author | Roeland Jago Douma <rullzer@owncloud.com> | 2016-04-22 15:28:09 +0200 |
---|---|---|
committer | Roeland Jago Douma <rullzer@owncloud.com> | 2016-04-22 15:28:09 +0200 |
commit | 1d33a5ef133d917074a94d40a939b6cbbe698711 (patch) | |
tree | 6880e3e6eb5b5c5be2a39d078416f92e7b359b91 /lib/private/appframework/middleware | |
parent | 606b756a94643eaae87e18b39f6c75e6d18fec7e (diff) | |
download | nextcloud-server-1d33a5ef133d917074a94d40a939b6cbbe698711.tar.gz nextcloud-server-1d33a5ef133d917074a94d40a939b6cbbe698711.zip |
Move \OC\AppFramework to PSR-4
* Also moved the autoloader setup a bit up since we need it in initpaths
Diffstat (limited to 'lib/private/appframework/middleware')
9 files changed, 0 insertions, 797 deletions
diff --git a/lib/private/appframework/middleware/middlewaredispatcher.php b/lib/private/appframework/middleware/middlewaredispatcher.php
deleted file mode 100644
index 4bd25f79bba..00000000000
--- a/lib/private/appframework/middleware/middlewaredispatcher.php
+++ /dev/null
@@ -1,162 +0,0 @@
-<?php
-/**
- * @author Jörn Friedrich Dreyer <jfd@butonic.de>
- * @author Lukas Reschke <lukas@owncloud.com>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- * @author Thomas Tanghus <thomas@tanghus.net>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-
-namespace OC\AppFramework\Middleware;
-
-use OCP\AppFramework\Controller;
-use OCP\AppFramework\Http\Response;
-use OCP\AppFramework\MiddleWare;
-
-/**
- * This class is used to store and run all the middleware in correct order
- */
-class MiddlewareDispatcher {
-
- /**
- * @var array array containing all the middlewares
- */
- private $middlewares;
-
- /**
- * @var int counter which tells us what middlware was executed once an
- * exception occurs
- */
- private $middlewareCounter;
-
-
- /**
- * Constructor
- */
- public function __construct(){
- $this->middlewares = array();
- $this->middlewareCounter = 0;
- }
-
-
- /**
- * Adds a new middleware
- * @param Middleware $middleWare the middleware which will be added
- */
- public function registerMiddleware(Middleware $middleWare){
- array_push($this->middlewares, $middleWare);
- }
-
-
- /**
- * returns an array with all middleware elements
- * @return array the middlewares
- */
- public function getMiddlewares(){
- return $this->middlewares;
- }
-
-
- /**
- * This is being run in normal order before the controller is being
- * called which allows several modifications and checks
- *
- * @param Controller $controller the controller that is being called
- * @param string $methodName the name of the method that will be called on
- * the controller
- */
- public function beforeController(Controller $controller, $methodName){
- // we need to count so that we know which middlewares we have to ask in
- // case there is an exception
- $middlewareCount = count($this->middlewares);
- for($i = 0; $i < $middlewareCount; $i++){
- $this->middlewareCounter++;
- $middleware = $this->middlewares[$i];
- $middleware->beforeController($controller, $methodName);
- }
- }
-
-
- /**
- * This is being run when either the beforeController method or the
- * controller method itself is throwing an exception. The middleware is asked
- * in reverse order to handle the exception and to return a response.
- * If the response is null, it is assumed that the exception could not be
- * handled and the error will be thrown again
- *
- * @param Controller $controller the controller that is being called
- * @param string $methodName the name of the method that will be called on
- * the controller
- * @param \Exception $exception the thrown exception
- * @return Response a Response object if the middleware can handle the
- * exception
- * @throws \Exception the passed in exception if it can't handle it
- */
- public function afterException(Controller $controller, $methodName, \Exception $exception){
- for($i=$this->middlewareCounter-1; $i>=0; $i--){
- $middleware = $this->middlewares[$i];
- try {
- return $middleware->afterException($controller, $methodName, $exception);
- } catch(\Exception $exception){
- continue;
- }
- }
- throw $exception;
- }
-
-
- /**
- * This is being run after a successful controllermethod call and allows
- * the manipulation of a Response object. The middleware is run in reverse order
- *
- * @param Controller $controller the controller that is being called
- * @param string $methodName the name of the method that will be called on
- * the controller
- * @param Response $response the generated response from the controller
- * @return Response a Response object
- */
- public function afterController(Controller $controller, $methodName, Response $response){
- for($i=count($this->middlewares)-1; $i>=0; $i--){
- $middleware = $this->middlewares[$i];
- $response = $middleware->afterController($controller, $methodName, $response);
- }
- return $response;
- }
-
-
- /**
- * This is being run after the response object has been rendered and
- * allows the manipulation of the output. The middleware is run in reverse order
- *
- * @param Controller $controller the controller that is being called
- * @param string $methodName the name of the method that will be called on
- * the controller
- * @param string $output the generated output from a response
- * @return string the output that should be printed
- */
- public function beforeOutput(Controller $controller, $methodName, $output){
- for($i=count($this->middlewares)-1; $i>=0; $i--){
- $middleware = $this->middlewares[$i];
- $output = $middleware->beforeOutput($controller, $methodName, $output);
- }
- return $output;
- }
-
-}
diff --git a/lib/private/appframework/middleware/security/corsmiddleware.php b/lib/private/appframework/middleware/security/corsmiddleware.php
deleted file mode 100644
index 258119b326a..00000000000
--- a/lib/private/appframework/middleware/security/corsmiddleware.php
+++ /dev/null
@@ -1,155 +0,0 @@
-<?php
-/**
- * @author Bernhard Posselt <dev@bernhard-posselt.com>
- * @author Lukas Reschke <lukas@owncloud.com>
- * @author Morris Jobke <hey@morrisjobke.de>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-namespace OC\AppFramework\Middleware\Security;
-
-use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
-use OC\AppFramework\Utility\ControllerMethodReflector;
-use OCP\AppFramework\Controller;
-use OCP\AppFramework\Http;
-use OCP\AppFramework\Http\JSONResponse;
-use OCP\IRequest;
-use OCP\IUserSession;
-use OCP\AppFramework\Http\Response;
-use OCP\AppFramework\Middleware;
-
-/**
- * This middleware sets the correct CORS headers on a response if the
- * controller has the @CORS annotation. This is needed for webapps that want
- * to access an API and don't run on the same domain, see
- * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
- */
-class CORSMiddleware extends Middleware {
-
- /**
- * @var IRequest
- */
- private $request;
-
- /**
- * @var ControllerMethodReflector
- */
- private $reflector;
-
- /**
- * @var IUserSession
- */
- private $session;
-
- /**
- * @param IRequest $request
- * @param ControllerMethodReflector $reflector
- * @param IUserSession $session
- */
- public function __construct(IRequest $request,
- ControllerMethodReflector $reflector,
- IUserSession $session) {
- $this->request = $request;
- $this->reflector = $reflector;
- $this->session = $session;
- }
-
- /**
- * This is being run in normal order before the controller is being
- * called which allows several modifications and checks
- *
- * @param Controller $controller the controller that is being called
- * @param string $methodName the name of the method that will be called on
- * the controller
- * @throws SecurityException
- * @since 6.0.0
- */
- public function beforeController($controller, $methodName){
- // ensure that @CORS annotated API routes are not used in conjunction
- // with session authentication since this enables CSRF attack vectors
- if ($this->reflector->hasAnnotation('CORS') &&
- !$this->reflector->hasAnnotation('PublicPage')) {
- $user = $this->request->server['PHP_AUTH_USER'];
- $pass = $this->request->server['PHP_AUTH_PW'];
-
- $this->session->logout();
- if(!$this->session->login($user, $pass)) {
- throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
- }
- }
- }
-
- /**
- * This is being run after a successful controllermethod call and allows
- * the manipulation of a Response object. The middleware is run in reverse order
- *
- * @param Controller $controller the controller that is being called
- * @param string $methodName the name of the method that will be called on
- * the controller
- * @param Response $response the generated response from the controller
- * @return Response a Response object
- * @throws SecurityException
- */
- public function afterController($controller, $methodName, Response $response){
- // only react if its a CORS request and if the request sends origin and
-
- if(isset($this->request->server['HTTP_ORIGIN']) &&
- $this->reflector->hasAnnotation('CORS')) {
-
- // allow credentials headers must not be true or CSRF is possible
- // otherwise
- foreach($response->getHeaders() as $header => $value) {
- if(strtolower($header) === 'access-control-allow-credentials' &&
- strtolower(trim($value)) === 'true') {
- $msg = 'Access-Control-Allow-Credentials must not be '.
- 'set to true in order to prevent CSRF';
- throw new SecurityException($msg);
- }
- }
-
- $origin = $this->request->server['HTTP_ORIGIN'];
- $response->addHeader('Access-Control-Allow-Origin', $origin);
- }
- return $response;
- }
-
- /**
- * If an SecurityException is being caught return a JSON error response
- *
- * @param Controller $controller the controller that is being called
- * @param string $methodName the name of the method that will be called on
- * the controller
- * @param \Exception $exception the thrown exception
- * @throws \Exception the passed in exception if it can't handle it
- * @return Response a Response object or null in case that the exception could not be handled
- */
- public function afterException($controller, $methodName, \Exception $exception){
- if($exception instanceof SecurityException){
- $response = new JSONResponse(['message' => $exception->getMessage()]);
- if($exception->getCode() !== 0) {
- $response->setStatus($exception->getCode());
- } else {
- $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
- }
- return $response;
- }
-
- throw $exception;
- }
-
-}
diff --git a/lib/private/appframework/middleware/security/exceptions/appnotenabledexception.php b/lib/private/appframework/middleware/security/exceptions/appnotenabledexception.php
deleted file mode 100644
index 59e247f3307..00000000000
--- a/lib/private/appframework/middleware/security/exceptions/appnotenabledexception.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-/**
- * @author Lukas Reschke <lukas@owncloud.com>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-namespace OC\Appframework\Middleware\Security\Exceptions;
-
-use OCP\AppFramework\Http;
-
-/**
- * Class AppNotEnabledException is thrown when a resource for an application is
- * requested that is not enabled.
- *
- * @package OC\Appframework\Middleware\Security\Exceptions
- */
-class AppNotEnabledException extends SecurityException {
- public function __construct() {
- parent::__construct('App is not enabled', Http::STATUS_PRECONDITION_FAILED);
- }
-}
diff --git a/lib/private/appframework/middleware/security/exceptions/crosssiterequestforgeryexception.php b/lib/private/appframework/middleware/security/exceptions/crosssiterequestforgeryexception.php
deleted file mode 100644
index 0eeb81730d4..00000000000
--- a/lib/private/appframework/middleware/security/exceptions/crosssiterequestforgeryexception.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-/**
- * @author Lukas Reschke <lukas@owncloud.com>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-namespace OC\Appframework\Middleware\Security\Exceptions;
-
-use OCP\AppFramework\Http;
-
-/**
- * Class CrossSiteRequestForgeryException is thrown when a CSRF exception has
- * been encountered.
- *
- * @package OC\Appframework\Middleware\Security\Exceptions
- */
-class CrossSiteRequestForgeryException extends SecurityException {
- public function __construct() {
- parent::__construct('CSRF check failed', Http::STATUS_PRECONDITION_FAILED);
- }
-}
diff --git a/lib/private/appframework/middleware/security/exceptions/notadminexception.php b/lib/private/appframework/middleware/security/exceptions/notadminexception.php
deleted file mode 100644
index be0f2f9d2a9..00000000000
--- a/lib/private/appframework/middleware/security/exceptions/notadminexception.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-/**
- * @author Lukas Reschke <lukas@owncloud.com>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-namespace OC\Appframework\Middleware\Security\Exceptions;
-
-use OCP\AppFramework\Http;
-
-/**
- * Class NotAdminException is thrown when a resource has been requested by a
- * non-admin user that is not accessible to non-admin users.
- *
- * @package OC\Appframework\Middleware\Security\Exceptions
- */
-class NotAdminException extends SecurityException {
- public function __construct() {
- parent::__construct('Logged in user must be an admin', Http::STATUS_FORBIDDEN);
- }
-}
diff --git a/lib/private/appframework/middleware/security/exceptions/notloggedinexception.php b/lib/private/appframework/middleware/security/exceptions/notloggedinexception.php
deleted file mode 100644
index f5b2e032032..00000000000
--- a/lib/private/appframework/middleware/security/exceptions/notloggedinexception.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-/**
- * @author Lukas Reschke <lukas@owncloud.com>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-namespace OC\Appframework\Middleware\Security\Exceptions;
-
-use OCP\AppFramework\Http;
-
-/**
- * Class NotLoggedInException is thrown when a resource has been requested by a
- * guest user that is not accessible to the public.
- *
- * @package OC\Appframework\Middleware\Security\Exceptions
- */
-class NotLoggedInException extends SecurityException {
- public function __construct() {
- parent::__construct('Current user is not logged in', Http::STATUS_UNAUTHORIZED);
- }
-}
diff --git a/lib/private/appframework/middleware/security/exceptions/securityexception.php b/lib/private/appframework/middleware/security/exceptions/securityexception.php
deleted file mode 100644
index c86614ec477..00000000000
--- a/lib/private/appframework/middleware/security/exceptions/securityexception.php
+++ /dev/null
@@ -1,32 +0,0 @@
-<?php
-/**
- * @author Lukas Reschke <lukas@owncloud.com>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-namespace OC\AppFramework\Middleware\Security\Exceptions;
-
-/**
- * Class SecurityException is the base class for security exceptions thrown by
- * the security middleware.
- *
- * @package OC\AppFramework\Middleware\Security\Exceptions
- */
-class SecurityException extends \Exception {}
diff --git a/lib/private/appframework/middleware/security/securitymiddleware.php b/lib/private/appframework/middleware/security/securitymiddleware.php
deleted file mode 100644
index 4afd29cd060..00000000000
--- a/lib/private/appframework/middleware/security/securitymiddleware.php
+++ /dev/null
@@ -1,215 +0,0 @@
-<?php
-/**
- * @author Bernhard Posselt <dev@bernhard-posselt.com>
- * @author Lukas Reschke <lukas@owncloud.com>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- * @author Thomas Tanghus <thomas@tanghus.net>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-
-namespace OC\AppFramework\Middleware\Security;
-
-use OC\Appframework\Middleware\Security\Exceptions\AppNotEnabledException;
-use OC\Appframework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
-use OC\Appframework\Middleware\Security\Exceptions\NotAdminException;
-use OC\Appframework\Middleware\Security\Exceptions\NotLoggedInException;
-use OC\AppFramework\Utility\ControllerMethodReflector;
-use OC\Security\CSP\ContentSecurityPolicyManager;
-use OCP\AppFramework\Http\ContentSecurityPolicy;
-use OCP\AppFramework\Http\RedirectResponse;
-use OCP\AppFramework\Http\TemplateResponse;
-use OCP\AppFramework\Middleware;
-use OCP\AppFramework\Http\Response;
-use OCP\AppFramework\Http\JSONResponse;
-use OCP\INavigationManager;
-use OCP\IURLGenerator;
-use OCP\IRequest;
-use OCP\ILogger;
-use OCP\AppFramework\Controller;
-use OCP\Util;
-use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
-
-/**
- * Used to do all the authentication and checking stuff for a controller method
- It reads out the annotations of a controller method and checks which if
- security things should be checked and also handles errors in case a security
- check fails
- */
-class SecurityMiddleware extends Middleware {
- /** @var INavigationManager */
- private $navigationManager;
- /** @var IRequest */
- private $request;
- /** @var ControllerMethodReflector */
- private $reflector;
- /** @var string */
- private $appName;
- /** @var IURLGenerator */
- private $urlGenerator;
- /** @var ILogger */
- private $logger;
- /** @var bool */
- private $isLoggedIn;
- /** @var bool */
- private $isAdminUser;
- /** @var ContentSecurityPolicyManager */
- private $contentSecurityPolicyManager;
-
- /**
- * @param IRequest $request
- * @param ControllerMethodReflector $reflector
- * @param INavigationManager $navigationManager
- * @param IURLGenerator $urlGenerator
- * @param ILogger $logger
- * @param string $appName
- * @param bool $isLoggedIn
- * @param bool $isAdminUser
- * @param ContentSecurityPolicyManager $contentSecurityPolicyManager
- */
- public function __construct(IRequest $request,
- ControllerMethodReflector $reflector,
- INavigationManager $navigationManager,
- IURLGenerator $urlGenerator,
- ILogger $logger,
- $appName,
- $isLoggedIn,
- $isAdminUser,
- ContentSecurityPolicyManager $contentSecurityPolicyManager) {
- $this->navigationManager = $navigationManager;
- $this->request = $request;
- $this->reflector = $reflector;
- $this->appName = $appName;
- $this->urlGenerator = $urlGenerator;
- $this->logger = $logger;
- $this->isLoggedIn = $isLoggedIn;
- $this->isAdminUser = $isAdminUser;
- $this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
- }
-
-
- /**
- * This runs all the security checks before a method call. The security checks are determined by inspecting the controller method
- annotations
- * @param string $controller the controllername or string
- * @param string $methodName the name of the method
- * @throws SecurityException when a security check fails
- */
- public function beforeController($controller, $methodName) {
-
- // this will set the current navigation entry of the app, use this only
- // for normal HTML requests and not for AJAX requests
- $this->navigationManager->setActiveEntry($this->appName);
-
- // security checks
- $isPublicPage = $this->reflector->hasAnnotation('PublicPage');
- if(!$isPublicPage) {
- if(!$this->isLoggedIn) {
- throw new NotLoggedInException();
- }
-
- if(!$this->reflector->hasAnnotation('NoAdminRequired')) {
- if(!$this->isAdminUser) {
- throw new NotAdminException();
- }
- }
- }
-
- // CSRF check - also registers the CSRF token since the session may be closed later
- Util::callRegister();
- if(!$this->reflector->hasAnnotation('NoCSRFRequired')) {
- if(!$this->request->passesCSRFCheck()) {
- throw new CrossSiteRequestForgeryException();
- }
- }
-
- /**
- * FIXME: Use DI once available
- * Checks if app is enabled (also includes a check whether user is allowed to access the resource)
- * The getAppPath() check is here since components such as settings also use the AppFramework and
- * therefore won't pass this check.
- */
- if(\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) {
- throw new AppNotEnabledException();
- }
-
- }
-
- /**
- * Performs the default CSP modifications that may be injected by other
- * applications
- *
- * @param Controller $controller
- * @param string $methodName
- * @param Response $response
- * @return Response
- */
- public function afterController($controller, $methodName, Response $response) {
- $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
-
- $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
- $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
-
- $response->setContentSecurityPolicy($defaultPolicy);
-
- return $response;
- }
-
- /**
- * If an SecurityException is being caught, ajax requests return a JSON error
- * response and non ajax requests redirect to the index
- * @param Controller $controller the controller that is being called
- * @param string $methodName the name of the method that will be called on
- * the controller
- * @param \Exception $exception the thrown exception
- * @throws \Exception the passed in exception if it can't handle it
- * @return Response a Response object or null in case that the exception could not be handled
- */
- public function afterException($controller, $methodName, \Exception $exception) {
- if($exception instanceof SecurityException) {
-
- if (stripos($this->request->getHeader('Accept'),'html') === false) {
- $response = new JSONResponse(
- array('message' => $exception->getMessage()),
- $exception->getCode()
- );
- } else {
- if($exception instanceof NotLoggedInException) {
- $url = $this->urlGenerator->linkToRoute(
- 'core.login.showLoginForm',
- [
- 'redirect_url' => urlencode($this->request->server['REQUEST_URI']),
- ]
- );
- $response = new RedirectResponse($url);
- } else {
- $response = new TemplateResponse('core', '403', ['file' => $exception->getMessage()], 'guest');
- $response->setStatus($exception->getCode());
- }
- }
-
- $this->logger->debug($exception->getMessage());
- return $response;
- }
-
- throw $exception;
- }
-
-}
diff --git a/lib/private/appframework/middleware/sessionmiddleware.php b/lib/private/appframework/middleware/sessionmiddleware.php
deleted file mode 100644
index b218b48ea11..00000000000
--- a/lib/private/appframework/middleware/sessionmiddleware.php
+++ /dev/null
@@ -1,81 +0,0 @@
-<?php
-/**
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-namespace OC\AppFramework\Middleware;
-
-use OC\AppFramework\Utility\ControllerMethodReflector;
-use OCP\IRequest;
-use OCP\AppFramework\Http\Response;
-use OCP\AppFramework\Middleware;
-use OCP\ISession;
-
-class SessionMiddleware extends Middleware {
-
- /**
- * @var IRequest
- */
- private $request;
-
- /**
- * @var ControllerMethodReflector
- */
- private $reflector;
-
- /**
- * @param IRequest $request
- * @param ControllerMethodReflector $reflector
- */
- public function __construct(IRequest $request,
- ControllerMethodReflector $reflector,
- ISession $session
-) {
- $this->request = $request;
- $this->reflector = $reflector;
- $this->session = $session;
- }
-
- /**
- * @param \OCP\AppFramework\Controller $controller
- * @param string $methodName
- */
- public function beforeController($controller, $methodName) {
- $useSession = $this->reflector->hasAnnotation('UseSession');
- if (!$useSession) {
- $this->session->close();
- }
- }
-
- /**
- * @param \OCP\AppFramework\Controller $controller
- * @param string $methodName
- * @param Response $response
- * @return Response
- */
- public function afterController($controller, $methodName, Response $response){
- $useSession = $this->reflector->hasAnnotation('UseSession');
- if ($useSession) {
- $this->session->close();
- }
- return $response;
- }
-
-}
|