nextcloud /
server
@@ -43,69 +43,69 @@ |
||
| 43 | 43 | abstract class Middleware { |
| 44 | 44 | |
| 45 | 45 | |
| 46 | - /** |
|
| 47 | - * This is being run in normal order before the controller is being |
|
| 48 | - * called which allows several modifications and checks |
|
| 49 | - * |
|
| 50 | - * @param Controller $controller the controller that is being called |
|
| 51 | - * @param string $methodName the name of the method that will be called on |
|
| 52 | - * the controller |
|
| 53 | - * @since 6.0.0 |
|
| 54 | - */ |
|
| 55 | - public function beforeController(Controller $controller, $methodName){ |
|
| 46 | + /** |
|
| 47 | + * This is being run in normal order before the controller is being |
|
| 48 | + * called which allows several modifications and checks |
|
| 49 | + * |
|
| 50 | + * @param Controller $controller the controller that is being called |
|
| 51 | + * @param string $methodName the name of the method that will be called on |
|
| 52 | + * the controller |
|
| 53 | + * @since 6.0.0 |
|
| 54 | + */ |
|
| 55 | + public function beforeController(Controller $controller, $methodName){ |
|
| 56 | 56 | |
| 57 | - } |
|
| 57 | + } |
|
| 58 | 58 | |
| 59 | 59 | |
| 60 | - /** |
|
| 61 | - * This is being run when either the beforeController method or the |
|
| 62 | - * controller method itself is throwing an exception. The middleware is |
|
| 63 | - * asked in reverse order to handle the exception and to return a response. |
|
| 64 | - * If the response is null, it is assumed that the exception could not be |
|
| 65 | - * handled and the error will be thrown again |
|
| 66 | - * |
|
| 67 | - * @param Controller $controller the controller that is being called |
|
| 68 | - * @param string $methodName the name of the method that will be called on |
|
| 69 | - * the controller |
|
| 70 | - * @param \Exception $exception the thrown exception |
|
| 71 | - * @throws \Exception the passed in exception if it can't handle it |
|
| 72 | - * @return Response a Response object in case that the exception was handled |
|
| 73 | - * @since 6.0.0 |
|
| 74 | - */ |
|
| 75 | - public function afterException(Controller $controller, $methodName, \Exception $exception){ |
|
| 76 | - throw $exception; |
|
| 77 | - } |
|
| 60 | + /** |
|
| 61 | + * This is being run when either the beforeController method or the |
|
| 62 | + * controller method itself is throwing an exception. The middleware is |
|
| 63 | + * asked in reverse order to handle the exception and to return a response. |
|
| 64 | + * If the response is null, it is assumed that the exception could not be |
|
| 65 | + * handled and the error will be thrown again |
|
| 66 | + * |
|
| 67 | + * @param Controller $controller the controller that is being called |
|
| 68 | + * @param string $methodName the name of the method that will be called on |
|
| 69 | + * the controller |
|
| 70 | + * @param \Exception $exception the thrown exception |
|
| 71 | + * @throws \Exception the passed in exception if it can't handle it |
|
| 72 | + * @return Response a Response object in case that the exception was handled |
|
| 73 | + * @since 6.0.0 |
|
| 74 | + */ |
|
| 75 | + public function afterException(Controller $controller, $methodName, \Exception $exception){ |
|
| 76 | + throw $exception; |
|
| 77 | + } |
|
| 78 | 78 | |
| 79 | 79 | |
| 80 | - /** |
|
| 81 | - * This is being run after a successful controllermethod call and allows |
|
| 82 | - * the manipulation of a Response object. The middleware is run in reverse order |
|
| 83 | - * |
|
| 84 | - * @param Controller $controller the controller that is being called |
|
| 85 | - * @param string $methodName the name of the method that will be called on |
|
| 86 | - * the controller |
|
| 87 | - * @param Response $response the generated response from the controller |
|
| 88 | - * @return Response a Response object |
|
| 89 | - * @since 6.0.0 |
|
| 90 | - */ |
|
| 91 | - public function afterController(Controller $controller, $methodName, Response $response){ |
|
| 92 | - return $response; |
|
| 93 | - } |
|
| 80 | + /** |
|
| 81 | + * This is being run after a successful controllermethod call and allows |
|
| 82 | + * the manipulation of a Response object. The middleware is run in reverse order |
|
| 83 | + * |
|
| 84 | + * @param Controller $controller the controller that is being called |
|
| 85 | + * @param string $methodName the name of the method that will be called on |
|
| 86 | + * the controller |
|
| 87 | + * @param Response $response the generated response from the controller |
|
| 88 | + * @return Response a Response object |
|
| 89 | + * @since 6.0.0 |
|
| 90 | + */ |
|
| 91 | + public function afterController(Controller $controller, $methodName, Response $response){ |
|
| 92 | + return $response; |
|
| 93 | + } |
|
| 94 | 94 | |
| 95 | 95 | |
| 96 | - /** |
|
| 97 | - * This is being run after the response object has been rendered and |
|
| 98 | - * allows the manipulation of the output. The middleware is run in reverse order |
|
| 99 | - * |
|
| 100 | - * @param Controller $controller the controller that is being called |
|
| 101 | - * @param string $methodName the name of the method that will be called on |
|
| 102 | - * the controller |
|
| 103 | - * @param string $output the generated output from a response |
|
| 104 | - * @return string the output that should be printed |
|
| 105 | - * @since 6.0.0 |
|
| 106 | - */ |
|
| 107 | - public function beforeOutput(Controller $controller, $methodName, $output){ |
|
| 108 | - return $output; |
|
| 109 | - } |
|
| 96 | + /** |
|
| 97 | + * This is being run after the response object has been rendered and |
|
| 98 | + * allows the manipulation of the output. The middleware is run in reverse order |
|
| 99 | + * |
|
| 100 | + * @param Controller $controller the controller that is being called |
|
| 101 | + * @param string $methodName the name of the method that will be called on |
|
| 102 | + * the controller |
|
| 103 | + * @param string $output the generated output from a response |
|
| 104 | + * @return string the output that should be printed |
|
| 105 | + * @since 6.0.0 |
|
| 106 | + */ |
|
| 107 | + public function beforeOutput(Controller $controller, $methodName, $output){ |
|
| 108 | + return $output; |
|
| 109 | + } |
|
| 110 | 110 | |
| 111 | 111 | } |
@@ -52,7 +52,7 @@ discard block |
||
| 52 | 52 | * the controller |
| 53 | 53 | * @since 6.0.0 |
| 54 | 54 | */ |
| 55 | - public function beforeController(Controller $controller, $methodName){ |
|
| 55 | + public function beforeController(Controller $controller, $methodName) { |
|
| 56 | 56 | |
| 57 | 57 | } |
| 58 | 58 | |
@@ -72,7 +72,7 @@ discard block |
||
| 72 | 72 | * @return Response a Response object in case that the exception was handled |
| 73 | 73 | * @since 6.0.0 |
| 74 | 74 | */ |
| 75 | - public function afterException(Controller $controller, $methodName, \Exception $exception){ |
|
| 75 | + public function afterException(Controller $controller, $methodName, \Exception $exception) { |
|
| 76 | 76 | throw $exception; |
| 77 | 77 | } |
| 78 | 78 | |
@@ -88,7 +88,7 @@ discard block |
||
| 88 | 88 | * @return Response a Response object |
| 89 | 89 | * @since 6.0.0 |
| 90 | 90 | */ |
| 91 | - public function afterController(Controller $controller, $methodName, Response $response){ |
|
| 91 | + public function afterController(Controller $controller, $methodName, Response $response) { |
|
| 92 | 92 | return $response; |
| 93 | 93 | } |
| 94 | 94 | |
@@ -104,7 +104,7 @@ discard block |
||
| 104 | 104 | * @return string the output that should be printed |
| 105 | 105 | * @since 6.0.0 |
| 106 | 106 | */ |
| 107 | - public function beforeOutput(Controller $controller, $methodName, $output){ |
|
| 107 | + public function beforeOutput(Controller $controller, $methodName, $output) { |
|
| 108 | 108 | return $output; |
| 109 | 109 | } |
| 110 | 110 | |
@@ -104,6 +104,9 @@ |
||
| 104 | 104 | // TODO: dont check/enforce 2FA if a auth token is used |
| 105 | 105 | } |
| 106 | 106 | |
| 107 | + /** |
|
| 108 | + * @param string $methodName |
|
| 109 | + */ |
|
| 107 | 110 | private function checkTwoFactor(Controller $controller, $methodName, IUser $user) { |
| 108 | 111 | // If two-factor auth is in progress disallow access to any controllers |
| 109 | 112 | // defined within "LoginController". |
@@ -41,100 +41,100 @@ |
||
| 41 | 41 | |
| 42 | 42 | class TwoFactorMiddleware extends Middleware { |
| 43 | 43 | |
| 44 | - /** @var Manager */ |
|
| 45 | - private $twoFactorManager; |
|
| 46 | - |
|
| 47 | - /** @var Session */ |
|
| 48 | - private $userSession; |
|
| 49 | - |
|
| 50 | - /** @var ISession */ |
|
| 51 | - private $session; |
|
| 52 | - |
|
| 53 | - /** @var IURLGenerator */ |
|
| 54 | - private $urlGenerator; |
|
| 55 | - |
|
| 56 | - /** @var IControllerMethodReflector */ |
|
| 57 | - private $reflector; |
|
| 58 | - |
|
| 59 | - /** @var IRequest */ |
|
| 60 | - private $request; |
|
| 61 | - |
|
| 62 | - /** |
|
| 63 | - * @param Manager $twoFactorManager |
|
| 64 | - * @param Session $userSession |
|
| 65 | - * @param ISession $session |
|
| 66 | - * @param IURLGenerator $urlGenerator |
|
| 67 | - */ |
|
| 68 | - public function __construct(Manager $twoFactorManager, Session $userSession, ISession $session, |
|
| 69 | - IURLGenerator $urlGenerator, IControllerMethodReflector $reflector, IRequest $request) { |
|
| 70 | - $this->twoFactorManager = $twoFactorManager; |
|
| 71 | - $this->userSession = $userSession; |
|
| 72 | - $this->session = $session; |
|
| 73 | - $this->urlGenerator = $urlGenerator; |
|
| 74 | - $this->reflector = $reflector; |
|
| 75 | - $this->request = $request; |
|
| 76 | - } |
|
| 77 | - |
|
| 78 | - /** |
|
| 79 | - * @param Controller $controller |
|
| 80 | - * @param string $methodName |
|
| 81 | - */ |
|
| 82 | - public function beforeController(Controller $controller, $methodName) { |
|
| 83 | - if ($this->reflector->hasAnnotation('PublicPage')) { |
|
| 84 | - // Don't block public pages |
|
| 85 | - return; |
|
| 86 | - } |
|
| 87 | - |
|
| 88 | - if ($controller instanceof LoginController && $methodName === 'logout') { |
|
| 89 | - // Don't block the logout page, to allow canceling the 2FA |
|
| 90 | - return; |
|
| 91 | - } |
|
| 92 | - |
|
| 93 | - if ($this->userSession->isLoggedIn()) { |
|
| 94 | - $user = $this->userSession->getUser(); |
|
| 95 | - |
|
| 96 | - if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) { |
|
| 97 | - $this->checkTwoFactor($controller, $methodName, $user); |
|
| 98 | - } else if ($controller instanceof TwoFactorChallengeController) { |
|
| 99 | - // Allow access to the two-factor controllers only if two-factor authentication |
|
| 100 | - // is in progress. |
|
| 101 | - throw new UserAlreadyLoggedInException(); |
|
| 102 | - } |
|
| 103 | - } |
|
| 104 | - // TODO: dont check/enforce 2FA if a auth token is used |
|
| 105 | - } |
|
| 106 | - |
|
| 107 | - private function checkTwoFactor(Controller $controller, $methodName, IUser $user) { |
|
| 108 | - // If two-factor auth is in progress disallow access to any controllers |
|
| 109 | - // defined within "LoginController". |
|
| 110 | - $needsSecondFactor = $this->twoFactorManager->needsSecondFactor($user); |
|
| 111 | - $twoFactor = $controller instanceof TwoFactorChallengeController; |
|
| 112 | - |
|
| 113 | - // Disallow access to any controller if 2FA needs to be checked |
|
| 114 | - if ($needsSecondFactor && !$twoFactor) { |
|
| 115 | - throw new TwoFactorAuthRequiredException(); |
|
| 116 | - } |
|
| 117 | - |
|
| 118 | - // Allow access to the two-factor controllers only if two-factor authentication |
|
| 119 | - // is in progress. |
|
| 120 | - if (!$needsSecondFactor && $twoFactor) { |
|
| 121 | - throw new UserAlreadyLoggedInException(); |
|
| 122 | - } |
|
| 123 | - } |
|
| 124 | - |
|
| 125 | - public function afterException(Controller $controller, $methodName, Exception $exception) { |
|
| 126 | - if ($exception instanceof TwoFactorAuthRequiredException) { |
|
| 127 | - $params = []; |
|
| 128 | - if (isset($this->request->server['REQUEST_URI'])) { |
|
| 129 | - $params['redirect_url'] = $this->request->server['REQUEST_URI']; |
|
| 130 | - } |
|
| 131 | - return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', $params)); |
|
| 132 | - } |
|
| 133 | - if ($exception instanceof UserAlreadyLoggedInException) { |
|
| 134 | - return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); |
|
| 135 | - } |
|
| 136 | - |
|
| 137 | - throw $exception; |
|
| 138 | - } |
|
| 44 | + /** @var Manager */ |
|
| 45 | + private $twoFactorManager; |
|
| 46 | + |
|
| 47 | + /** @var Session */ |
|
| 48 | + private $userSession; |
|
| 49 | + |
|
| 50 | + /** @var ISession */ |
|
| 51 | + private $session; |
|
| 52 | + |
|
| 53 | + /** @var IURLGenerator */ |
|
| 54 | + private $urlGenerator; |
|
| 55 | + |
|
| 56 | + /** @var IControllerMethodReflector */ |
|
| 57 | + private $reflector; |
|
| 58 | + |
|
| 59 | + /** @var IRequest */ |
|
| 60 | + private $request; |
|
| 61 | + |
|
| 62 | + /** |
|
| 63 | + * @param Manager $twoFactorManager |
|
| 64 | + * @param Session $userSession |
|
| 65 | + * @param ISession $session |
|
| 66 | + * @param IURLGenerator $urlGenerator |
|
| 67 | + */ |
|
| 68 | + public function __construct(Manager $twoFactorManager, Session $userSession, ISession $session, |
|
| 69 | + IURLGenerator $urlGenerator, IControllerMethodReflector $reflector, IRequest $request) { |
|
| 70 | + $this->twoFactorManager = $twoFactorManager; |
|
| 71 | + $this->userSession = $userSession; |
|
| 72 | + $this->session = $session; |
|
| 73 | + $this->urlGenerator = $urlGenerator; |
|
| 74 | + $this->reflector = $reflector; |
|
| 75 | + $this->request = $request; |
|
| 76 | + } |
|
| 77 | + |
|
| 78 | + /** |
|
| 79 | + * @param Controller $controller |
|
| 80 | + * @param string $methodName |
|
| 81 | + */ |
|
| 82 | + public function beforeController(Controller $controller, $methodName) { |
|
| 83 | + if ($this->reflector->hasAnnotation('PublicPage')) { |
|
| 84 | + // Don't block public pages |
|
| 85 | + return; |
|
| 86 | + } |
|
| 87 | + |
|
| 88 | + if ($controller instanceof LoginController && $methodName === 'logout') { |
|
| 89 | + // Don't block the logout page, to allow canceling the 2FA |
|
| 90 | + return; |
|
| 91 | + } |
|
| 92 | + |
|
| 93 | + if ($this->userSession->isLoggedIn()) { |
|
| 94 | + $user = $this->userSession->getUser(); |
|
| 95 | + |
|
| 96 | + if ($this->twoFactorManager->isTwoFactorAuthenticated($user)) { |
|
| 97 | + $this->checkTwoFactor($controller, $methodName, $user); |
|
| 98 | + } else if ($controller instanceof TwoFactorChallengeController) { |
|
| 99 | + // Allow access to the two-factor controllers only if two-factor authentication |
|
| 100 | + // is in progress. |
|
| 101 | + throw new UserAlreadyLoggedInException(); |
|
| 102 | + } |
|
| 103 | + } |
|
| 104 | + // TODO: dont check/enforce 2FA if a auth token is used |
|
| 105 | + } |
|
| 106 | + |
|
| 107 | + private function checkTwoFactor(Controller $controller, $methodName, IUser $user) { |
|
| 108 | + // If two-factor auth is in progress disallow access to any controllers |
|
| 109 | + // defined within "LoginController". |
|
| 110 | + $needsSecondFactor = $this->twoFactorManager->needsSecondFactor($user); |
|
| 111 | + $twoFactor = $controller instanceof TwoFactorChallengeController; |
|
| 112 | + |
|
| 113 | + // Disallow access to any controller if 2FA needs to be checked |
|
| 114 | + if ($needsSecondFactor && !$twoFactor) { |
|
| 115 | + throw new TwoFactorAuthRequiredException(); |
|
| 116 | + } |
|
| 117 | + |
|
| 118 | + // Allow access to the two-factor controllers only if two-factor authentication |
|
| 119 | + // is in progress. |
|
| 120 | + if (!$needsSecondFactor && $twoFactor) { |
|
| 121 | + throw new UserAlreadyLoggedInException(); |
|
| 122 | + } |
|
| 123 | + } |
|
| 124 | + |
|
| 125 | + public function afterException(Controller $controller, $methodName, Exception $exception) { |
|
| 126 | + if ($exception instanceof TwoFactorAuthRequiredException) { |
|
| 127 | + $params = []; |
|
| 128 | + if (isset($this->request->server['REQUEST_URI'])) { |
|
| 129 | + $params['redirect_url'] = $this->request->server['REQUEST_URI']; |
|
| 130 | + } |
|
| 131 | + return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', $params)); |
|
| 132 | + } |
|
| 133 | + if ($exception instanceof UserAlreadyLoggedInException) { |
|
| 134 | + return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); |
|
| 135 | + } |
|
| 136 | + |
|
| 137 | + throw $exception; |
|
| 138 | + } |
|
| 139 | 139 | |
| 140 | 140 | } |
@@ -47,20 +47,20 @@ discard block |
||
| 47 | 47 | */ |
| 48 | 48 | class SharingCheckMiddleware extends Middleware { |
| 49 | 49 | |
| 50 | - /** @var string */ |
|
| 51 | - protected $appName; |
|
| 52 | - /** @var IConfig */ |
|
| 53 | - protected $config; |
|
| 54 | - /** @var IAppManager */ |
|
| 55 | - protected $appManager; |
|
| 56 | - /** @var IControllerMethodReflector */ |
|
| 57 | - protected $reflector; |
|
| 58 | - /** @var IManager */ |
|
| 59 | - protected $shareManager; |
|
| 60 | - /** @var IRequest */ |
|
| 61 | - protected $request; |
|
| 62 | - |
|
| 63 | - /*** |
|
| 50 | + /** @var string */ |
|
| 51 | + protected $appName; |
|
| 52 | + /** @var IConfig */ |
|
| 53 | + protected $config; |
|
| 54 | + /** @var IAppManager */ |
|
| 55 | + protected $appManager; |
|
| 56 | + /** @var IControllerMethodReflector */ |
|
| 57 | + protected $reflector; |
|
| 58 | + /** @var IManager */ |
|
| 59 | + protected $shareManager; |
|
| 60 | + /** @var IRequest */ |
|
| 61 | + protected $request; |
|
| 62 | + |
|
| 63 | + /*** |
|
| 64 | 64 | * @param string $appName |
| 65 | 65 | * @param IConfig $config |
| 66 | 66 | * @param IAppManager $appManager |
@@ -68,118 +68,118 @@ discard block |
||
| 68 | 68 | * @param IManager $shareManager |
| 69 | 69 | * @param IRequest $request |
| 70 | 70 | */ |
| 71 | - public function __construct($appName, |
|
| 72 | - IConfig $config, |
|
| 73 | - IAppManager $appManager, |
|
| 74 | - IControllerMethodReflector $reflector, |
|
| 75 | - IManager $shareManager, |
|
| 76 | - IRequest $request |
|
| 77 | - ) { |
|
| 78 | - $this->appName = $appName; |
|
| 79 | - $this->config = $config; |
|
| 80 | - $this->appManager = $appManager; |
|
| 81 | - $this->reflector = $reflector; |
|
| 82 | - $this->shareManager = $shareManager; |
|
| 83 | - $this->request = $request; |
|
| 84 | - } |
|
| 85 | - |
|
| 86 | - /** |
|
| 87 | - * Check if sharing is enabled before the controllers is executed |
|
| 88 | - * |
|
| 89 | - * @param Controller $controller |
|
| 90 | - * @param string $methodName |
|
| 91 | - * @throws NotFoundException |
|
| 92 | - * @throws S2SException |
|
| 93 | - * @throws ShareNotFound |
|
| 94 | - */ |
|
| 95 | - public function beforeController(Controller $controller, $methodName) { |
|
| 96 | - if(!$this->isSharingEnabled()) { |
|
| 97 | - throw new NotFoundException('Sharing is disabled.'); |
|
| 98 | - } |
|
| 99 | - |
|
| 100 | - if ($controller instanceof ExternalSharesController && |
|
| 101 | - !$this->externalSharesChecks()) { |
|
| 102 | - throw new S2SException('Federated sharing not allowed'); |
|
| 103 | - } else if ($controller instanceof ShareController) { |
|
| 104 | - $token = $this->request->getParam('token'); |
|
| 105 | - $share = $this->shareManager->getShareByToken($token); |
|
| 106 | - if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK |
|
| 107 | - && !$this->isLinkSharingEnabled()) { |
|
| 108 | - throw new NotFoundException('Link sharing is disabled'); |
|
| 109 | - } |
|
| 110 | - } |
|
| 111 | - } |
|
| 112 | - |
|
| 113 | - /** |
|
| 114 | - * Return 404 page in case of a not found exception |
|
| 115 | - * |
|
| 116 | - * @param Controller $controller |
|
| 117 | - * @param string $methodName |
|
| 118 | - * @param \Exception $exception |
|
| 119 | - * @return NotFoundResponse |
|
| 120 | - * @throws \Exception |
|
| 121 | - */ |
|
| 122 | - public function afterException(Controller $controller, $methodName, \Exception $exception) { |
|
| 123 | - if(is_a($exception, '\OCP\Files\NotFoundException')) { |
|
| 124 | - return new NotFoundResponse(); |
|
| 125 | - } |
|
| 126 | - |
|
| 127 | - if (is_a($exception, '\OCA\Files_Sharing\Exceptions\S2SException')) { |
|
| 128 | - return new JSONResponse($exception->getMessage(), 405); |
|
| 129 | - } |
|
| 130 | - |
|
| 131 | - throw $exception; |
|
| 132 | - } |
|
| 133 | - |
|
| 134 | - /** |
|
| 135 | - * Checks for externalshares controller |
|
| 136 | - * @return bool |
|
| 137 | - */ |
|
| 138 | - private function externalSharesChecks() { |
|
| 139 | - |
|
| 140 | - if (!$this->reflector->hasAnnotation('NoIncomingFederatedSharingRequired') && |
|
| 141 | - $this->config->getAppValue('files_sharing', 'incoming_server2server_share_enabled', 'yes') !== 'yes') { |
|
| 142 | - return false; |
|
| 143 | - } |
|
| 144 | - |
|
| 145 | - if (!$this->reflector->hasAnnotation('NoOutgoingFederatedSharingRequired') && |
|
| 146 | - $this->config->getAppValue('files_sharing', 'outgoing_server2server_share_enabled', 'yes') !== 'yes') { |
|
| 147 | - return false; |
|
| 148 | - } |
|
| 149 | - |
|
| 150 | - return true; |
|
| 151 | - } |
|
| 152 | - |
|
| 153 | - /** |
|
| 154 | - * Check whether sharing is enabled |
|
| 155 | - * @return bool |
|
| 156 | - */ |
|
| 157 | - private function isSharingEnabled() { |
|
| 158 | - // FIXME: This check is done here since the route is globally defined and not inside the files_sharing app |
|
| 159 | - // Check whether the sharing application is enabled |
|
| 160 | - if(!$this->appManager->isEnabledForUser($this->appName)) { |
|
| 161 | - return false; |
|
| 162 | - } |
|
| 163 | - |
|
| 164 | - return true; |
|
| 165 | - } |
|
| 166 | - |
|
| 167 | - /** |
|
| 168 | - * Check if link sharing is allowed |
|
| 169 | - * @return bool |
|
| 170 | - */ |
|
| 171 | - private function isLinkSharingEnabled() { |
|
| 172 | - // Check if the shareAPI is enabled |
|
| 173 | - if ($this->config->getAppValue('core', 'shareapi_enabled', 'yes') !== 'yes') { |
|
| 174 | - return false; |
|
| 175 | - } |
|
| 176 | - |
|
| 177 | - // Check whether public sharing is enabled |
|
| 178 | - if($this->config->getAppValue('core', 'shareapi_allow_links', 'yes') !== 'yes') { |
|
| 179 | - return false; |
|
| 180 | - } |
|
| 181 | - |
|
| 182 | - return true; |
|
| 183 | - } |
|
| 71 | + public function __construct($appName, |
|
| 72 | + IConfig $config, |
|
| 73 | + IAppManager $appManager, |
|
| 74 | + IControllerMethodReflector $reflector, |
|
| 75 | + IManager $shareManager, |
|
| 76 | + IRequest $request |
|
| 77 | + ) { |
|
| 78 | + $this->appName = $appName; |
|
| 79 | + $this->config = $config; |
|
| 80 | + $this->appManager = $appManager; |
|
| 81 | + $this->reflector = $reflector; |
|
| 82 | + $this->shareManager = $shareManager; |
|
| 83 | + $this->request = $request; |
|
| 84 | + } |
|
| 85 | + |
|
| 86 | + /** |
|
| 87 | + * Check if sharing is enabled before the controllers is executed |
|
| 88 | + * |
|
| 89 | + * @param Controller $controller |
|
| 90 | + * @param string $methodName |
|
| 91 | + * @throws NotFoundException |
|
| 92 | + * @throws S2SException |
|
| 93 | + * @throws ShareNotFound |
|
| 94 | + */ |
|
| 95 | + public function beforeController(Controller $controller, $methodName) { |
|
| 96 | + if(!$this->isSharingEnabled()) { |
|
| 97 | + throw new NotFoundException('Sharing is disabled.'); |
|
| 98 | + } |
|
| 99 | + |
|
| 100 | + if ($controller instanceof ExternalSharesController && |
|
| 101 | + !$this->externalSharesChecks()) { |
|
| 102 | + throw new S2SException('Federated sharing not allowed'); |
|
| 103 | + } else if ($controller instanceof ShareController) { |
|
| 104 | + $token = $this->request->getParam('token'); |
|
| 105 | + $share = $this->shareManager->getShareByToken($token); |
|
| 106 | + if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK |
|
| 107 | + && !$this->isLinkSharingEnabled()) { |
|
| 108 | + throw new NotFoundException('Link sharing is disabled'); |
|
| 109 | + } |
|
| 110 | + } |
|
| 111 | + } |
|
| 112 | + |
|
| 113 | + /** |
|
| 114 | + * Return 404 page in case of a not found exception |
|
| 115 | + * |
|
| 116 | + * @param Controller $controller |
|
| 117 | + * @param string $methodName |
|
| 118 | + * @param \Exception $exception |
|
| 119 | + * @return NotFoundResponse |
|
| 120 | + * @throws \Exception |
|
| 121 | + */ |
|
| 122 | + public function afterException(Controller $controller, $methodName, \Exception $exception) { |
|
| 123 | + if(is_a($exception, '\OCP\Files\NotFoundException')) { |
|
| 124 | + return new NotFoundResponse(); |
|
| 125 | + } |
|
| 126 | + |
|
| 127 | + if (is_a($exception, '\OCA\Files_Sharing\Exceptions\S2SException')) { |
|
| 128 | + return new JSONResponse($exception->getMessage(), 405); |
|
| 129 | + } |
|
| 130 | + |
|
| 131 | + throw $exception; |
|
| 132 | + } |
|
| 133 | + |
|
| 134 | + /** |
|
| 135 | + * Checks for externalshares controller |
|
| 136 | + * @return bool |
|
| 137 | + */ |
|
| 138 | + private function externalSharesChecks() { |
|
| 139 | + |
|
| 140 | + if (!$this->reflector->hasAnnotation('NoIncomingFederatedSharingRequired') && |
|
| 141 | + $this->config->getAppValue('files_sharing', 'incoming_server2server_share_enabled', 'yes') !== 'yes') { |
|
| 142 | + return false; |
|
| 143 | + } |
|
| 144 | + |
|
| 145 | + if (!$this->reflector->hasAnnotation('NoOutgoingFederatedSharingRequired') && |
|
| 146 | + $this->config->getAppValue('files_sharing', 'outgoing_server2server_share_enabled', 'yes') !== 'yes') { |
|
| 147 | + return false; |
|
| 148 | + } |
|
| 149 | + |
|
| 150 | + return true; |
|
| 151 | + } |
|
| 152 | + |
|
| 153 | + /** |
|
| 154 | + * Check whether sharing is enabled |
|
| 155 | + * @return bool |
|
| 156 | + */ |
|
| 157 | + private function isSharingEnabled() { |
|
| 158 | + // FIXME: This check is done here since the route is globally defined and not inside the files_sharing app |
|
| 159 | + // Check whether the sharing application is enabled |
|
| 160 | + if(!$this->appManager->isEnabledForUser($this->appName)) { |
|
| 161 | + return false; |
|
| 162 | + } |
|
| 163 | + |
|
| 164 | + return true; |
|
| 165 | + } |
|
| 166 | + |
|
| 167 | + /** |
|
| 168 | + * Check if link sharing is allowed |
|
| 169 | + * @return bool |
|
| 170 | + */ |
|
| 171 | + private function isLinkSharingEnabled() { |
|
| 172 | + // Check if the shareAPI is enabled |
|
| 173 | + if ($this->config->getAppValue('core', 'shareapi_enabled', 'yes') !== 'yes') { |
|
| 174 | + return false; |
|
| 175 | + } |
|
| 176 | + |
|
| 177 | + // Check whether public sharing is enabled |
|
| 178 | + if($this->config->getAppValue('core', 'shareapi_allow_links', 'yes') !== 'yes') { |
|
| 179 | + return false; |
|
| 180 | + } |
|
| 181 | + |
|
| 182 | + return true; |
|
| 183 | + } |
|
| 184 | 184 | |
| 185 | 185 | } |
@@ -93,7 +93,7 @@ discard block |
||
| 93 | 93 | * @throws ShareNotFound |
| 94 | 94 | */ |
| 95 | 95 | public function beforeController(Controller $controller, $methodName) { |
| 96 | - if(!$this->isSharingEnabled()) { |
|
| 96 | + if (!$this->isSharingEnabled()) { |
|
| 97 | 97 | throw new NotFoundException('Sharing is disabled.'); |
| 98 | 98 | } |
| 99 | 99 | |
@@ -120,7 +120,7 @@ discard block |
||
| 120 | 120 | * @throws \Exception |
| 121 | 121 | */ |
| 122 | 122 | public function afterException(Controller $controller, $methodName, \Exception $exception) { |
| 123 | - if(is_a($exception, '\OCP\Files\NotFoundException')) { |
|
| 123 | + if (is_a($exception, '\OCP\Files\NotFoundException')) { |
|
| 124 | 124 | return new NotFoundResponse(); |
| 125 | 125 | } |
| 126 | 126 | |
@@ -157,7 +157,7 @@ discard block |
||
| 157 | 157 | private function isSharingEnabled() { |
| 158 | 158 | // FIXME: This check is done here since the route is globally defined and not inside the files_sharing app |
| 159 | 159 | // Check whether the sharing application is enabled |
| 160 | - if(!$this->appManager->isEnabledForUser($this->appName)) { |
|
| 160 | + if (!$this->appManager->isEnabledForUser($this->appName)) { |
|
| 161 | 161 | return false; |
| 162 | 162 | } |
| 163 | 163 | |
@@ -175,7 +175,7 @@ discard block |
||
| 175 | 175 | } |
| 176 | 176 | |
| 177 | 177 | // Check whether public sharing is enabled |
| 178 | - if($this->config->getAppValue('core', 'shareapi_allow_links', 'yes') !== 'yes') { |
|
| 178 | + if ($this->config->getAppValue('core', 'shareapi_allow_links', 'yes') !== 'yes') { |
|
| 179 | 179 | return false; |
| 180 | 180 | } |
| 181 | 181 | |
@@ -11,43 +11,43 @@ |
||
| 11 | 11 | use OCP\Share\IManager; |
| 12 | 12 | |
| 13 | 13 | class OCSShareAPIMiddleware extends Middleware { |
| 14 | - /** @var IManager */ |
|
| 15 | - private $shareManager; |
|
| 16 | - /** @var IL10N */ |
|
| 17 | - private $l; |
|
| 14 | + /** @var IManager */ |
|
| 15 | + private $shareManager; |
|
| 16 | + /** @var IL10N */ |
|
| 17 | + private $l; |
|
| 18 | 18 | |
| 19 | - public function __construct(IManager $shareManager, |
|
| 20 | - IL10N $l) { |
|
| 21 | - $this->shareManager = $shareManager; |
|
| 22 | - $this->l = $l; |
|
| 23 | - } |
|
| 19 | + public function __construct(IManager $shareManager, |
|
| 20 | + IL10N $l) { |
|
| 21 | + $this->shareManager = $shareManager; |
|
| 22 | + $this->l = $l; |
|
| 23 | + } |
|
| 24 | 24 | |
| 25 | - /** |
|
| 26 | - * @param Controller $controller |
|
| 27 | - * @param string $methodName |
|
| 28 | - * |
|
| 29 | - * @throws OCSNotFoundException |
|
| 30 | - */ |
|
| 31 | - public function beforeController(Controller $controller, $methodName) { |
|
| 32 | - if ($controller instanceof ShareAPIController) { |
|
| 33 | - if (!$this->shareManager->shareApiEnabled()) { |
|
| 34 | - throw new OCSNotFoundException($this->l->t('Share API is disabled')); |
|
| 35 | - } |
|
| 36 | - } |
|
| 37 | - } |
|
| 25 | + /** |
|
| 26 | + * @param Controller $controller |
|
| 27 | + * @param string $methodName |
|
| 28 | + * |
|
| 29 | + * @throws OCSNotFoundException |
|
| 30 | + */ |
|
| 31 | + public function beforeController(Controller $controller, $methodName) { |
|
| 32 | + if ($controller instanceof ShareAPIController) { |
|
| 33 | + if (!$this->shareManager->shareApiEnabled()) { |
|
| 34 | + throw new OCSNotFoundException($this->l->t('Share API is disabled')); |
|
| 35 | + } |
|
| 36 | + } |
|
| 37 | + } |
|
| 38 | 38 | |
| 39 | - /** |
|
| 40 | - * @param Controller $controller |
|
| 41 | - * @param string $methodName |
|
| 42 | - * @param Response $response |
|
| 43 | - * @return Response |
|
| 44 | - */ |
|
| 45 | - public function afterController(Controller $controller, $methodName, Response $response) { |
|
| 46 | - if ($controller instanceof ShareAPIController) { |
|
| 47 | - /** @var ShareAPIController $controller */ |
|
| 48 | - $controller->cleanup(); |
|
| 49 | - } |
|
| 39 | + /** |
|
| 40 | + * @param Controller $controller |
|
| 41 | + * @param string $methodName |
|
| 42 | + * @param Response $response |
|
| 43 | + * @return Response |
|
| 44 | + */ |
|
| 45 | + public function afterController(Controller $controller, $methodName, Response $response) { |
|
| 46 | + if ($controller instanceof ShareAPIController) { |
|
| 47 | + /** @var ShareAPIController $controller */ |
|
| 48 | + $controller->cleanup(); |
|
| 49 | + } |
|
| 50 | 50 | |
| 51 | - return $response; |
|
| 52 | - } |
|
| 51 | + return $response; |
|
| 52 | + } |
|
| 53 | 53 | } |
@@ -11,55 +11,55 @@ |
||
| 11 | 11 | |
| 12 | 12 | class ProvisioningApiMiddleware extends Middleware { |
| 13 | 13 | |
| 14 | - /** @var IControllerMethodReflector */ |
|
| 15 | - private $reflector; |
|
| 14 | + /** @var IControllerMethodReflector */ |
|
| 15 | + private $reflector; |
|
| 16 | 16 | |
| 17 | - /** @var bool */ |
|
| 18 | - private $isAdmin; |
|
| 17 | + /** @var bool */ |
|
| 18 | + private $isAdmin; |
|
| 19 | 19 | |
| 20 | - /** @var bool */ |
|
| 21 | - private $isSubAdmin; |
|
| 20 | + /** @var bool */ |
|
| 21 | + private $isSubAdmin; |
|
| 22 | 22 | |
| 23 | - /** |
|
| 24 | - * ProvisioningApiMiddleware constructor. |
|
| 25 | - * |
|
| 26 | - * @param IControllerMethodReflector $reflector |
|
| 27 | - * @param bool $isAdmin |
|
| 28 | - * @param bool $isSubAdmin |
|
| 29 | - */ |
|
| 30 | - public function __construct( |
|
| 31 | - IControllerMethodReflector $reflector, |
|
| 32 | - $isAdmin, |
|
| 33 | - $isSubAdmin) { |
|
| 34 | - $this->reflector = $reflector; |
|
| 35 | - $this->isAdmin = $isAdmin; |
|
| 36 | - $this->isSubAdmin = $isSubAdmin; |
|
| 37 | - } |
|
| 23 | + /** |
|
| 24 | + * ProvisioningApiMiddleware constructor. |
|
| 25 | + * |
|
| 26 | + * @param IControllerMethodReflector $reflector |
|
| 27 | + * @param bool $isAdmin |
|
| 28 | + * @param bool $isSubAdmin |
|
| 29 | + */ |
|
| 30 | + public function __construct( |
|
| 31 | + IControllerMethodReflector $reflector, |
|
| 32 | + $isAdmin, |
|
| 33 | + $isSubAdmin) { |
|
| 34 | + $this->reflector = $reflector; |
|
| 35 | + $this->isAdmin = $isAdmin; |
|
| 36 | + $this->isSubAdmin = $isSubAdmin; |
|
| 37 | + } |
|
| 38 | 38 | |
| 39 | - /** |
|
| 40 | - * @param Controller $controller |
|
| 41 | - * @param string $methodName |
|
| 42 | - * |
|
| 43 | - * @throws NotSubAdminException |
|
| 44 | - */ |
|
| 45 | - public function beforeController(Controller $controller, $methodName) { |
|
| 46 | - if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin) { |
|
| 47 | - throw new NotSubAdminException(); |
|
| 48 | - } |
|
| 49 | - } |
|
| 39 | + /** |
|
| 40 | + * @param Controller $controller |
|
| 41 | + * @param string $methodName |
|
| 42 | + * |
|
| 43 | + * @throws NotSubAdminException |
|
| 44 | + */ |
|
| 45 | + public function beforeController(Controller $controller, $methodName) { |
|
| 46 | + if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin) { |
|
| 47 | + throw new NotSubAdminException(); |
|
| 48 | + } |
|
| 49 | + } |
|
| 50 | 50 | |
| 51 | - /** |
|
| 52 | - * @param Controller $controller |
|
| 53 | - * @param string $methodName |
|
| 54 | - * @param \Exception $exception |
|
| 55 | - * @throws \Exception |
|
| 56 | - * @return Response |
|
| 57 | - */ |
|
| 58 | - public function afterException(Controller $controller, $methodName, \Exception $exception) { |
|
| 59 | - if ($exception instanceof NotSubAdminException) { |
|
| 60 | - throw new OCSException($exception->getMessage(), \OCP\API::RESPOND_UNAUTHORISED); |
|
| 61 | - } |
|
| 51 | + /** |
|
| 52 | + * @param Controller $controller |
|
| 53 | + * @param string $methodName |
|
| 54 | + * @param \Exception $exception |
|
| 55 | + * @throws \Exception |
|
| 56 | + * @return Response |
|
| 57 | + */ |
|
| 58 | + public function afterException(Controller $controller, $methodName, \Exception $exception) { |
|
| 59 | + if ($exception instanceof NotSubAdminException) { |
|
| 60 | + throw new OCSException($exception->getMessage(), \OCP\API::RESPOND_UNAUTHORISED); |
|
| 61 | + } |
|
| 62 | 62 | |
| 63 | - throw $exception; |
|
| 64 | - } |
|
| 63 | + throw $exception; |
|
| 64 | + } |
|
| 65 | 65 | } |
@@ -32,52 +32,52 @@ |
||
| 32 | 32 | |
| 33 | 33 | class SessionMiddleware extends Middleware { |
| 34 | 34 | |
| 35 | - /** |
|
| 36 | - * @var IRequest |
|
| 37 | - */ |
|
| 38 | - private $request; |
|
| 35 | + /** |
|
| 36 | + * @var IRequest |
|
| 37 | + */ |
|
| 38 | + private $request; |
|
| 39 | 39 | |
| 40 | - /** |
|
| 41 | - * @var ControllerMethodReflector |
|
| 42 | - */ |
|
| 43 | - private $reflector; |
|
| 40 | + /** |
|
| 41 | + * @var ControllerMethodReflector |
|
| 42 | + */ |
|
| 43 | + private $reflector; |
|
| 44 | 44 | |
| 45 | - /** |
|
| 46 | - * @param IRequest $request |
|
| 47 | - * @param ControllerMethodReflector $reflector |
|
| 48 | - */ |
|
| 49 | - public function __construct(IRequest $request, |
|
| 50 | - ControllerMethodReflector $reflector, |
|
| 51 | - ISession $session |
|
| 45 | + /** |
|
| 46 | + * @param IRequest $request |
|
| 47 | + * @param ControllerMethodReflector $reflector |
|
| 48 | + */ |
|
| 49 | + public function __construct(IRequest $request, |
|
| 50 | + ControllerMethodReflector $reflector, |
|
| 51 | + ISession $session |
|
| 52 | 52 | ) { |
| 53 | - $this->request = $request; |
|
| 54 | - $this->reflector = $reflector; |
|
| 55 | - $this->session = $session; |
|
| 56 | - } |
|
| 53 | + $this->request = $request; |
|
| 54 | + $this->reflector = $reflector; |
|
| 55 | + $this->session = $session; |
|
| 56 | + } |
|
| 57 | 57 | |
| 58 | - /** |
|
| 59 | - * @param Controller $controller |
|
| 60 | - * @param string $methodName |
|
| 61 | - */ |
|
| 62 | - public function beforeController(Controller $controller, $methodName) { |
|
| 63 | - $useSession = $this->reflector->hasAnnotation('UseSession'); |
|
| 64 | - if (!$useSession) { |
|
| 65 | - $this->session->close(); |
|
| 66 | - } |
|
| 67 | - } |
|
| 58 | + /** |
|
| 59 | + * @param Controller $controller |
|
| 60 | + * @param string $methodName |
|
| 61 | + */ |
|
| 62 | + public function beforeController(Controller $controller, $methodName) { |
|
| 63 | + $useSession = $this->reflector->hasAnnotation('UseSession'); |
|
| 64 | + if (!$useSession) { |
|
| 65 | + $this->session->close(); |
|
| 66 | + } |
|
| 67 | + } |
|
| 68 | 68 | |
| 69 | - /** |
|
| 70 | - * @param Controller $controller |
|
| 71 | - * @param string $methodName |
|
| 72 | - * @param Response $response |
|
| 73 | - * @return Response |
|
| 74 | - */ |
|
| 75 | - public function afterController(Controller $controller, $methodName, Response $response){ |
|
| 76 | - $useSession = $this->reflector->hasAnnotation('UseSession'); |
|
| 77 | - if ($useSession) { |
|
| 78 | - $this->session->close(); |
|
| 79 | - } |
|
| 80 | - return $response; |
|
| 81 | - } |
|
| 69 | + /** |
|
| 70 | + * @param Controller $controller |
|
| 71 | + * @param string $methodName |
|
| 72 | + * @param Response $response |
|
| 73 | + * @return Response |
|
| 74 | + */ |
|
| 75 | + public function afterController(Controller $controller, $methodName, Response $response){ |
|
| 76 | + $useSession = $this->reflector->hasAnnotation('UseSession'); |
|
| 77 | + if ($useSession) { |
|
| 78 | + $this->session->close(); |
|
| 79 | + } |
|
| 80 | + return $response; |
|
| 81 | + } |
|
| 82 | 82 | |
| 83 | 83 | } |
@@ -72,7 +72,7 @@ |
||
| 72 | 72 | * @param Response $response |
| 73 | 73 | * @return Response |
| 74 | 74 | */ |
| 75 | - public function afterController(Controller $controller, $methodName, Response $response){ |
|
| 75 | + public function afterController(Controller $controller, $methodName, Response $response) { |
|
| 76 | 76 | $useSession = $this->reflector->hasAnnotation('UseSession'); |
| 77 | 77 | if ($useSession) { |
| 78 | 78 | $this->session->close(); |
@@ -36,49 +36,49 @@ |
||
| 36 | 36 | * @package OC\AppFramework\Middleware\Security |
| 37 | 37 | */ |
| 38 | 38 | class BruteForceMiddleware extends Middleware { |
| 39 | - /** @var ControllerMethodReflector */ |
|
| 40 | - private $reflector; |
|
| 41 | - /** @var Throttler */ |
|
| 42 | - private $throttler; |
|
| 43 | - /** @var IRequest */ |
|
| 44 | - private $request; |
|
| 39 | + /** @var ControllerMethodReflector */ |
|
| 40 | + private $reflector; |
|
| 41 | + /** @var Throttler */ |
|
| 42 | + private $throttler; |
|
| 43 | + /** @var IRequest */ |
|
| 44 | + private $request; |
|
| 45 | 45 | |
| 46 | - /** |
|
| 47 | - * @param ControllerMethodReflector $controllerMethodReflector |
|
| 48 | - * @param Throttler $throttler |
|
| 49 | - * @param IRequest $request |
|
| 50 | - */ |
|
| 51 | - public function __construct(ControllerMethodReflector $controllerMethodReflector, |
|
| 52 | - Throttler $throttler, |
|
| 53 | - IRequest $request) { |
|
| 54 | - $this->reflector = $controllerMethodReflector; |
|
| 55 | - $this->throttler = $throttler; |
|
| 56 | - $this->request = $request; |
|
| 57 | - } |
|
| 46 | + /** |
|
| 47 | + * @param ControllerMethodReflector $controllerMethodReflector |
|
| 48 | + * @param Throttler $throttler |
|
| 49 | + * @param IRequest $request |
|
| 50 | + */ |
|
| 51 | + public function __construct(ControllerMethodReflector $controllerMethodReflector, |
|
| 52 | + Throttler $throttler, |
|
| 53 | + IRequest $request) { |
|
| 54 | + $this->reflector = $controllerMethodReflector; |
|
| 55 | + $this->throttler = $throttler; |
|
| 56 | + $this->request = $request; |
|
| 57 | + } |
|
| 58 | 58 | |
| 59 | - /** |
|
| 60 | - * {@inheritDoc} |
|
| 61 | - */ |
|
| 62 | - public function beforeController(Controller $controller, $methodName) { |
|
| 63 | - parent::beforeController($controller, $methodName); |
|
| 59 | + /** |
|
| 60 | + * {@inheritDoc} |
|
| 61 | + */ |
|
| 62 | + public function beforeController(Controller $controller, $methodName) { |
|
| 63 | + parent::beforeController($controller, $methodName); |
|
| 64 | 64 | |
| 65 | - if($this->reflector->hasAnnotation('BruteForceProtection')) { |
|
| 66 | - $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); |
|
| 67 | - $this->throttler->sleepDelay($this->request->getRemoteAddress(), $action); |
|
| 68 | - } |
|
| 69 | - } |
|
| 65 | + if($this->reflector->hasAnnotation('BruteForceProtection')) { |
|
| 66 | + $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); |
|
| 67 | + $this->throttler->sleepDelay($this->request->getRemoteAddress(), $action); |
|
| 68 | + } |
|
| 69 | + } |
|
| 70 | 70 | |
| 71 | - /** |
|
| 72 | - * {@inheritDoc} |
|
| 73 | - */ |
|
| 74 | - public function afterController(Controller $controller, $methodName, Response $response) { |
|
| 75 | - if($this->reflector->hasAnnotation('BruteForceProtection') && $response->isThrottled()) { |
|
| 76 | - $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); |
|
| 77 | - $ip = $this->request->getRemoteAddress(); |
|
| 78 | - $this->throttler->sleepDelay($ip, $action); |
|
| 79 | - $this->throttler->registerAttempt($action, $ip); |
|
| 80 | - } |
|
| 71 | + /** |
|
| 72 | + * {@inheritDoc} |
|
| 73 | + */ |
|
| 74 | + public function afterController(Controller $controller, $methodName, Response $response) { |
|
| 75 | + if($this->reflector->hasAnnotation('BruteForceProtection') && $response->isThrottled()) { |
|
| 76 | + $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); |
|
| 77 | + $ip = $this->request->getRemoteAddress(); |
|
| 78 | + $this->throttler->sleepDelay($ip, $action); |
|
| 79 | + $this->throttler->registerAttempt($action, $ip); |
|
| 80 | + } |
|
| 81 | 81 | |
| 82 | - return parent::afterController($controller, $methodName, $response); |
|
| 83 | - } |
|
| 82 | + return parent::afterController($controller, $methodName, $response); |
|
| 83 | + } |
|
| 84 | 84 | } |
@@ -62,7 +62,7 @@ discard block |
||
| 62 | 62 | public function beforeController(Controller $controller, $methodName) { |
| 63 | 63 | parent::beforeController($controller, $methodName); |
| 64 | 64 | |
| 65 | - if($this->reflector->hasAnnotation('BruteForceProtection')) { |
|
| 65 | + if ($this->reflector->hasAnnotation('BruteForceProtection')) { |
|
| 66 | 66 | $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); |
| 67 | 67 | $this->throttler->sleepDelay($this->request->getRemoteAddress(), $action); |
| 68 | 68 | } |
@@ -72,7 +72,7 @@ discard block |
||
| 72 | 72 | * {@inheritDoc} |
| 73 | 73 | */ |
| 74 | 74 | public function afterController(Controller $controller, $methodName, Response $response) { |
| 75 | - if($this->reflector->hasAnnotation('BruteForceProtection') && $response->isThrottled()) { |
|
| 75 | + if ($this->reflector->hasAnnotation('BruteForceProtection') && $response->isThrottled()) { |
|
| 76 | 76 | $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); |
| 77 | 77 | $ip = $this->request->getRemoteAddress(); |
| 78 | 78 | $this->throttler->sleepDelay($ip, $action); |
@@ -48,87 +48,87 @@ |
||
| 48 | 48 | * @package OC\AppFramework\Middleware\Security |
| 49 | 49 | */ |
| 50 | 50 | class RateLimitingMiddleware extends Middleware { |
| 51 | - /** @var IRequest $request */ |
|
| 52 | - private $request; |
|
| 53 | - /** @var IUserSession */ |
|
| 54 | - private $userSession; |
|
| 55 | - /** @var ControllerMethodReflector */ |
|
| 56 | - private $reflector; |
|
| 57 | - /** @var Limiter */ |
|
| 58 | - private $limiter; |
|
| 51 | + /** @var IRequest $request */ |
|
| 52 | + private $request; |
|
| 53 | + /** @var IUserSession */ |
|
| 54 | + private $userSession; |
|
| 55 | + /** @var ControllerMethodReflector */ |
|
| 56 | + private $reflector; |
|
| 57 | + /** @var Limiter */ |
|
| 58 | + private $limiter; |
|
| 59 | 59 | |
| 60 | - /** |
|
| 61 | - * @param IRequest $request |
|
| 62 | - * @param IUserSession $userSession |
|
| 63 | - * @param ControllerMethodReflector $reflector |
|
| 64 | - * @param Limiter $limiter |
|
| 65 | - */ |
|
| 66 | - public function __construct(IRequest $request, |
|
| 67 | - IUserSession $userSession, |
|
| 68 | - ControllerMethodReflector $reflector, |
|
| 69 | - Limiter $limiter) { |
|
| 70 | - $this->request = $request; |
|
| 71 | - $this->userSession = $userSession; |
|
| 72 | - $this->reflector = $reflector; |
|
| 73 | - $this->limiter = $limiter; |
|
| 74 | - } |
|
| 60 | + /** |
|
| 61 | + * @param IRequest $request |
|
| 62 | + * @param IUserSession $userSession |
|
| 63 | + * @param ControllerMethodReflector $reflector |
|
| 64 | + * @param Limiter $limiter |
|
| 65 | + */ |
|
| 66 | + public function __construct(IRequest $request, |
|
| 67 | + IUserSession $userSession, |
|
| 68 | + ControllerMethodReflector $reflector, |
|
| 69 | + Limiter $limiter) { |
|
| 70 | + $this->request = $request; |
|
| 71 | + $this->userSession = $userSession; |
|
| 72 | + $this->reflector = $reflector; |
|
| 73 | + $this->limiter = $limiter; |
|
| 74 | + } |
|
| 75 | 75 | |
| 76 | - /** |
|
| 77 | - * {@inheritDoc} |
|
| 78 | - * @throws RateLimitExceededException |
|
| 79 | - */ |
|
| 80 | - public function beforeController(Controller $controller, $methodName) { |
|
| 81 | - parent::beforeController($controller, $methodName); |
|
| 76 | + /** |
|
| 77 | + * {@inheritDoc} |
|
| 78 | + * @throws RateLimitExceededException |
|
| 79 | + */ |
|
| 80 | + public function beforeController(Controller $controller, $methodName) { |
|
| 81 | + parent::beforeController($controller, $methodName); |
|
| 82 | 82 | |
| 83 | - $anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit'); |
|
| 84 | - $anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period'); |
|
| 85 | - $userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit'); |
|
| 86 | - $userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period'); |
|
| 87 | - $rateLimitIdentifier = get_class($controller) . '::' . $methodName; |
|
| 88 | - if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) { |
|
| 89 | - $this->limiter->registerUserRequest( |
|
| 90 | - $rateLimitIdentifier, |
|
| 91 | - $userLimit, |
|
| 92 | - $userPeriod, |
|
| 93 | - $this->userSession->getUser() |
|
| 94 | - ); |
|
| 95 | - } elseif ($anonLimit !== '' && $anonPeriod !== '') { |
|
| 96 | - $this->limiter->registerAnonRequest( |
|
| 97 | - $rateLimitIdentifier, |
|
| 98 | - $anonLimit, |
|
| 99 | - $anonPeriod, |
|
| 100 | - $this->request->getRemoteAddress() |
|
| 101 | - ); |
|
| 102 | - } |
|
| 103 | - } |
|
| 83 | + $anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit'); |
|
| 84 | + $anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period'); |
|
| 85 | + $userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit'); |
|
| 86 | + $userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period'); |
|
| 87 | + $rateLimitIdentifier = get_class($controller) . '::' . $methodName; |
|
| 88 | + if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) { |
|
| 89 | + $this->limiter->registerUserRequest( |
|
| 90 | + $rateLimitIdentifier, |
|
| 91 | + $userLimit, |
|
| 92 | + $userPeriod, |
|
| 93 | + $this->userSession->getUser() |
|
| 94 | + ); |
|
| 95 | + } elseif ($anonLimit !== '' && $anonPeriod !== '') { |
|
| 96 | + $this->limiter->registerAnonRequest( |
|
| 97 | + $rateLimitIdentifier, |
|
| 98 | + $anonLimit, |
|
| 99 | + $anonPeriod, |
|
| 100 | + $this->request->getRemoteAddress() |
|
| 101 | + ); |
|
| 102 | + } |
|
| 103 | + } |
|
| 104 | 104 | |
| 105 | - /** |
|
| 106 | - * {@inheritDoc} |
|
| 107 | - */ |
|
| 108 | - public function afterException(Controller $controller, $methodName, \Exception $exception) { |
|
| 109 | - if($exception instanceof RateLimitExceededException) { |
|
| 110 | - if (stripos($this->request->getHeader('Accept'),'html') === false) { |
|
| 111 | - $response = new JSONResponse( |
|
| 112 | - [ |
|
| 113 | - 'message' => $exception->getMessage(), |
|
| 114 | - ], |
|
| 115 | - $exception->getCode() |
|
| 116 | - ); |
|
| 117 | - } else { |
|
| 118 | - $response = new TemplateResponse( |
|
| 119 | - 'core', |
|
| 120 | - '403', |
|
| 121 | - [ |
|
| 122 | - 'file' => $exception->getMessage() |
|
| 123 | - ], |
|
| 124 | - 'guest' |
|
| 125 | - ); |
|
| 126 | - $response->setStatus($exception->getCode()); |
|
| 127 | - } |
|
| 105 | + /** |
|
| 106 | + * {@inheritDoc} |
|
| 107 | + */ |
|
| 108 | + public function afterException(Controller $controller, $methodName, \Exception $exception) { |
|
| 109 | + if($exception instanceof RateLimitExceededException) { |
|
| 110 | + if (stripos($this->request->getHeader('Accept'),'html') === false) { |
|
| 111 | + $response = new JSONResponse( |
|
| 112 | + [ |
|
| 113 | + 'message' => $exception->getMessage(), |
|
| 114 | + ], |
|
| 115 | + $exception->getCode() |
|
| 116 | + ); |
|
| 117 | + } else { |
|
| 118 | + $response = new TemplateResponse( |
|
| 119 | + 'core', |
|
| 120 | + '403', |
|
| 121 | + [ |
|
| 122 | + 'file' => $exception->getMessage() |
|
| 123 | + ], |
|
| 124 | + 'guest' |
|
| 125 | + ); |
|
| 126 | + $response->setStatus($exception->getCode()); |
|
| 127 | + } |
|
| 128 | 128 | |
| 129 | - return $response; |
|
| 130 | - } |
|
| 129 | + return $response; |
|
| 130 | + } |
|
| 131 | 131 | |
| 132 | - throw $exception; |
|
| 133 | - } |
|
| 132 | + throw $exception; |
|
| 133 | + } |
|
| 134 | 134 | } |
@@ -84,8 +84,8 @@ discard block |
||
| 84 | 84 | $anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period'); |
| 85 | 85 | $userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit'); |
| 86 | 86 | $userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period'); |
| 87 | - $rateLimitIdentifier = get_class($controller) . '::' . $methodName; |
|
| 88 | - if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) { |
|
| 87 | + $rateLimitIdentifier = get_class($controller).'::'.$methodName; |
|
| 88 | + if ($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) { |
|
| 89 | 89 | $this->limiter->registerUserRequest( |
| 90 | 90 | $rateLimitIdentifier, |
| 91 | 91 | $userLimit, |
@@ -106,8 +106,8 @@ discard block |
||
| 106 | 106 | * {@inheritDoc} |
| 107 | 107 | */ |
| 108 | 108 | public function afterException(Controller $controller, $methodName, \Exception $exception) { |
| 109 | - if($exception instanceof RateLimitExceededException) { |
|
| 110 | - if (stripos($this->request->getHeader('Accept'),'html') === false) { |
|
| 109 | + if ($exception instanceof RateLimitExceededException) { |
|
| 110 | + if (stripos($this->request->getHeader('Accept'), 'html') === false) { |
|
| 111 | 111 | $response = new JSONResponse( |
| 112 | 112 | [ |
| 113 | 113 | 'message' => $exception->getMessage(), |
@@ -45,116 +45,116 @@ |
||
| 45 | 45 | * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS |
| 46 | 46 | */ |
| 47 | 47 | class CORSMiddleware extends Middleware { |
| 48 | - /** @var IRequest */ |
|
| 49 | - private $request; |
|
| 50 | - /** @var ControllerMethodReflector */ |
|
| 51 | - private $reflector; |
|
| 52 | - /** @var Session */ |
|
| 53 | - private $session; |
|
| 54 | - /** @var Throttler */ |
|
| 55 | - private $throttler; |
|
| 48 | + /** @var IRequest */ |
|
| 49 | + private $request; |
|
| 50 | + /** @var ControllerMethodReflector */ |
|
| 51 | + private $reflector; |
|
| 52 | + /** @var Session */ |
|
| 53 | + private $session; |
|
| 54 | + /** @var Throttler */ |
|
| 55 | + private $throttler; |
|
| 56 | 56 | |
| 57 | - /** |
|
| 58 | - * @param IRequest $request |
|
| 59 | - * @param ControllerMethodReflector $reflector |
|
| 60 | - * @param Session $session |
|
| 61 | - * @param Throttler $throttler |
|
| 62 | - */ |
|
| 63 | - public function __construct(IRequest $request, |
|
| 64 | - ControllerMethodReflector $reflector, |
|
| 65 | - Session $session, |
|
| 66 | - Throttler $throttler) { |
|
| 67 | - $this->request = $request; |
|
| 68 | - $this->reflector = $reflector; |
|
| 69 | - $this->session = $session; |
|
| 70 | - $this->throttler = $throttler; |
|
| 71 | - } |
|
| 57 | + /** |
|
| 58 | + * @param IRequest $request |
|
| 59 | + * @param ControllerMethodReflector $reflector |
|
| 60 | + * @param Session $session |
|
| 61 | + * @param Throttler $throttler |
|
| 62 | + */ |
|
| 63 | + public function __construct(IRequest $request, |
|
| 64 | + ControllerMethodReflector $reflector, |
|
| 65 | + Session $session, |
|
| 66 | + Throttler $throttler) { |
|
| 67 | + $this->request = $request; |
|
| 68 | + $this->reflector = $reflector; |
|
| 69 | + $this->session = $session; |
|
| 70 | + $this->throttler = $throttler; |
|
| 71 | + } |
|
| 72 | 72 | |
| 73 | - /** |
|
| 74 | - * This is being run in normal order before the controller is being |
|
| 75 | - * called which allows several modifications and checks |
|
| 76 | - * |
|
| 77 | - * @param Controller $controller the controller that is being called |
|
| 78 | - * @param string $methodName the name of the method that will be called on |
|
| 79 | - * the controller |
|
| 80 | - * @throws SecurityException |
|
| 81 | - * @since 6.0.0 |
|
| 82 | - */ |
|
| 83 | - public function beforeController(Controller $controller, $methodName){ |
|
| 84 | - // ensure that @CORS annotated API routes are not used in conjunction |
|
| 85 | - // with session authentication since this enables CSRF attack vectors |
|
| 86 | - if ($this->reflector->hasAnnotation('CORS') && |
|
| 87 | - !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 88 | - $user = $this->request->server['PHP_AUTH_USER']; |
|
| 89 | - $pass = $this->request->server['PHP_AUTH_PW']; |
|
| 73 | + /** |
|
| 74 | + * This is being run in normal order before the controller is being |
|
| 75 | + * called which allows several modifications and checks |
|
| 76 | + * |
|
| 77 | + * @param Controller $controller the controller that is being called |
|
| 78 | + * @param string $methodName the name of the method that will be called on |
|
| 79 | + * the controller |
|
| 80 | + * @throws SecurityException |
|
| 81 | + * @since 6.0.0 |
|
| 82 | + */ |
|
| 83 | + public function beforeController(Controller $controller, $methodName){ |
|
| 84 | + // ensure that @CORS annotated API routes are not used in conjunction |
|
| 85 | + // with session authentication since this enables CSRF attack vectors |
|
| 86 | + if ($this->reflector->hasAnnotation('CORS') && |
|
| 87 | + !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 88 | + $user = $this->request->server['PHP_AUTH_USER']; |
|
| 89 | + $pass = $this->request->server['PHP_AUTH_PW']; |
|
| 90 | 90 | |
| 91 | - $this->session->logout(); |
|
| 92 | - try { |
|
| 93 | - if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |
|
| 94 | - throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); |
|
| 95 | - } |
|
| 96 | - } catch (PasswordLoginForbiddenException $ex) { |
|
| 97 | - throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED); |
|
| 98 | - } |
|
| 99 | - } |
|
| 100 | - } |
|
| 91 | + $this->session->logout(); |
|
| 92 | + try { |
|
| 93 | + if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |
|
| 94 | + throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); |
|
| 95 | + } |
|
| 96 | + } catch (PasswordLoginForbiddenException $ex) { |
|
| 97 | + throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED); |
|
| 98 | + } |
|
| 99 | + } |
|
| 100 | + } |
|
| 101 | 101 | |
| 102 | - /** |
|
| 103 | - * This is being run after a successful controllermethod call and allows |
|
| 104 | - * the manipulation of a Response object. The middleware is run in reverse order |
|
| 105 | - * |
|
| 106 | - * @param Controller $controller the controller that is being called |
|
| 107 | - * @param string $methodName the name of the method that will be called on |
|
| 108 | - * the controller |
|
| 109 | - * @param Response $response the generated response from the controller |
|
| 110 | - * @return Response a Response object |
|
| 111 | - * @throws SecurityException |
|
| 112 | - */ |
|
| 113 | - public function afterController(Controller $controller, $methodName, Response $response){ |
|
| 114 | - // only react if its a CORS request and if the request sends origin and |
|
| 102 | + /** |
|
| 103 | + * This is being run after a successful controllermethod call and allows |
|
| 104 | + * the manipulation of a Response object. The middleware is run in reverse order |
|
| 105 | + * |
|
| 106 | + * @param Controller $controller the controller that is being called |
|
| 107 | + * @param string $methodName the name of the method that will be called on |
|
| 108 | + * the controller |
|
| 109 | + * @param Response $response the generated response from the controller |
|
| 110 | + * @return Response a Response object |
|
| 111 | + * @throws SecurityException |
|
| 112 | + */ |
|
| 113 | + public function afterController(Controller $controller, $methodName, Response $response){ |
|
| 114 | + // only react if its a CORS request and if the request sends origin and |
|
| 115 | 115 | |
| 116 | - if(isset($this->request->server['HTTP_ORIGIN']) && |
|
| 117 | - $this->reflector->hasAnnotation('CORS')) { |
|
| 116 | + if(isset($this->request->server['HTTP_ORIGIN']) && |
|
| 117 | + $this->reflector->hasAnnotation('CORS')) { |
|
| 118 | 118 | |
| 119 | - // allow credentials headers must not be true or CSRF is possible |
|
| 120 | - // otherwise |
|
| 121 | - foreach($response->getHeaders() as $header => $value) { |
|
| 122 | - if(strtolower($header) === 'access-control-allow-credentials' && |
|
| 123 | - strtolower(trim($value)) === 'true') { |
|
| 124 | - $msg = 'Access-Control-Allow-Credentials must not be '. |
|
| 125 | - 'set to true in order to prevent CSRF'; |
|
| 126 | - throw new SecurityException($msg); |
|
| 127 | - } |
|
| 128 | - } |
|
| 119 | + // allow credentials headers must not be true or CSRF is possible |
|
| 120 | + // otherwise |
|
| 121 | + foreach($response->getHeaders() as $header => $value) { |
|
| 122 | + if(strtolower($header) === 'access-control-allow-credentials' && |
|
| 123 | + strtolower(trim($value)) === 'true') { |
|
| 124 | + $msg = 'Access-Control-Allow-Credentials must not be '. |
|
| 125 | + 'set to true in order to prevent CSRF'; |
|
| 126 | + throw new SecurityException($msg); |
|
| 127 | + } |
|
| 128 | + } |
|
| 129 | 129 | |
| 130 | - $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 131 | - $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 132 | - } |
|
| 133 | - return $response; |
|
| 134 | - } |
|
| 130 | + $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 131 | + $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 132 | + } |
|
| 133 | + return $response; |
|
| 134 | + } |
|
| 135 | 135 | |
| 136 | - /** |
|
| 137 | - * If an SecurityException is being caught return a JSON error response |
|
| 138 | - * |
|
| 139 | - * @param Controller $controller the controller that is being called |
|
| 140 | - * @param string $methodName the name of the method that will be called on |
|
| 141 | - * the controller |
|
| 142 | - * @param \Exception $exception the thrown exception |
|
| 143 | - * @throws \Exception the passed in exception if it can't handle it |
|
| 144 | - * @return Response a Response object or null in case that the exception could not be handled |
|
| 145 | - */ |
|
| 146 | - public function afterException(Controller $controller, $methodName, \Exception $exception){ |
|
| 147 | - if($exception instanceof SecurityException){ |
|
| 148 | - $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 149 | - if($exception->getCode() !== 0) { |
|
| 150 | - $response->setStatus($exception->getCode()); |
|
| 151 | - } else { |
|
| 152 | - $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
|
| 153 | - } |
|
| 154 | - return $response; |
|
| 155 | - } |
|
| 136 | + /** |
|
| 137 | + * If an SecurityException is being caught return a JSON error response |
|
| 138 | + * |
|
| 139 | + * @param Controller $controller the controller that is being called |
|
| 140 | + * @param string $methodName the name of the method that will be called on |
|
| 141 | + * the controller |
|
| 142 | + * @param \Exception $exception the thrown exception |
|
| 143 | + * @throws \Exception the passed in exception if it can't handle it |
|
| 144 | + * @return Response a Response object or null in case that the exception could not be handled |
|
| 145 | + */ |
|
| 146 | + public function afterException(Controller $controller, $methodName, \Exception $exception){ |
|
| 147 | + if($exception instanceof SecurityException){ |
|
| 148 | + $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 149 | + if($exception->getCode() !== 0) { |
|
| 150 | + $response->setStatus($exception->getCode()); |
|
| 151 | + } else { |
|
| 152 | + $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
|
| 153 | + } |
|
| 154 | + return $response; |
|
| 155 | + } |
|
| 156 | 156 | |
| 157 | - throw $exception; |
|
| 158 | - } |
|
| 157 | + throw $exception; |
|
| 158 | + } |
|
| 159 | 159 | |
| 160 | 160 | } |
@@ -80,11 +80,11 @@ discard block |
||
| 80 | 80 | * @throws SecurityException |
| 81 | 81 | * @since 6.0.0 |
| 82 | 82 | */ |
| 83 | - public function beforeController(Controller $controller, $methodName){ |
|
| 83 | + public function beforeController(Controller $controller, $methodName) { |
|
| 84 | 84 | // ensure that @CORS annotated API routes are not used in conjunction |
| 85 | 85 | // with session authentication since this enables CSRF attack vectors |
| 86 | 86 | if ($this->reflector->hasAnnotation('CORS') && |
| 87 | - !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 87 | + !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 88 | 88 | $user = $this->request->server['PHP_AUTH_USER']; |
| 89 | 89 | $pass = $this->request->server['PHP_AUTH_PW']; |
| 90 | 90 | |
@@ -110,16 +110,16 @@ discard block |
||
| 110 | 110 | * @return Response a Response object |
| 111 | 111 | * @throws SecurityException |
| 112 | 112 | */ |
| 113 | - public function afterController(Controller $controller, $methodName, Response $response){ |
|
| 113 | + public function afterController(Controller $controller, $methodName, Response $response) { |
|
| 114 | 114 | // only react if its a CORS request and if the request sends origin and |
| 115 | 115 | |
| 116 | - if(isset($this->request->server['HTTP_ORIGIN']) && |
|
| 116 | + if (isset($this->request->server['HTTP_ORIGIN']) && |
|
| 117 | 117 | $this->reflector->hasAnnotation('CORS')) { |
| 118 | 118 | |
| 119 | 119 | // allow credentials headers must not be true or CSRF is possible |
| 120 | 120 | // otherwise |
| 121 | - foreach($response->getHeaders() as $header => $value) { |
|
| 122 | - if(strtolower($header) === 'access-control-allow-credentials' && |
|
| 121 | + foreach ($response->getHeaders() as $header => $value) { |
|
| 122 | + if (strtolower($header) === 'access-control-allow-credentials' && |
|
| 123 | 123 | strtolower(trim($value)) === 'true') { |
| 124 | 124 | $msg = 'Access-Control-Allow-Credentials must not be '. |
| 125 | 125 | 'set to true in order to prevent CSRF'; |
@@ -143,10 +143,10 @@ discard block |
||
| 143 | 143 | * @throws \Exception the passed in exception if it can't handle it |
| 144 | 144 | * @return Response a Response object or null in case that the exception could not be handled |
| 145 | 145 | */ |
| 146 | - public function afterException(Controller $controller, $methodName, \Exception $exception){ |
|
| 147 | - if($exception instanceof SecurityException){ |
|
| 148 | - $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 149 | - if($exception->getCode() !== 0) { |
|
| 146 | + public function afterException(Controller $controller, $methodName, \Exception $exception) { |
|
| 147 | + if ($exception instanceof SecurityException) { |
|
| 148 | + $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 149 | + if ($exception->getCode() !== 0) { |
|
| 150 | 150 | $response->setStatus($exception->getCode()); |
| 151 | 151 | } else { |
| 152 | 152 | $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
