nextcloud /
server
@@ -45,116 +45,116 @@ |
||
| 45 | 45 | * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS |
| 46 | 46 | */ |
| 47 | 47 | class CORSMiddleware extends Middleware { |
| 48 | - /** @var IRequest */ |
|
| 49 | - private $request; |
|
| 50 | - /** @var ControllerMethodReflector */ |
|
| 51 | - private $reflector; |
|
| 52 | - /** @var Session */ |
|
| 53 | - private $session; |
|
| 54 | - /** @var Throttler */ |
|
| 55 | - private $throttler; |
|
| 48 | + /** @var IRequest */ |
|
| 49 | + private $request; |
|
| 50 | + /** @var ControllerMethodReflector */ |
|
| 51 | + private $reflector; |
|
| 52 | + /** @var Session */ |
|
| 53 | + private $session; |
|
| 54 | + /** @var Throttler */ |
|
| 55 | + private $throttler; |
|
| 56 | 56 | |
| 57 | - /** |
|
| 58 | - * @param IRequest $request |
|
| 59 | - * @param ControllerMethodReflector $reflector |
|
| 60 | - * @param Session $session |
|
| 61 | - * @param Throttler $throttler |
|
| 62 | - */ |
|
| 63 | - public function __construct(IRequest $request, |
|
| 64 | - ControllerMethodReflector $reflector, |
|
| 65 | - Session $session, |
|
| 66 | - Throttler $throttler) { |
|
| 67 | - $this->request = $request; |
|
| 68 | - $this->reflector = $reflector; |
|
| 69 | - $this->session = $session; |
|
| 70 | - $this->throttler = $throttler; |
|
| 71 | - } |
|
| 57 | + /** |
|
| 58 | + * @param IRequest $request |
|
| 59 | + * @param ControllerMethodReflector $reflector |
|
| 60 | + * @param Session $session |
|
| 61 | + * @param Throttler $throttler |
|
| 62 | + */ |
|
| 63 | + public function __construct(IRequest $request, |
|
| 64 | + ControllerMethodReflector $reflector, |
|
| 65 | + Session $session, |
|
| 66 | + Throttler $throttler) { |
|
| 67 | + $this->request = $request; |
|
| 68 | + $this->reflector = $reflector; |
|
| 69 | + $this->session = $session; |
|
| 70 | + $this->throttler = $throttler; |
|
| 71 | + } |
|
| 72 | 72 | |
| 73 | - /** |
|
| 74 | - * This is being run in normal order before the controller is being |
|
| 75 | - * called which allows several modifications and checks |
|
| 76 | - * |
|
| 77 | - * @param Controller $controller the controller that is being called |
|
| 78 | - * @param string $methodName the name of the method that will be called on |
|
| 79 | - * the controller |
|
| 80 | - * @throws SecurityException |
|
| 81 | - * @since 6.0.0 |
|
| 82 | - */ |
|
| 83 | - public function beforeController($controller, $methodName){ |
|
| 84 | - // ensure that @CORS annotated API routes are not used in conjunction |
|
| 85 | - // with session authentication since this enables CSRF attack vectors |
|
| 86 | - if ($this->reflector->hasAnnotation('CORS') && |
|
| 87 | - !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 88 | - $user = $this->request->server['PHP_AUTH_USER']; |
|
| 89 | - $pass = $this->request->server['PHP_AUTH_PW']; |
|
| 73 | + /** |
|
| 74 | + * This is being run in normal order before the controller is being |
|
| 75 | + * called which allows several modifications and checks |
|
| 76 | + * |
|
| 77 | + * @param Controller $controller the controller that is being called |
|
| 78 | + * @param string $methodName the name of the method that will be called on |
|
| 79 | + * the controller |
|
| 80 | + * @throws SecurityException |
|
| 81 | + * @since 6.0.0 |
|
| 82 | + */ |
|
| 83 | + public function beforeController($controller, $methodName){ |
|
| 84 | + // ensure that @CORS annotated API routes are not used in conjunction |
|
| 85 | + // with session authentication since this enables CSRF attack vectors |
|
| 86 | + if ($this->reflector->hasAnnotation('CORS') && |
|
| 87 | + !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 88 | + $user = $this->request->server['PHP_AUTH_USER']; |
|
| 89 | + $pass = $this->request->server['PHP_AUTH_PW']; |
|
| 90 | 90 | |
| 91 | - $this->session->logout(); |
|
| 92 | - try { |
|
| 93 | - if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |
|
| 94 | - throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); |
|
| 95 | - } |
|
| 96 | - } catch (PasswordLoginForbiddenException $ex) { |
|
| 97 | - throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED); |
|
| 98 | - } |
|
| 99 | - } |
|
| 100 | - } |
|
| 91 | + $this->session->logout(); |
|
| 92 | + try { |
|
| 93 | + if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |
|
| 94 | + throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); |
|
| 95 | + } |
|
| 96 | + } catch (PasswordLoginForbiddenException $ex) { |
|
| 97 | + throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED); |
|
| 98 | + } |
|
| 99 | + } |
|
| 100 | + } |
|
| 101 | 101 | |
| 102 | - /** |
|
| 103 | - * This is being run after a successful controllermethod call and allows |
|
| 104 | - * the manipulation of a Response object. The middleware is run in reverse order |
|
| 105 | - * |
|
| 106 | - * @param Controller $controller the controller that is being called |
|
| 107 | - * @param string $methodName the name of the method that will be called on |
|
| 108 | - * the controller |
|
| 109 | - * @param Response $response the generated response from the controller |
|
| 110 | - * @return Response a Response object |
|
| 111 | - * @throws SecurityException |
|
| 112 | - */ |
|
| 113 | - public function afterController($controller, $methodName, Response $response){ |
|
| 114 | - // only react if its a CORS request and if the request sends origin and |
|
| 102 | + /** |
|
| 103 | + * This is being run after a successful controllermethod call and allows |
|
| 104 | + * the manipulation of a Response object. The middleware is run in reverse order |
|
| 105 | + * |
|
| 106 | + * @param Controller $controller the controller that is being called |
|
| 107 | + * @param string $methodName the name of the method that will be called on |
|
| 108 | + * the controller |
|
| 109 | + * @param Response $response the generated response from the controller |
|
| 110 | + * @return Response a Response object |
|
| 111 | + * @throws SecurityException |
|
| 112 | + */ |
|
| 113 | + public function afterController($controller, $methodName, Response $response){ |
|
| 114 | + // only react if its a CORS request and if the request sends origin and |
|
| 115 | 115 | |
| 116 | - if(isset($this->request->server['HTTP_ORIGIN']) && |
|
| 117 | - $this->reflector->hasAnnotation('CORS')) { |
|
| 116 | + if(isset($this->request->server['HTTP_ORIGIN']) && |
|
| 117 | + $this->reflector->hasAnnotation('CORS')) { |
|
| 118 | 118 | |
| 119 | - // allow credentials headers must not be true or CSRF is possible |
|
| 120 | - // otherwise |
|
| 121 | - foreach($response->getHeaders() as $header => $value) { |
|
| 122 | - if(strtolower($header) === 'access-control-allow-credentials' && |
|
| 123 | - strtolower(trim($value)) === 'true') { |
|
| 124 | - $msg = 'Access-Control-Allow-Credentials must not be '. |
|
| 125 | - 'set to true in order to prevent CSRF'; |
|
| 126 | - throw new SecurityException($msg); |
|
| 127 | - } |
|
| 128 | - } |
|
| 119 | + // allow credentials headers must not be true or CSRF is possible |
|
| 120 | + // otherwise |
|
| 121 | + foreach($response->getHeaders() as $header => $value) { |
|
| 122 | + if(strtolower($header) === 'access-control-allow-credentials' && |
|
| 123 | + strtolower(trim($value)) === 'true') { |
|
| 124 | + $msg = 'Access-Control-Allow-Credentials must not be '. |
|
| 125 | + 'set to true in order to prevent CSRF'; |
|
| 126 | + throw new SecurityException($msg); |
|
| 127 | + } |
|
| 128 | + } |
|
| 129 | 129 | |
| 130 | - $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 131 | - $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 132 | - } |
|
| 133 | - return $response; |
|
| 134 | - } |
|
| 130 | + $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 131 | + $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 132 | + } |
|
| 133 | + return $response; |
|
| 134 | + } |
|
| 135 | 135 | |
| 136 | - /** |
|
| 137 | - * If an SecurityException is being caught return a JSON error response |
|
| 138 | - * |
|
| 139 | - * @param Controller $controller the controller that is being called |
|
| 140 | - * @param string $methodName the name of the method that will be called on |
|
| 141 | - * the controller |
|
| 142 | - * @param \Exception $exception the thrown exception |
|
| 143 | - * @throws \Exception the passed in exception if it can't handle it |
|
| 144 | - * @return Response a Response object or null in case that the exception could not be handled |
|
| 145 | - */ |
|
| 146 | - public function afterException($controller, $methodName, \Exception $exception){ |
|
| 147 | - if($exception instanceof SecurityException){ |
|
| 148 | - $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 149 | - if($exception->getCode() !== 0) { |
|
| 150 | - $response->setStatus($exception->getCode()); |
|
| 151 | - } else { |
|
| 152 | - $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
|
| 153 | - } |
|
| 154 | - return $response; |
|
| 155 | - } |
|
| 136 | + /** |
|
| 137 | + * If an SecurityException is being caught return a JSON error response |
|
| 138 | + * |
|
| 139 | + * @param Controller $controller the controller that is being called |
|
| 140 | + * @param string $methodName the name of the method that will be called on |
|
| 141 | + * the controller |
|
| 142 | + * @param \Exception $exception the thrown exception |
|
| 143 | + * @throws \Exception the passed in exception if it can't handle it |
|
| 144 | + * @return Response a Response object or null in case that the exception could not be handled |
|
| 145 | + */ |
|
| 146 | + public function afterException($controller, $methodName, \Exception $exception){ |
|
| 147 | + if($exception instanceof SecurityException){ |
|
| 148 | + $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 149 | + if($exception->getCode() !== 0) { |
|
| 150 | + $response->setStatus($exception->getCode()); |
|
| 151 | + } else { |
|
| 152 | + $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
|
| 153 | + } |
|
| 154 | + return $response; |
|
| 155 | + } |
|
| 156 | 156 | |
| 157 | - throw $exception; |
|
| 158 | - } |
|
| 157 | + throw $exception; |
|
| 158 | + } |
|
| 159 | 159 | |
| 160 | 160 | } |
@@ -80,11 +80,11 @@ discard block |
||
| 80 | 80 | * @throws SecurityException |
| 81 | 81 | * @since 6.0.0 |
| 82 | 82 | */ |
| 83 | - public function beforeController($controller, $methodName){ |
|
| 83 | + public function beforeController($controller, $methodName) { |
|
| 84 | 84 | // ensure that @CORS annotated API routes are not used in conjunction |
| 85 | 85 | // with session authentication since this enables CSRF attack vectors |
| 86 | 86 | if ($this->reflector->hasAnnotation('CORS') && |
| 87 | - !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 87 | + !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 88 | 88 | $user = $this->request->server['PHP_AUTH_USER']; |
| 89 | 89 | $pass = $this->request->server['PHP_AUTH_PW']; |
| 90 | 90 | |
@@ -110,16 +110,16 @@ discard block |
||
| 110 | 110 | * @return Response a Response object |
| 111 | 111 | * @throws SecurityException |
| 112 | 112 | */ |
| 113 | - public function afterController($controller, $methodName, Response $response){ |
|
| 113 | + public function afterController($controller, $methodName, Response $response) { |
|
| 114 | 114 | // only react if its a CORS request and if the request sends origin and |
| 115 | 115 | |
| 116 | - if(isset($this->request->server['HTTP_ORIGIN']) && |
|
| 116 | + if (isset($this->request->server['HTTP_ORIGIN']) && |
|
| 117 | 117 | $this->reflector->hasAnnotation('CORS')) { |
| 118 | 118 | |
| 119 | 119 | // allow credentials headers must not be true or CSRF is possible |
| 120 | 120 | // otherwise |
| 121 | - foreach($response->getHeaders() as $header => $value) { |
|
| 122 | - if(strtolower($header) === 'access-control-allow-credentials' && |
|
| 121 | + foreach ($response->getHeaders() as $header => $value) { |
|
| 122 | + if (strtolower($header) === 'access-control-allow-credentials' && |
|
| 123 | 123 | strtolower(trim($value)) === 'true') { |
| 124 | 124 | $msg = 'Access-Control-Allow-Credentials must not be '. |
| 125 | 125 | 'set to true in order to prevent CSRF'; |
@@ -143,10 +143,10 @@ discard block |
||
| 143 | 143 | * @throws \Exception the passed in exception if it can't handle it |
| 144 | 144 | * @return Response a Response object or null in case that the exception could not be handled |
| 145 | 145 | */ |
| 146 | - public function afterException($controller, $methodName, \Exception $exception){ |
|
| 147 | - if($exception instanceof SecurityException){ |
|
| 148 | - $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 149 | - if($exception->getCode() !== 0) { |
|
| 146 | + public function afterException($controller, $methodName, \Exception $exception) { |
|
| 147 | + if ($exception instanceof SecurityException) { |
|
| 148 | + $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 149 | + if ($exception->getCode() !== 0) { |
|
| 150 | 150 | $response->setStatus($exception->getCode()); |
| 151 | 151 | } else { |
| 152 | 152 | $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
@@ -31,7 +31,7 @@ |
||
| 31 | 31 | * @package OC\AppFramework\Middleware\Security\Exceptions |
| 32 | 32 | */ |
| 33 | 33 | class NotConfirmedException extends SecurityException { |
| 34 | - public function __construct() { |
|
| 35 | - parent::__construct('Password confirmation is required', Http::STATUS_FORBIDDEN); |
|
| 36 | - } |
|
| 34 | + public function __construct() { |
|
| 35 | + parent::__construct('Password confirmation is required', Http::STATUS_FORBIDDEN); |
|
| 36 | + } |
|
| 37 | 37 | } |
@@ -34,7 +34,7 @@ |
||
| 34 | 34 | * @package OC\AppFramework\Middleware\Security\Exceptions |
| 35 | 35 | */ |
| 36 | 36 | class CrossSiteRequestForgeryException extends SecurityException { |
| 37 | - public function __construct() { |
|
| 38 | - parent::__construct('CSRF check failed', Http::STATUS_PRECONDITION_FAILED); |
|
| 39 | - } |
|
| 37 | + public function __construct() { |
|
| 38 | + parent::__construct('CSRF check failed', Http::STATUS_PRECONDITION_FAILED); |
|
| 39 | + } |
|
| 40 | 40 | } |
@@ -34,7 +34,7 @@ |
||
| 34 | 34 | * @package OC\AppFramework\Middleware\Security\Exceptions |
| 35 | 35 | */ |
| 36 | 36 | class AppNotEnabledException extends SecurityException { |
| 37 | - public function __construct() { |
|
| 38 | - parent::__construct('App is not enabled', Http::STATUS_PRECONDITION_FAILED); |
|
| 39 | - } |
|
| 37 | + public function __construct() { |
|
| 38 | + parent::__construct('App is not enabled', Http::STATUS_PRECONDITION_FAILED); |
|
| 39 | + } |
|
| 40 | 40 | } |
@@ -34,7 +34,7 @@ |
||
| 34 | 34 | * @package OC\AppFramework\Middleware\Security\Exceptions |
| 35 | 35 | */ |
| 36 | 36 | class NotLoggedInException extends SecurityException { |
| 37 | - public function __construct() { |
|
| 38 | - parent::__construct('Current user is not logged in', Http::STATUS_UNAUTHORIZED); |
|
| 39 | - } |
|
| 37 | + public function __construct() { |
|
| 38 | + parent::__construct('Current user is not logged in', Http::STATUS_UNAUTHORIZED); |
|
| 39 | + } |
|
| 40 | 40 | } |
@@ -143,7 +143,7 @@ |
||
| 143 | 143 | $format = $this->request->getParam('format'); |
| 144 | 144 | |
| 145 | 145 | // if none is given try the first Accept header |
| 146 | - if($format === null) { |
|
| 146 | + if ($format === null) { |
|
| 147 | 147 | $headers = $this->request->getHeader('Accept'); |
| 148 | 148 | $format = $controller->getResponderByHTTPHeader($headers, 'xml'); |
| 149 | 149 | } |
@@ -39,116 +39,116 @@ |
||
| 39 | 39 | |
| 40 | 40 | class OCSMiddleware extends Middleware { |
| 41 | 41 | |
| 42 | - /** @var IRequest */ |
|
| 43 | - private $request; |
|
| 44 | - |
|
| 45 | - /** @var int */ |
|
| 46 | - private $ocsVersion; |
|
| 47 | - |
|
| 48 | - /** |
|
| 49 | - * @param IRequest $request |
|
| 50 | - */ |
|
| 51 | - public function __construct(IRequest $request) { |
|
| 52 | - $this->request = $request; |
|
| 53 | - } |
|
| 54 | - |
|
| 55 | - /** |
|
| 56 | - * @param Controller $controller |
|
| 57 | - * @param string $methodName |
|
| 58 | - */ |
|
| 59 | - public function beforeController($controller, $methodName) { |
|
| 60 | - if ($controller instanceof OCSController) { |
|
| 61 | - if (substr_compare($this->request->getScriptName(), '/ocs/v2.php', -strlen('/ocs/v2.php')) === 0) { |
|
| 62 | - $this->ocsVersion = 2; |
|
| 63 | - } else { |
|
| 64 | - $this->ocsVersion = 1; |
|
| 65 | - } |
|
| 66 | - $controller->setOCSVersion($this->ocsVersion); |
|
| 67 | - } |
|
| 68 | - } |
|
| 69 | - |
|
| 70 | - /** |
|
| 71 | - * @param Controller $controller |
|
| 72 | - * @param string $methodName |
|
| 73 | - * @param \Exception $exception |
|
| 74 | - * @throws \Exception |
|
| 75 | - * @return BaseResponse |
|
| 76 | - */ |
|
| 77 | - public function afterException($controller, $methodName, \Exception $exception) { |
|
| 78 | - if ($controller instanceof OCSController && $exception instanceof OCSException) { |
|
| 79 | - $code = $exception->getCode(); |
|
| 80 | - if ($code === 0) { |
|
| 81 | - $code = API::RESPOND_UNKNOWN_ERROR; |
|
| 82 | - } |
|
| 83 | - |
|
| 84 | - return $this->buildNewResponse($controller, $code, $exception->getMessage()); |
|
| 85 | - } |
|
| 86 | - |
|
| 87 | - throw $exception; |
|
| 88 | - } |
|
| 89 | - |
|
| 90 | - /** |
|
| 91 | - * @param Controller $controller |
|
| 92 | - * @param string $methodName |
|
| 93 | - * @param Response $response |
|
| 94 | - * @return \OCP\AppFramework\Http\Response |
|
| 95 | - */ |
|
| 96 | - public function afterController($controller, $methodName, Response $response) { |
|
| 97 | - /* |
|
| 42 | + /** @var IRequest */ |
|
| 43 | + private $request; |
|
| 44 | + |
|
| 45 | + /** @var int */ |
|
| 46 | + private $ocsVersion; |
|
| 47 | + |
|
| 48 | + /** |
|
| 49 | + * @param IRequest $request |
|
| 50 | + */ |
|
| 51 | + public function __construct(IRequest $request) { |
|
| 52 | + $this->request = $request; |
|
| 53 | + } |
|
| 54 | + |
|
| 55 | + /** |
|
| 56 | + * @param Controller $controller |
|
| 57 | + * @param string $methodName |
|
| 58 | + */ |
|
| 59 | + public function beforeController($controller, $methodName) { |
|
| 60 | + if ($controller instanceof OCSController) { |
|
| 61 | + if (substr_compare($this->request->getScriptName(), '/ocs/v2.php', -strlen('/ocs/v2.php')) === 0) { |
|
| 62 | + $this->ocsVersion = 2; |
|
| 63 | + } else { |
|
| 64 | + $this->ocsVersion = 1; |
|
| 65 | + } |
|
| 66 | + $controller->setOCSVersion($this->ocsVersion); |
|
| 67 | + } |
|
| 68 | + } |
|
| 69 | + |
|
| 70 | + /** |
|
| 71 | + * @param Controller $controller |
|
| 72 | + * @param string $methodName |
|
| 73 | + * @param \Exception $exception |
|
| 74 | + * @throws \Exception |
|
| 75 | + * @return BaseResponse |
|
| 76 | + */ |
|
| 77 | + public function afterException($controller, $methodName, \Exception $exception) { |
|
| 78 | + if ($controller instanceof OCSController && $exception instanceof OCSException) { |
|
| 79 | + $code = $exception->getCode(); |
|
| 80 | + if ($code === 0) { |
|
| 81 | + $code = API::RESPOND_UNKNOWN_ERROR; |
|
| 82 | + } |
|
| 83 | + |
|
| 84 | + return $this->buildNewResponse($controller, $code, $exception->getMessage()); |
|
| 85 | + } |
|
| 86 | + |
|
| 87 | + throw $exception; |
|
| 88 | + } |
|
| 89 | + |
|
| 90 | + /** |
|
| 91 | + * @param Controller $controller |
|
| 92 | + * @param string $methodName |
|
| 93 | + * @param Response $response |
|
| 94 | + * @return \OCP\AppFramework\Http\Response |
|
| 95 | + */ |
|
| 96 | + public function afterController($controller, $methodName, Response $response) { |
|
| 97 | + /* |
|
| 98 | 98 | * If a different middleware has detected that a request unauthorized or forbidden |
| 99 | 99 | * we need to catch the response and convert it to a proper OCS response. |
| 100 | 100 | */ |
| 101 | - if ($controller instanceof OCSController && !($response instanceof BaseResponse)) { |
|
| 102 | - if ($response->getStatus() === Http::STATUS_UNAUTHORIZED || |
|
| 103 | - $response->getStatus() === Http::STATUS_FORBIDDEN) { |
|
| 104 | - |
|
| 105 | - $message = ''; |
|
| 106 | - if ($response instanceof JSONResponse) { |
|
| 107 | - /** @var DataResponse $response */ |
|
| 108 | - $message = $response->getData()['message']; |
|
| 109 | - } |
|
| 110 | - |
|
| 111 | - return $this->buildNewResponse($controller, API::RESPOND_UNAUTHORISED, $message); |
|
| 112 | - } |
|
| 113 | - } |
|
| 114 | - |
|
| 115 | - return $response; |
|
| 116 | - } |
|
| 117 | - |
|
| 118 | - /** |
|
| 119 | - * @param Controller $controller |
|
| 120 | - * @param int $code |
|
| 121 | - * @param string $message |
|
| 122 | - * @return V1Response|V2Response |
|
| 123 | - */ |
|
| 124 | - private function buildNewResponse(Controller $controller, $code, $message) { |
|
| 125 | - $format = $this->getFormat($controller); |
|
| 126 | - |
|
| 127 | - $data = new DataResponse(); |
|
| 128 | - $data->setStatus($code); |
|
| 129 | - if ($this->ocsVersion === 1) { |
|
| 130 | - $response = new V1Response($data, $format, $message); |
|
| 131 | - } else { |
|
| 132 | - $response = new V2Response($data, $format, $message); |
|
| 133 | - } |
|
| 134 | - |
|
| 135 | - return $response; |
|
| 136 | - } |
|
| 137 | - |
|
| 138 | - /** |
|
| 139 | - * @param Controller $controller |
|
| 140 | - * @return string |
|
| 141 | - */ |
|
| 142 | - private function getFormat(Controller $controller) { |
|
| 143 | - // get format from the url format or request format parameter |
|
| 144 | - $format = $this->request->getParam('format'); |
|
| 145 | - |
|
| 146 | - // if none is given try the first Accept header |
|
| 147 | - if($format === null) { |
|
| 148 | - $headers = $this->request->getHeader('Accept'); |
|
| 149 | - $format = $controller->getResponderByHTTPHeader($headers, 'xml'); |
|
| 150 | - } |
|
| 151 | - |
|
| 152 | - return $format; |
|
| 153 | - } |
|
| 101 | + if ($controller instanceof OCSController && !($response instanceof BaseResponse)) { |
|
| 102 | + if ($response->getStatus() === Http::STATUS_UNAUTHORIZED || |
|
| 103 | + $response->getStatus() === Http::STATUS_FORBIDDEN) { |
|
| 104 | + |
|
| 105 | + $message = ''; |
|
| 106 | + if ($response instanceof JSONResponse) { |
|
| 107 | + /** @var DataResponse $response */ |
|
| 108 | + $message = $response->getData()['message']; |
|
| 109 | + } |
|
| 110 | + |
|
| 111 | + return $this->buildNewResponse($controller, API::RESPOND_UNAUTHORISED, $message); |
|
| 112 | + } |
|
| 113 | + } |
|
| 114 | + |
|
| 115 | + return $response; |
|
| 116 | + } |
|
| 117 | + |
|
| 118 | + /** |
|
| 119 | + * @param Controller $controller |
|
| 120 | + * @param int $code |
|
| 121 | + * @param string $message |
|
| 122 | + * @return V1Response|V2Response |
|
| 123 | + */ |
|
| 124 | + private function buildNewResponse(Controller $controller, $code, $message) { |
|
| 125 | + $format = $this->getFormat($controller); |
|
| 126 | + |
|
| 127 | + $data = new DataResponse(); |
|
| 128 | + $data->setStatus($code); |
|
| 129 | + if ($this->ocsVersion === 1) { |
|
| 130 | + $response = new V1Response($data, $format, $message); |
|
| 131 | + } else { |
|
| 132 | + $response = new V2Response($data, $format, $message); |
|
| 133 | + } |
|
| 134 | + |
|
| 135 | + return $response; |
|
| 136 | + } |
|
| 137 | + |
|
| 138 | + /** |
|
| 139 | + * @param Controller $controller |
|
| 140 | + * @return string |
|
| 141 | + */ |
|
| 142 | + private function getFormat(Controller $controller) { |
|
| 143 | + // get format from the url format or request format parameter |
|
| 144 | + $format = $this->request->getParam('format'); |
|
| 145 | + |
|
| 146 | + // if none is given try the first Accept header |
|
| 147 | + if($format === null) { |
|
| 148 | + $headers = $this->request->getHeader('Accept'); |
|
| 149 | + $format = $controller->getResponderByHTTPHeader($headers, 'xml'); |
|
| 150 | + } |
|
| 151 | + |
|
| 152 | + return $format; |
|
| 153 | + } |
|
| 154 | 154 | } |
@@ -71,7 +71,7 @@ |
||
| 71 | 71 | * @param Response $response |
| 72 | 72 | * @return Response |
| 73 | 73 | */ |
| 74 | - public function afterController($controller, $methodName, Response $response){ |
|
| 74 | + public function afterController($controller, $methodName, Response $response) { |
|
| 75 | 75 | $useSession = $this->reflector->hasAnnotation('UseSession'); |
| 76 | 76 | if ($useSession) { |
| 77 | 77 | $this->session->close(); |
@@ -34,41 +34,41 @@ |
||
| 34 | 34 | |
| 35 | 35 | class SessionMiddleware extends Middleware { |
| 36 | 36 | |
| 37 | - /** @var ControllerMethodReflector */ |
|
| 38 | - private $reflector; |
|
| 37 | + /** @var ControllerMethodReflector */ |
|
| 38 | + private $reflector; |
|
| 39 | 39 | |
| 40 | - /** @var ISession */ |
|
| 41 | - private $session; |
|
| 40 | + /** @var ISession */ |
|
| 41 | + private $session; |
|
| 42 | 42 | |
| 43 | - public function __construct(ControllerMethodReflector $reflector, |
|
| 44 | - ISession $session) { |
|
| 45 | - $this->reflector = $reflector; |
|
| 46 | - $this->session = $session; |
|
| 47 | - } |
|
| 43 | + public function __construct(ControllerMethodReflector $reflector, |
|
| 44 | + ISession $session) { |
|
| 45 | + $this->reflector = $reflector; |
|
| 46 | + $this->session = $session; |
|
| 47 | + } |
|
| 48 | 48 | |
| 49 | - /** |
|
| 50 | - * @param Controller $controller |
|
| 51 | - * @param string $methodName |
|
| 52 | - */ |
|
| 53 | - public function beforeController($controller, $methodName) { |
|
| 54 | - $useSession = $this->reflector->hasAnnotation('UseSession'); |
|
| 55 | - if (!$useSession) { |
|
| 56 | - $this->session->close(); |
|
| 57 | - } |
|
| 58 | - } |
|
| 49 | + /** |
|
| 50 | + * @param Controller $controller |
|
| 51 | + * @param string $methodName |
|
| 52 | + */ |
|
| 53 | + public function beforeController($controller, $methodName) { |
|
| 54 | + $useSession = $this->reflector->hasAnnotation('UseSession'); |
|
| 55 | + if (!$useSession) { |
|
| 56 | + $this->session->close(); |
|
| 57 | + } |
|
| 58 | + } |
|
| 59 | 59 | |
| 60 | - /** |
|
| 61 | - * @param Controller $controller |
|
| 62 | - * @param string $methodName |
|
| 63 | - * @param Response $response |
|
| 64 | - * @return Response |
|
| 65 | - */ |
|
| 66 | - public function afterController($controller, $methodName, Response $response){ |
|
| 67 | - $useSession = $this->reflector->hasAnnotation('UseSession'); |
|
| 68 | - if ($useSession) { |
|
| 69 | - $this->session->close(); |
|
| 70 | - } |
|
| 71 | - return $response; |
|
| 72 | - } |
|
| 60 | + /** |
|
| 61 | + * @param Controller $controller |
|
| 62 | + * @param string $methodName |
|
| 63 | + * @param Response $response |
|
| 64 | + * @return Response |
|
| 65 | + */ |
|
| 66 | + public function afterController($controller, $methodName, Response $response){ |
|
| 67 | + $useSession = $this->reflector->hasAnnotation('UseSession'); |
|
| 68 | + if ($useSession) { |
|
| 69 | + $this->session->close(); |
|
| 70 | + } |
|
| 71 | + return $response; |
|
| 72 | + } |
|
| 73 | 73 | |
| 74 | 74 | } |
@@ -26,7 +26,7 @@ |
||
| 26 | 26 | use OCP\AppFramework\Http\EmptyContentSecurityPolicy; |
| 27 | 27 | use OCP\AppFramework\Http\Response; |
| 28 | 28 | |
| 29 | -abstract class BaseResponse extends Response { |
|
| 29 | +abstract class BaseResponse extends Response { |
|
| 30 | 30 | /** @var array */ |
| 31 | 31 | protected $data; |
| 32 | 32 | |
@@ -28,122 +28,122 @@ |
||
| 28 | 28 | use OCP\AppFramework\Http\Response; |
| 29 | 29 | |
| 30 | 30 | abstract class BaseResponse extends Response { |
| 31 | - /** @var array */ |
|
| 32 | - protected $data; |
|
| 33 | - |
|
| 34 | - /** @var string */ |
|
| 35 | - protected $format; |
|
| 36 | - |
|
| 37 | - /** @var string */ |
|
| 38 | - protected $statusMessage; |
|
| 39 | - |
|
| 40 | - /** @var int */ |
|
| 41 | - protected $itemsCount; |
|
| 42 | - |
|
| 43 | - /** @var int */ |
|
| 44 | - protected $itemsPerPage; |
|
| 45 | - |
|
| 46 | - /** |
|
| 47 | - * BaseResponse constructor. |
|
| 48 | - * |
|
| 49 | - * @param DataResponse|null $dataResponse |
|
| 50 | - * @param string $format |
|
| 51 | - * @param string|null $statusMessage |
|
| 52 | - * @param int|null $itemsCount |
|
| 53 | - * @param int|null $itemsPerPage |
|
| 54 | - */ |
|
| 55 | - public function __construct(DataResponse $dataResponse, |
|
| 56 | - $format = 'xml', |
|
| 57 | - $statusMessage = null, |
|
| 58 | - $itemsCount = null, |
|
| 59 | - $itemsPerPage = null) { |
|
| 60 | - parent::__construct(); |
|
| 61 | - |
|
| 62 | - $this->format = $format; |
|
| 63 | - $this->statusMessage = $statusMessage; |
|
| 64 | - $this->itemsCount = $itemsCount; |
|
| 65 | - $this->itemsPerPage = $itemsPerPage; |
|
| 66 | - |
|
| 67 | - $this->data = $dataResponse->getData(); |
|
| 68 | - |
|
| 69 | - $this->setHeaders($dataResponse->getHeaders()); |
|
| 70 | - $this->setStatus($dataResponse->getStatus()); |
|
| 71 | - $this->setETag($dataResponse->getETag()); |
|
| 72 | - $this->setLastModified($dataResponse->getLastModified()); |
|
| 73 | - $this->setCookies($dataResponse->getCookies()); |
|
| 74 | - |
|
| 75 | - if ($format === 'json') { |
|
| 76 | - $this->addHeader( |
|
| 77 | - 'Content-Type', 'application/json; charset=utf-8' |
|
| 78 | - ); |
|
| 79 | - } else { |
|
| 80 | - $this->addHeader( |
|
| 81 | - 'Content-Type', 'application/xml; charset=utf-8' |
|
| 82 | - ); |
|
| 83 | - } |
|
| 84 | - } |
|
| 85 | - |
|
| 86 | - /** |
|
| 87 | - * @param string[] $meta |
|
| 88 | - * @return string |
|
| 89 | - */ |
|
| 90 | - protected function renderResult(array $meta): string { |
|
| 91 | - $status = $this->getStatus(); |
|
| 92 | - if ($status === Http::STATUS_NO_CONTENT || |
|
| 93 | - $status === Http::STATUS_NOT_MODIFIED || |
|
| 94 | - ($status >= 100 && $status <= 199)) { |
|
| 95 | - // Those status codes are not supposed to have a body: |
|
| 96 | - // https://stackoverflow.com/q/8628725 |
|
| 97 | - return ''; |
|
| 98 | - } |
|
| 99 | - |
|
| 100 | - $response = [ |
|
| 101 | - 'ocs' => [ |
|
| 102 | - 'meta' => $meta, |
|
| 103 | - 'data' => $this->data, |
|
| 104 | - ], |
|
| 105 | - ]; |
|
| 106 | - |
|
| 107 | - if ($this->format === 'json') { |
|
| 108 | - return json_encode($response, JSON_HEX_TAG); |
|
| 109 | - } |
|
| 110 | - |
|
| 111 | - $writer = new \XMLWriter(); |
|
| 112 | - $writer->openMemory(); |
|
| 113 | - $writer->setIndent(true); |
|
| 114 | - $writer->startDocument(); |
|
| 115 | - $this->toXML($response, $writer); |
|
| 116 | - $writer->endDocument(); |
|
| 117 | - return $writer->outputMemory(true); |
|
| 118 | - |
|
| 119 | - } |
|
| 120 | - |
|
| 121 | - /** |
|
| 122 | - * @param array $array |
|
| 123 | - * @param \XMLWriter $writer |
|
| 124 | - */ |
|
| 125 | - protected function toXML(array $array, \XMLWriter $writer) { |
|
| 126 | - foreach ($array as $k => $v) { |
|
| 127 | - if ($k[0] === '@') { |
|
| 128 | - $writer->writeAttribute(substr($k, 1), $v); |
|
| 129 | - continue; |
|
| 130 | - } |
|
| 131 | - |
|
| 132 | - if (\is_numeric($k)) { |
|
| 133 | - $k = 'element'; |
|
| 134 | - } |
|
| 135 | - |
|
| 136 | - if (\is_array($v)) { |
|
| 137 | - $writer->startElement($k); |
|
| 138 | - $this->toXML($v, $writer); |
|
| 139 | - $writer->endElement(); |
|
| 140 | - } else { |
|
| 141 | - $writer->writeElement($k, $v); |
|
| 142 | - } |
|
| 143 | - } |
|
| 144 | - } |
|
| 145 | - |
|
| 146 | - public function getOCSStatus() { |
|
| 147 | - return parent::getStatus(); |
|
| 148 | - } |
|
| 31 | + /** @var array */ |
|
| 32 | + protected $data; |
|
| 33 | + |
|
| 34 | + /** @var string */ |
|
| 35 | + protected $format; |
|
| 36 | + |
|
| 37 | + /** @var string */ |
|
| 38 | + protected $statusMessage; |
|
| 39 | + |
|
| 40 | + /** @var int */ |
|
| 41 | + protected $itemsCount; |
|
| 42 | + |
|
| 43 | + /** @var int */ |
|
| 44 | + protected $itemsPerPage; |
|
| 45 | + |
|
| 46 | + /** |
|
| 47 | + * BaseResponse constructor. |
|
| 48 | + * |
|
| 49 | + * @param DataResponse|null $dataResponse |
|
| 50 | + * @param string $format |
|
| 51 | + * @param string|null $statusMessage |
|
| 52 | + * @param int|null $itemsCount |
|
| 53 | + * @param int|null $itemsPerPage |
|
| 54 | + */ |
|
| 55 | + public function __construct(DataResponse $dataResponse, |
|
| 56 | + $format = 'xml', |
|
| 57 | + $statusMessage = null, |
|
| 58 | + $itemsCount = null, |
|
| 59 | + $itemsPerPage = null) { |
|
| 60 | + parent::__construct(); |
|
| 61 | + |
|
| 62 | + $this->format = $format; |
|
| 63 | + $this->statusMessage = $statusMessage; |
|
| 64 | + $this->itemsCount = $itemsCount; |
|
| 65 | + $this->itemsPerPage = $itemsPerPage; |
|
| 66 | + |
|
| 67 | + $this->data = $dataResponse->getData(); |
|
| 68 | + |
|
| 69 | + $this->setHeaders($dataResponse->getHeaders()); |
|
| 70 | + $this->setStatus($dataResponse->getStatus()); |
|
| 71 | + $this->setETag($dataResponse->getETag()); |
|
| 72 | + $this->setLastModified($dataResponse->getLastModified()); |
|
| 73 | + $this->setCookies($dataResponse->getCookies()); |
|
| 74 | + |
|
| 75 | + if ($format === 'json') { |
|
| 76 | + $this->addHeader( |
|
| 77 | + 'Content-Type', 'application/json; charset=utf-8' |
|
| 78 | + ); |
|
| 79 | + } else { |
|
| 80 | + $this->addHeader( |
|
| 81 | + 'Content-Type', 'application/xml; charset=utf-8' |
|
| 82 | + ); |
|
| 83 | + } |
|
| 84 | + } |
|
| 85 | + |
|
| 86 | + /** |
|
| 87 | + * @param string[] $meta |
|
| 88 | + * @return string |
|
| 89 | + */ |
|
| 90 | + protected function renderResult(array $meta): string { |
|
| 91 | + $status = $this->getStatus(); |
|
| 92 | + if ($status === Http::STATUS_NO_CONTENT || |
|
| 93 | + $status === Http::STATUS_NOT_MODIFIED || |
|
| 94 | + ($status >= 100 && $status <= 199)) { |
|
| 95 | + // Those status codes are not supposed to have a body: |
|
| 96 | + // https://stackoverflow.com/q/8628725 |
|
| 97 | + return ''; |
|
| 98 | + } |
|
| 99 | + |
|
| 100 | + $response = [ |
|
| 101 | + 'ocs' => [ |
|
| 102 | + 'meta' => $meta, |
|
| 103 | + 'data' => $this->data, |
|
| 104 | + ], |
|
| 105 | + ]; |
|
| 106 | + |
|
| 107 | + if ($this->format === 'json') { |
|
| 108 | + return json_encode($response, JSON_HEX_TAG); |
|
| 109 | + } |
|
| 110 | + |
|
| 111 | + $writer = new \XMLWriter(); |
|
| 112 | + $writer->openMemory(); |
|
| 113 | + $writer->setIndent(true); |
|
| 114 | + $writer->startDocument(); |
|
| 115 | + $this->toXML($response, $writer); |
|
| 116 | + $writer->endDocument(); |
|
| 117 | + return $writer->outputMemory(true); |
|
| 118 | + |
|
| 119 | + } |
|
| 120 | + |
|
| 121 | + /** |
|
| 122 | + * @param array $array |
|
| 123 | + * @param \XMLWriter $writer |
|
| 124 | + */ |
|
| 125 | + protected function toXML(array $array, \XMLWriter $writer) { |
|
| 126 | + foreach ($array as $k => $v) { |
|
| 127 | + if ($k[0] === '@') { |
|
| 128 | + $writer->writeAttribute(substr($k, 1), $v); |
|
| 129 | + continue; |
|
| 130 | + } |
|
| 131 | + |
|
| 132 | + if (\is_numeric($k)) { |
|
| 133 | + $k = 'element'; |
|
| 134 | + } |
|
| 135 | + |
|
| 136 | + if (\is_array($v)) { |
|
| 137 | + $writer->startElement($k); |
|
| 138 | + $this->toXML($v, $writer); |
|
| 139 | + $writer->endElement(); |
|
| 140 | + } else { |
|
| 141 | + $writer->writeElement($k, $v); |
|
| 142 | + } |
|
| 143 | + } |
|
| 144 | + } |
|
| 145 | + |
|
| 146 | + public function getOCSStatus() { |
|
| 147 | + return parent::getStatus(); |
|
| 148 | + } |
|
| 149 | 149 | } |
@@ -27,50 +27,50 @@ |
||
| 27 | 27 | |
| 28 | 28 | class V2Response extends BaseResponse { |
| 29 | 29 | |
| 30 | - /** |
|
| 31 | - * The V2 endpoint just passes on status codes. |
|
| 32 | - * Of course we have to map the OCS specific codes to proper HTTP status codes |
|
| 33 | - * |
|
| 34 | - * @return int |
|
| 35 | - */ |
|
| 36 | - public function getStatus() { |
|
| 30 | + /** |
|
| 31 | + * The V2 endpoint just passes on status codes. |
|
| 32 | + * Of course we have to map the OCS specific codes to proper HTTP status codes |
|
| 33 | + * |
|
| 34 | + * @return int |
|
| 35 | + */ |
|
| 36 | + public function getStatus() { |
|
| 37 | 37 | |
| 38 | - $status = parent::getStatus(); |
|
| 39 | - if ($status === API::RESPOND_UNAUTHORISED) { |
|
| 40 | - return Http::STATUS_UNAUTHORIZED; |
|
| 41 | - } else if ($status === API::RESPOND_NOT_FOUND) { |
|
| 42 | - return Http::STATUS_NOT_FOUND; |
|
| 43 | - } else if ($status === API::RESPOND_SERVER_ERROR || $status === API::RESPOND_UNKNOWN_ERROR) { |
|
| 44 | - return Http::STATUS_INTERNAL_SERVER_ERROR; |
|
| 45 | - } else if ($status < 200 || $status > 600) { |
|
| 46 | - return Http::STATUS_BAD_REQUEST; |
|
| 47 | - } |
|
| 38 | + $status = parent::getStatus(); |
|
| 39 | + if ($status === API::RESPOND_UNAUTHORISED) { |
|
| 40 | + return Http::STATUS_UNAUTHORIZED; |
|
| 41 | + } else if ($status === API::RESPOND_NOT_FOUND) { |
|
| 42 | + return Http::STATUS_NOT_FOUND; |
|
| 43 | + } else if ($status === API::RESPOND_SERVER_ERROR || $status === API::RESPOND_UNKNOWN_ERROR) { |
|
| 44 | + return Http::STATUS_INTERNAL_SERVER_ERROR; |
|
| 45 | + } else if ($status < 200 || $status > 600) { |
|
| 46 | + return Http::STATUS_BAD_REQUEST; |
|
| 47 | + } |
|
| 48 | 48 | |
| 49 | - return $status; |
|
| 50 | - } |
|
| 49 | + return $status; |
|
| 50 | + } |
|
| 51 | 51 | |
| 52 | - /** |
|
| 53 | - * Construct the meta part of the response |
|
| 54 | - * And then late the base class render |
|
| 55 | - * |
|
| 56 | - * @return string |
|
| 57 | - */ |
|
| 58 | - public function render() { |
|
| 59 | - $status = parent::getStatus(); |
|
| 52 | + /** |
|
| 53 | + * Construct the meta part of the response |
|
| 54 | + * And then late the base class render |
|
| 55 | + * |
|
| 56 | + * @return string |
|
| 57 | + */ |
|
| 58 | + public function render() { |
|
| 59 | + $status = parent::getStatus(); |
|
| 60 | 60 | |
| 61 | - $meta = [ |
|
| 62 | - 'status' => $status >= 200 && $status < 300 ? 'ok' : 'failure', |
|
| 63 | - 'statuscode' => $this->getOCSStatus(), |
|
| 64 | - 'message' => $status >= 200 && $status < 300 ? 'OK' : $this->statusMessage, |
|
| 65 | - ]; |
|
| 61 | + $meta = [ |
|
| 62 | + 'status' => $status >= 200 && $status < 300 ? 'ok' : 'failure', |
|
| 63 | + 'statuscode' => $this->getOCSStatus(), |
|
| 64 | + 'message' => $status >= 200 && $status < 300 ? 'OK' : $this->statusMessage, |
|
| 65 | + ]; |
|
| 66 | 66 | |
| 67 | - if ($this->itemsCount !== null) { |
|
| 68 | - $meta['totalitems'] = $this->itemsCount; |
|
| 69 | - } |
|
| 70 | - if ($this->itemsPerPage !== null) { |
|
| 71 | - $meta['itemsperpage'] = $this->itemsPerPage; |
|
| 72 | - } |
|
| 67 | + if ($this->itemsCount !== null) { |
|
| 68 | + $meta['totalitems'] = $this->itemsCount; |
|
| 69 | + } |
|
| 70 | + if ($this->itemsPerPage !== null) { |
|
| 71 | + $meta['itemsperpage'] = $this->itemsPerPage; |
|
| 72 | + } |
|
| 73 | 73 | |
| 74 | - return $this->renderResult($meta); |
|
| 75 | - } |
|
| 74 | + return $this->renderResult($meta); |
|
| 75 | + } |
|
| 76 | 76 | } |
@@ -35,7 +35,7 @@ |
||
| 35 | 35 | */ |
| 36 | 36 | public function getStatus() { |
| 37 | 37 | |
| 38 | - $status = parent::getStatus(); |
|
| 38 | + $status = parent::getStatus(); |
|
| 39 | 39 | if ($status === API::RESPOND_UNAUTHORISED) { |
| 40 | 40 | return Http::STATUS_UNAUTHORIZED; |
| 41 | 41 | } else if ($status === API::RESPOND_NOT_FOUND) { |
