nextcloud / server

lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php

Indentation +167 added lines, -167 removed lines

@@ -67,103 +67,103 @@ 
  * check fails
  */
 class SecurityMiddleware extends Middleware {
-	/** @var INavigationManager */
-	private $navigationManager;
-	/** @var IRequest */
-	private $request;
-	/** @var ControllerMethodReflector */
-	private $reflector;
-	/** @var string */
-	private $appName;
-	/** @var IURLGenerator */
-	private $urlGenerator;
-	/** @var ILogger */
-	private $logger;
-	/** @var bool */
-	private $isLoggedIn;
-	/** @var bool */
-	private $isAdminUser;
-	/** @var bool */
-	private $isSubAdmin;
-	/** @var IAppManager */
-	private $appManager;
-	/** @var IL10N */
-	private $l10n;
-
-	public function __construct(IRequest $request,
-								ControllerMethodReflector $reflector,
-								INavigationManager $navigationManager,
-								IURLGenerator $urlGenerator,
-								ILogger $logger,
-								string $appName,
-								bool $isLoggedIn,
-								bool $isAdminUser,
-								bool $isSubAdmin,
-								IAppManager $appManager,
-								IL10N $l10n
-	) {
-		$this->navigationManager = $navigationManager;
-		$this->request = $request;
-		$this->reflector = $reflector;
-		$this->appName = $appName;
-		$this->urlGenerator = $urlGenerator;
-		$this->logger = $logger;
-		$this->isLoggedIn = $isLoggedIn;
-		$this->isAdminUser = $isAdminUser;
-		$this->isSubAdmin = $isSubAdmin;
-		$this->appManager = $appManager;
-		$this->l10n = $l10n;
-	}
-
-	/**
-	 * This runs all the security checks before a method call. The
-	 * security checks are determined by inspecting the controller method
-	 * annotations
-	 * @param Controller $controller the controller
-	 * @param string $methodName the name of the method
-	 * @throws SecurityException when a security check fails
-	 *
-	 * @suppress PhanUndeclaredClassConstant
-	 */
-	public function beforeController($controller, $methodName) {
-
-		// this will set the current navigation entry of the app, use this only
-		// for normal HTML requests and not for AJAX requests
-		$this->navigationManager->setActiveEntry($this->appName);
-
-		if (get_class($controller) === \OCA\Talk\Controller\PageController::class && $methodName === 'showCall') {
-			$this->navigationManager->setActiveEntry('spreed');
-		}
-
-		// security checks
-		$isPublicPage = $this->reflector->hasAnnotation('PublicPage');
-		if (!$isPublicPage) {
-			if (!$this->isLoggedIn) {
-				throw new NotLoggedInException();
-			}
-
-			if ($this->reflector->hasAnnotation('SubAdminRequired')
-				&& !$this->isSubAdmin
-				&& !$this->isAdminUser) {
-				throw new NotAdminException($this->l10n->t('Logged in user must be an admin or sub admin'));
-			}
-			if (!$this->reflector->hasAnnotation('SubAdminRequired')
-				&& !$this->reflector->hasAnnotation('NoAdminRequired')
-				&& !$this->isAdminUser) {
-				throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
-			}
-		}
-
-		// Check for strict cookie requirement
-		if ($this->reflector->hasAnnotation('StrictCookieRequired') || !$this->reflector->hasAnnotation('NoCSRFRequired')) {
-			if (!$this->request->passesStrictCookieCheck()) {
-				throw new StrictCookieMissingException();
-			}
-		}
-		// CSRF check - also registers the CSRF token since the session may be closed later
-		Util::callRegister();
-		if (!$this->reflector->hasAnnotation('NoCSRFRequired')) {
-			/*
+    /** @var INavigationManager */
+    private $navigationManager;
+    /** @var IRequest */
+    private $request;
+    /** @var ControllerMethodReflector */
+    private $reflector;
+    /** @var string */
+    private $appName;
+    /** @var IURLGenerator */
+    private $urlGenerator;
+    /** @var ILogger */
+    private $logger;
+    /** @var bool */
+    private $isLoggedIn;
+    /** @var bool */
+    private $isAdminUser;
+    /** @var bool */
+    private $isSubAdmin;
+    /** @var IAppManager */
+    private $appManager;
+    /** @var IL10N */
+    private $l10n;
+
+    public function __construct(IRequest $request,
+                                ControllerMethodReflector $reflector,
+                                INavigationManager $navigationManager,
+                                IURLGenerator $urlGenerator,
+                                ILogger $logger,
+                                string $appName,
+                                bool $isLoggedIn,
+                                bool $isAdminUser,
+                                bool $isSubAdmin,
+                                IAppManager $appManager,
+                                IL10N $l10n
+    ) {
+        $this->navigationManager = $navigationManager;
+        $this->request = $request;
+        $this->reflector = $reflector;
+        $this->appName = $appName;
+        $this->urlGenerator = $urlGenerator;
+        $this->logger = $logger;
+        $this->isLoggedIn = $isLoggedIn;
+        $this->isAdminUser = $isAdminUser;
+        $this->isSubAdmin = $isSubAdmin;
+        $this->appManager = $appManager;
+        $this->l10n = $l10n;
+    }
+
+    /**
+     * This runs all the security checks before a method call. The
+     * security checks are determined by inspecting the controller method
+     * annotations
+     * @param Controller $controller the controller
+     * @param string $methodName the name of the method
+     * @throws SecurityException when a security check fails
+     *
+     * @suppress PhanUndeclaredClassConstant
+     */
+    public function beforeController($controller, $methodName) {
+
+        // this will set the current navigation entry of the app, use this only
+        // for normal HTML requests and not for AJAX requests
+        $this->navigationManager->setActiveEntry($this->appName);
+
+        if (get_class($controller) === \OCA\Talk\Controller\PageController::class && $methodName === 'showCall') {
+            $this->navigationManager->setActiveEntry('spreed');
+        }
+
+        // security checks
+        $isPublicPage = $this->reflector->hasAnnotation('PublicPage');
+        if (!$isPublicPage) {
+            if (!$this->isLoggedIn) {
+                throw new NotLoggedInException();
+            }
+
+            if ($this->reflector->hasAnnotation('SubAdminRequired')
+                && !$this->isSubAdmin
+                && !$this->isAdminUser) {
+                throw new NotAdminException($this->l10n->t('Logged in user must be an admin or sub admin'));
+            }
+            if (!$this->reflector->hasAnnotation('SubAdminRequired')
+                && !$this->reflector->hasAnnotation('NoAdminRequired')
+                && !$this->isAdminUser) {
+                throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
+            }
+        }
+
+        // Check for strict cookie requirement
+        if ($this->reflector->hasAnnotation('StrictCookieRequired') || !$this->reflector->hasAnnotation('NoCSRFRequired')) {
+            if (!$this->request->passesStrictCookieCheck()) {
+                throw new StrictCookieMissingException();
+            }
+        }
+        // CSRF check - also registers the CSRF token since the session may be closed later
+        Util::callRegister();
+        if (!$this->reflector->hasAnnotation('NoCSRFRequired')) {
+            /*
 			 * Only allow the CSRF check to fail on OCS Requests. This kind of
 			 * hacks around that we have no full token auth in place yet and we
 			 * do want to offer CSRF checks for web requests.
@@ -171,74 +171,74 @@ 
 			 * Additionally we allow Bearer authenticated requests to pass on OCS routes.
 			 * This allows oauth apps (e.g. moodle) to use the OCS endpoints
 			 */
-			if (!$this->request->passesCSRFCheck() && !(
-					$controller instanceof OCSController && (
-						$this->request->getHeader('OCS-APIREQUEST') === 'true' ||
-						strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0
-					)
-				)) {
-				throw new CrossSiteRequestForgeryException();
-			}
-		}
-
-		/**
-		 * Checks if app is enabled (also includes a check whether user is allowed to access the resource)
-		 * The getAppPath() check is here since components such as settings also use the AppFramework and
-		 * therefore won't pass this check.
-		 * If page is public, app does not need to be enabled for current user/visitor
-		 */
-		try {
-			$appPath = $this->appManager->getAppPath($this->appName);
-		} catch (AppPathNotFoundException $e) {
-			$appPath = false;
-		}
-
-		if ($appPath !== false && !$isPublicPage && !$this->appManager->isEnabledForUser($this->appName)) {
-			throw new AppNotEnabledException();
-		}
-	}
-
-	/**
-	 * If an SecurityException is being caught, ajax requests return a JSON error
-	 * response and non ajax requests redirect to the index
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @param \Exception $exception the thrown exception
-	 * @throws \Exception the passed in exception if it can't handle it
-	 * @return Response a Response object or null in case that the exception could not be handled
-	 */
-	public function afterException($controller, $methodName, \Exception $exception): Response {
-		if ($exception instanceof SecurityException) {
-			if ($exception instanceof StrictCookieMissingException) {
-				return new RedirectResponse(\OC::$WEBROOT . '/');
-			}
-			if (stripos($this->request->getHeader('Accept'),'html') === false) {
-				$response = new JSONResponse(
-					['message' => $exception->getMessage()],
-					$exception->getCode()
-				);
-			} else {
-				if ($exception instanceof NotLoggedInException) {
-					$params = [];
-					if (isset($this->request->server['REQUEST_URI'])) {
-						$params['redirect_url'] = $this->request->server['REQUEST_URI'];
-					}
-					$url = $this->urlGenerator->linkToRoute('core.login.showLoginForm', $params);
-					$response = new RedirectResponse($url);
-				} else {
-					$response = new TemplateResponse('core', '403', ['message' => $exception->getMessage()], 'guest');
-					$response->setStatus($exception->getCode());
-				}
-			}
-
-			$this->logger->logException($exception, [
-				'level' => ILogger::DEBUG,
-				'app' => 'core',
-			]);
-			return $response;
-		}
-
-		throw $exception;
-	}
+            if (!$this->request->passesCSRFCheck() && !(
+                    $controller instanceof OCSController && (
+                        $this->request->getHeader('OCS-APIREQUEST') === 'true' ||
+                        strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0
+                    )
+                )) {
+                throw new CrossSiteRequestForgeryException();
+            }
+        }
+
+        /**
+         * Checks if app is enabled (also includes a check whether user is allowed to access the resource)
+         * The getAppPath() check is here since components such as settings also use the AppFramework and
+         * therefore won't pass this check.
+         * If page is public, app does not need to be enabled for current user/visitor
+         */
+        try {
+            $appPath = $this->appManager->getAppPath($this->appName);
+        } catch (AppPathNotFoundException $e) {
+            $appPath = false;
+        }
+
+        if ($appPath !== false && !$isPublicPage && !$this->appManager->isEnabledForUser($this->appName)) {
+            throw new AppNotEnabledException();
+        }
+    }
+
+    /**
+     * If an SecurityException is being caught, ajax requests return a JSON error
+     * response and non ajax requests redirect to the index
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @param \Exception $exception the thrown exception
+     * @throws \Exception the passed in exception if it can't handle it
+     * @return Response a Response object or null in case that the exception could not be handled
+     */
+    public function afterException($controller, $methodName, \Exception $exception): Response {
+        if ($exception instanceof SecurityException) {
+            if ($exception instanceof StrictCookieMissingException) {
+                return new RedirectResponse(\OC::$WEBROOT . '/');
+            }
+            if (stripos($this->request->getHeader('Accept'),'html') === false) {
+                $response = new JSONResponse(
+                    ['message' => $exception->getMessage()],
+                    $exception->getCode()
+                );
+            } else {
+                if ($exception instanceof NotLoggedInException) {
+                    $params = [];
+                    if (isset($this->request->server['REQUEST_URI'])) {
+                        $params['redirect_url'] = $this->request->server['REQUEST_URI'];
+                    }
+                    $url = $this->urlGenerator->linkToRoute('core.login.showLoginForm', $params);
+                    $response = new RedirectResponse($url);
+                } else {
+                    $response = new TemplateResponse('core', '403', ['message' => $exception->getMessage()], 'guest');
+                    $response->setStatus($exception->getCode());
+                }
+            }
+
+            $this->logger->logException($exception, [
+                'level' => ILogger::DEBUG,
+                'app' => 'core',
+            ]);
+            return $response;
+        }
+
+        throw $exception;
+    }
 }

Spacing +2 added lines, -2 removed lines

@@ -211,9 +211,9 @@
 	public function afterException($controller, $methodName, \Exception $exception): Response {
 		if ($exception instanceof SecurityException) {
 			if ($exception instanceof StrictCookieMissingException) {
-				return new RedirectResponse(\OC::$WEBROOT . '/');
+				return new RedirectResponse(\OC::$WEBROOT.'/');
 			}
-			if (stripos($this->request->getHeader('Accept'),'html') === false) {
+			if (stripos($this->request->getHeader('Accept'), 'html') === false) {
 				$response = new JSONResponse(
 					['message' => $exception->getMessage()],
 					$exception->getCode()