 
-		throw $exception;
-	}
+        throw $exception;
+    }
 }

lib/public/AppFramework/AuthPublicShareController.php

Indentation +182 added lines, -182 removed lines

@@ -50,213 +50,213 @@
  * @since 14.0.0
  */
 abstract class AuthPublicShareController extends PublicShareController {
-	/** @var IURLGenerator */
-	protected $urlGenerator;
+    /** @var IURLGenerator */
+    protected $urlGenerator;
 
-	/**
-	 * @since 14.0.0
-	 */
-	public function __construct(string $appName,
-								IRequest $request,
-								ISession $session,
-								IURLGenerator $urlGenerator) {
-		parent::__construct($appName, $request, $session);
+    /**
+     * @since 14.0.0
+     */
+    public function __construct(string $appName,
+                                IRequest $request,
+                                ISession $session,
+                                IURLGenerator $urlGenerator) {
+        parent::__construct($appName, $request, $session);
 
-		$this->urlGenerator = $urlGenerator;
-	}
+        $this->urlGenerator = $urlGenerator;
+    }
 
-	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 *
-	 * Show the authentication page
-	 * The form has to submit to the authenticate method route
-	 *
-	 * @since 14.0.0
-	 */
-	#[NoCSRFRequired]
-	#[PublicPage]
-	public function showAuthenticate(): TemplateResponse {
-		return new TemplateResponse('core', 'publicshareauth', [], 'guest');
-	}
+    /**
+     * @PublicPage
+     * @NoCSRFRequired
+     *
+     * Show the authentication page
+     * The form has to submit to the authenticate method route
+     *
+     * @since 14.0.0
+     */
+    #[NoCSRFRequired]
+    #[PublicPage]
+    public function showAuthenticate(): TemplateResponse {
+        return new TemplateResponse('core', 'publicshareauth', [], 'guest');
+    }
 
-	/**
-	 * The template to show when authentication failed
-	 *
-	 * @since 14.0.0
-	 */
-	protected function showAuthFailed(): TemplateResponse {
-		return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
-	}
+    /**
+     * The template to show when authentication failed
+     *
+     * @since 14.0.0
+     */
+    protected function showAuthFailed(): TemplateResponse {
+        return new TemplateResponse('core', 'publicshareauth', ['wrongpw' => true], 'guest');
+    }
 
-	/**
-	 * The template to show after user identification
-	 *
-	 * @since 24.0.0
-	 */
-	protected function showIdentificationResult(bool $success): TemplateResponse {
-		return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest');
-	}
+    /**
+     * The template to show after user identification
+     *
+     * @since 24.0.0
+     */
+    protected function showIdentificationResult(bool $success): TemplateResponse {
+        return new TemplateResponse('core', 'publicshareauth', ['identityOk' => $success], 'guest');
+    }
 
-	/**
-	 * Validates that the provided identity is allowed to receive a temporary password
-	 *
-	 * @since 24.0.0
-	 */
-	protected function validateIdentity(?string $identityToken = null): bool {
-		return false;
-	}
+    /**
+     * Validates that the provided identity is allowed to receive a temporary password
+     *
+     * @since 24.0.0
+     */
+    protected function validateIdentity(?string $identityToken = null): bool {
+        return false;
+    }
 
-	/**
-	 * Generates a password
-	 *
-	 * @since 24.0.0
-	 */
-	protected function generatePassword(): void {
-	}
+    /**
+     * Generates a password
+     *
+     * @since 24.0.0
+     */
+    protected function generatePassword(): void {
+    }
 
-	/**
-	 * Verify the password
-	 *
-	 * @since 24.0.0
-	 */
-	protected function verifyPassword(string $password): bool {
-		return false;
-	}
+    /**
+     * Verify the password
+     *
+     * @since 24.0.0
+     */
+    protected function verifyPassword(string $password): bool {
+        return false;
+    }
 
-	/**
-	 * Function called after failed authentication
-	 *
-	 * You can use this to do some logging for example
-	 *
-	 * @since 14.0.0
-	 */
-	protected function authFailed() {
-	}
+    /**
+     * Function called after failed authentication
+     *
+     * You can use this to do some logging for example
+     *
+     * @since 14.0.0
+     */
+    protected function authFailed() {
+    }
 
-	/**
-	 * Function called after successful authentication
-	 *
-	 * You can use this to do some logging for example
-	 *
-	 * @since 14.0.0
-	 */
-	protected function authSucceeded() {
-	}
+    /**
+     * Function called after successful authentication
+     *
+     * You can use this to do some logging for example
+     *
+     * @since 14.0.0
+     */
+    protected function authSucceeded() {
+    }
 
-	/**
-	 * @UseSession
-	 * @PublicPage
-	 * @BruteForceProtection(action=publicLinkAuth)
-	 *
-	 * Authenticate the share
-	 *
-	 * @since 14.0.0
-	 */
-	#[BruteForceProtection(action: 'publicLinkAuth')]
-	#[PublicPage]
-	#[UseSession]
-	final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') {
-		// Already authenticated
-		if ($this->isAuthenticated()) {
-			return $this->getRedirect();
-		}
+    /**
+     * @UseSession
+     * @PublicPage
+     * @BruteForceProtection(action=publicLinkAuth)
+     *
+     * Authenticate the share
+     *
+     * @since 14.0.0
+     */
+    #[BruteForceProtection(action: 'publicLinkAuth')]
+    #[PublicPage]
+    #[UseSession]
+    final public function authenticate(string $password = '', string $passwordRequest = 'no', string $identityToken = '') {
+        // Already authenticated
+        if ($this->isAuthenticated()) {
+            return $this->getRedirect();
+        }
 
-		// Is user requesting a temporary password?
-		if ($passwordRequest == '') {
-			if ($this->validateIdentity($identityToken)) {
-				$this->generatePassword();
-				$response = $this->showIdentificationResult(true);
-				return $response;
-			} else {
-				$response = $this->showIdentificationResult(false);
-				$response->throttle();
-				return $response;
-			}
-		}
+        // Is user requesting a temporary password?
+        if ($passwordRequest == '') {
+            if ($this->validateIdentity($identityToken)) {
+                $this->generatePassword();
+                $response = $this->showIdentificationResult(true);
+                return $response;
+            } else {
+                $response = $this->showIdentificationResult(false);
+                $response->throttle();
+                return $response;
+            }
+        }
 
-		if (!$this->verifyPassword($password)) {
-			$this->authFailed();
-			$response = $this->showAuthFailed();
-			$response->throttle();
-			return $response;
-		}
+        if (!$this->verifyPassword($password)) {
+            $this->authFailed();
+            $response = $this->showAuthFailed();
+            $response->throttle();
+            return $response;
+        }
 
-		$this->session->regenerateId(true, true);
-		$response = $this->getRedirect();
+        $this->session->regenerateId(true, true);
+        $response = $this->getRedirect();
 
-		$this->session->set('public_link_authenticated_token', $this->getToken());
-		$this->session->set('public_link_authenticated_password_hash', $this->getPasswordHash());
+        $this->session->set('public_link_authenticated_token', $this->getToken());
+        $this->session->set('public_link_authenticated_password_hash', $this->getPasswordHash());
 
-		$this->authSucceeded();
+        $this->authSucceeded();
 
-		return $response;
-	}
+        return $response;
+    }
 
-	/**
-	 * Default landing page
-	 *
-	 * @since 14.0.0
-	 */
-	abstract public function showShare(): TemplateResponse;
+    /**
+     * Default landing page
+     *
+     * @since 14.0.0
+     */
+    abstract public function showShare(): TemplateResponse;
 
-	/**
-	 * @since 14.0.0
-	 */
-	final public function getAuthenticationRedirect(string $redirect): RedirectResponse {
-		return new RedirectResponse(
-			$this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect])
-		);
-	}
+    /**
+     * @since 14.0.0
+     */
+    final public function getAuthenticationRedirect(string $redirect): RedirectResponse {
+        return new RedirectResponse(
+            $this->urlGenerator->linkToRoute($this->getRoute('showAuthenticate'), ['token' => $this->getToken(), 'redirect' => $redirect])
+        );
+    }
 
 
-	/**
-	 * @since 14.0.0
-	 */
-	private function getRoute(string $function): string {
-		$app = strtolower($this->appName);
-		$class = (new \ReflectionClass($this))->getShortName();
-		if (substr($class, -10) === 'Controller') {
-			$class = substr($class, 0, -10);
-		}
-		return $app .'.'. $class .'.'. $function;
-	}
+    /**
+     * @since 14.0.0
+     */
+    private function getRoute(string $function): string {
+        $app = strtolower($this->appName);
+        $class = (new \ReflectionClass($this))->getShortName();
+        if (substr($class, -10) === 'Controller') {
+            $class = substr($class, 0, -10);
+        }
+        return $app .'.'. $class .'.'. $function;
+    }
 
-	/**
-	 * @since 14.0.0
-	 */
-	private function getRedirect(): RedirectResponse {
-		//Get all the stored redirect parameters:
-		$params = $this->session->get('public_link_authenticate_redirect');
+    /**
+     * @since 14.0.0
+     */
+    private function getRedirect(): RedirectResponse {
+        //Get all the stored redirect parameters:
+        $params = $this->session->get('public_link_authenticate_redirect');
 
-		$route = $this->getRoute('showShare');
+        $route = $this->getRoute('showShare');
 
-		if ($params === null) {
-			$params = [
-				'token' => $this->getToken(),
-			];
-		} else {
-			$params = json_decode($params, true);
-			if (isset($params['_route'])) {
-				$route = $params['_route'];
-				unset($params['_route']);
-			}
+        if ($params === null) {
+            $params = [
+                'token' => $this->getToken(),
+            ];
+        } else {
+            $params = json_decode($params, true);
+            if (isset($params['_route'])) {
+                $route = $params['_route'];
+                unset($params['_route']);
+            }
 
-			// If the token doesn't match the rest of the arguments can't be trusted either
-			if (isset($params['token']) && $params['token'] !== $this->getToken()) {
-				$params = [
-					'token' => $this->getToken(),
-				];
-			}
+            // If the token doesn't match the rest of the arguments can't be trusted either
+            if (isset($params['token']) && $params['token'] !== $this->getToken()) {
+                $params = [
+                    'token' => $this->getToken(),
+                ];
+            }
 
-			// We need a token
-			if (!isset($params['token'])) {
-				$params = [
-					'token' => $this->getToken(),
-				];
-			}
-		}
+            // We need a token
+            if (!isset($params['token'])) {
+                $params = [
+                    'token' => $this->getToken(),
+                ];
+            }
+        }
 
-		return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params));
-	}
+        return new RedirectResponse($this->urlGenerator->linkToRoute($route, $params));
+    }
 }

lib/public/AppFramework/Http/Attribute/AuthorizedAdminSetting.php

Indentation +16 added lines, -16 removed lines

@@ -36,21 +36,21 @@
  */
 #[Attribute(Attribute::TARGET_METHOD | Attribute::IS_REPEATABLE)]
 class AuthorizedAdminSetting {
-	/**
-	 * @param class-string<IDelegatedSettings> $settings A settings section the user needs to be able to access
-	 * @since 27.0.0
-	 */
-	public function __construct(
-		protected string $settings
-	) {
-	}
+    /**
+     * @param class-string<IDelegatedSettings> $settings A settings section the user needs to be able to access
+     * @since 27.0.0
+     */
+    public function __construct(
+        protected string $settings
+    ) {
+    }
 
-	/**
-	 *
-	 * @return class-string<IDelegatedSettings>
-	 * @since 27.0.0
-	 */
-	public function getSettings(): string {
-		return $this->settings;
-	}
+    /**
+     *
+     * @return class-string<IDelegatedSettings>
+     * @since 27.0.0
+     */
+    public function getSettings(): string {
+        return $this->settings;
+    }
 }

lib/public/AppFramework/ApiController.php

Indentation +52 added lines, -52 removed lines

@@ -33,60 +33,60 @@
  * @since 7.0.0
  */
 abstract class ApiController extends Controller {
-	private $corsMethods;
-	private $corsAllowedHeaders;
-	private $corsMaxAge;
+    private $corsMethods;
+    private $corsAllowedHeaders;
+    private $corsMaxAge;
 
-	/**
-	 * constructor of the controller
-	 * @param string $appName the name of the app
-	 * @param IRequest $request an instance of the request
-	 * @param string $corsMethods comma separated string of HTTP verbs which
-	 * should be allowed for websites or webapps when calling your API, defaults to
-	 * 'PUT, POST, GET, DELETE, PATCH'
-	 * @param string $corsAllowedHeaders comma separated string of HTTP headers
-	 * which should be allowed for websites or webapps when calling your API,
-	 * defaults to 'Authorization, Content-Type, Accept'
-	 * @param int $corsMaxAge number in seconds how long a preflighted OPTIONS
-	 * request should be cached, defaults to 1728000 seconds
-	 * @since 7.0.0
-	 */
-	public function __construct($appName,
-								IRequest $request,
-								$corsMethods = 'PUT, POST, GET, DELETE, PATCH',
-								$corsAllowedHeaders = 'Authorization, Content-Type, Accept',
-								$corsMaxAge = 1728000) {
-		parent::__construct($appName, $request);
-		$this->corsMethods = $corsMethods;
-		$this->corsAllowedHeaders = $corsAllowedHeaders;
-		$this->corsMaxAge = $corsMaxAge;
-	}
+    /**
+     * constructor of the controller
+     * @param string $appName the name of the app
+     * @param IRequest $request an instance of the request
+     * @param string $corsMethods comma separated string of HTTP verbs which
+     * should be allowed for websites or webapps when calling your API, defaults to
+     * 'PUT, POST, GET, DELETE, PATCH'
+     * @param string $corsAllowedHeaders comma separated string of HTTP headers
+     * which should be allowed for websites or webapps when calling your API,
+     * defaults to 'Authorization, Content-Type, Accept'
+     * @param int $corsMaxAge number in seconds how long a preflighted OPTIONS
+     * request should be cached, defaults to 1728000 seconds
+     * @since 7.0.0
+     */
+    public function __construct($appName,
+                                IRequest $request,
+                                $corsMethods = 'PUT, POST, GET, DELETE, PATCH',
+                                $corsAllowedHeaders = 'Authorization, Content-Type, Accept',
+                                $corsMaxAge = 1728000) {
+        parent::__construct($appName, $request);
+        $this->corsMethods = $corsMethods;
+        $this->corsAllowedHeaders = $corsAllowedHeaders;
+        $this->corsMaxAge = $corsMaxAge;
+    }
 
 
-	/**
-	 * This method implements a preflighted cors response for you that you can
-	 * link to for the options request
-	 *
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @PublicPage
-	 * @since 7.0.0
-	 */
-	#[NoCSRFRequired]
-	#[PublicPage]
-	public function preflightedCors() {
-		if (isset($this->request->server['HTTP_ORIGIN'])) {
-			$origin = $this->request->server['HTTP_ORIGIN'];
-		} else {
-			$origin = '*';
-		}
+    /**
+     * This method implements a preflighted cors response for you that you can
+     * link to for the options request
+     *
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @PublicPage
+     * @since 7.0.0
+     */
+    #[NoCSRFRequired]
+    #[PublicPage]
+    public function preflightedCors() {
+        if (isset($this->request->server['HTTP_ORIGIN'])) {
+            $origin = $this->request->server['HTTP_ORIGIN'];
+        } else {
+            $origin = '*';
+        }
 
-		$response = new Response();
-		$response->addHeader('Access-Control-Allow-Origin', $origin);
-		$response->addHeader('Access-Control-Allow-Methods', $this->corsMethods);
-		$response->addHeader('Access-Control-Max-Age', (string)$this->corsMaxAge);
-		$response->addHeader('Access-Control-Allow-Headers', $this->corsAllowedHeaders);
-		$response->addHeader('Access-Control-Allow-Credentials', 'false');
-		return $response;
-	}
+        $response = new Response();
+        $response->addHeader('Access-Control-Allow-Origin', $origin);
+        $response->addHeader('Access-Control-Allow-Methods', $this->corsMethods);
+        $response->addHeader('Access-Control-Max-Age', (string)$this->corsMaxAge);
+        $response->addHeader('Access-Control-Allow-Headers', $this->corsAllowedHeaders);
+        $response->addHeader('Access-Control-Allow-Credentials', 'false');
+        return $response;
+    }
 }