Diffstat (limited to 'core/Controller')
-rw-r--r-- | core/Controller/AvatarController.php | 20 | ||||
-rw-r--r-- | core/Controller/GuestAvatarController.php | 6 | ||||
-rw-r--r-- | core/Controller/OCJSController.php | 5 | ||||
-rw-r--r-- | core/Controller/ProfilePageController.php | 13 | ||||
-rw-r--r-- | core/Controller/UnifiedSearchController.php | 7 | ||||
-rw-r--r-- | core/Controller/UnsupportedBrowserController.php | 4 |
6 files changed, 42 insertions, 13 deletions
diff --git a/core/Controller/AvatarController.php b/core/Controller/AvatarController.php index 03f59fd6439..2f8dfc85e73 100644 --- a/core/Controller/AvatarController.php +++ b/core/Controller/AvatarController.php @@ -38,6 +38,7 @@ use OCP\AppFramework\Http\Attribute\FrontpageRoute; use OCP\AppFramework\Http\DataDisplayResponse; use OCP\AppFramework\Http\FileDisplayResponse; use OCP\AppFramework\Http\JSONResponse; +use OCP\AppFramework\Http\Response; use OCP\Files\File; use OCP\Files\IRootFolder; use OCP\IAvatarManager; @@ -64,6 +65,7 @@ class AvatarController extends Controller { protected LoggerInterface $logger, protected ?string $userId, protected TimeFactory $timeFactory, + protected GuestAvatarController $guestAvatarController, ) { parent::__construct($appName, $request); } @@ -78,13 +80,15 @@ class AvatarController extends Controller { * * @param string $userId ID of the user * @param int $size Size of the avatar - * @return FileDisplayResponse<Http::STATUS_OK, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|JSONResponse<Http::STATUS_NOT_FOUND, array<empty>, array{}> + * @param bool $guestFallback Fallback to guest avatar if not found + * @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|JSONResponse<Http::STATUS_NOT_FOUND, array<empty>, array{}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}> * * 200: Avatar returned + * 201: Avatar returned * 404: Avatar not found */ #[FrontpageRoute(verb: 'GET', url: '/avatar/{userId}/{size}/dark')] - public function getAvatarDark(string $userId, int $size) { + public function getAvatarDark(string $userId, int $size, bool $guestFallback = false) { if ($size <= 64) { if ($size !== 64) { $this->logger->debug('Avatar requested in deprecated size ' . $size); 
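Review bot: `$guestFallback` is added to a `#[FrontpageRoute]` handler, and the AppFramework dispatcher fills controller parameters from request parameters, so it presumably becomes a client-settable `guestFallback` query parameter rather than an internal switch; if only server-side callers are meant to trigger the guest fallback, the docblock should say so, or the switch should not be a method parameter. The docblock also lists `201: Avatar returned` directly under `200: Avatar returned`, which leaves the reader unable to tell the two apart; `201: Generated guest avatar returned` matches what the fallback produces, and the newly declared `Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}>` has no matching `500:` line. The same applies to the getAvatar docblock at `@@ -125`. Both method bodies continue outside their hunks.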
@@ -106,6 +110,9 @@ class AvatarController extends Controller { ['Content-Type' => $avatarFile->getMimeType(), 'X-NC-IsCustomAvatar' => (int)$avatar->isCustomAvatar()] ); } catch (\Exception $e) { + if ($guestFallback) { + return $this->guestAvatarController->getAvatarDark($userId, (string)$size); + } return new JSONResponse([], Http::STATUS_NOT_FOUND); } @@ -125,13 +132,15 @@ class AvatarController extends Controller { * * @param string $userId ID of the user * @param int $size Size of the avatar - * @return FileDisplayResponse<Http::STATUS_OK, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|JSONResponse<Http::STATUS_NOT_FOUND, array<empty>, array{}> + * @param bool $guestFallback Fallback to guest avatar if not found + * @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|JSONResponse<Http::STATUS_NOT_FOUND, array<empty>, array{}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}> * * 200: Avatar returned + * 201: Avatar returned * 404: Avatar not found */ #[FrontpageRoute(verb: 'GET', url: '/avatar/{userId}/{size}')] - public function getAvatar(string $userId, int $size) { + public function getAvatar(string $userId, int $size, bool $guestFallback = false) { if ($size <= 64) { if ($size !== 64) { $this->logger->debug('Avatar requested in deprecated size ' . $size); @@ -153,6 +162,9 @@ class AvatarController extends Controller { ['Content-Type' => $avatarFile->getMimeType(), 'X-NC-IsCustomAvatar' => (int)$avatar->isCustomAvatar()] ); } catch (\Exception $e) { + if ($guestFallback) { + return $this->guestAvatarController->getAvatar($userId, (string)$size); + } return new JSONResponse([], Http::STATUS_NOT_FOUND); } diff --git a/core/Controller/GuestAvatarController.php b/core/Controller/GuestAvatarController.php index 5e6f2438dd6..63e4b264ca0 100644 --- a/core/Controller/GuestAvatarController.php +++ b/core/Controller/GuestAvatarController.php 
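Review bot: The fallback at `@@ -106` calls `GuestAvatarController::getAvatarDark()` directly, so whatever the framework applies to that controller's own route through middleware (attributes, CSRF/CORS handling, response post-processing) is not applied to the response produced here; if the guest route carries any protection, it is bypassed on this path, which should at least be stated in a comment. The fallback also sits inside `catch (\Exception $e)`, so any failure in the avatar code path, not only a missing avatar, is converted into a freshly generated guest avatar and `$e` is discarded; logging it before falling back, e.g. `$this->logger->debug('Falling back to guest avatar', ['exception' => $e]);`, keeps real errors visible. Note that `$userId` is handed to the guest controller as the guest name, so any string the route accepts reaches the avatar generator, presumably the same surface as the guest route itself. The same points apply to the getAvatar hunk at `@@ -153`; both enclosing methods start outside their hunks.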
@@ -57,7 +57,7 @@ class GuestAvatarController extends Controller { * @param string $guestName The guest name, e.g. "Albert" * @param string $size The desired avatar size, e.g. 64 for 64x64px * @param bool|null $darkTheme Return dark avatar - * @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}> + * @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}> * * 200: Custom avatar returned * 201: Avatar returned @@ -86,7 +86,7 @@ class GuestAvatarController extends Controller { $resp = new FileDisplayResponse( $avatarFile, $avatar->isCustomAvatar() ? Http::STATUS_OK : Http::STATUS_CREATED, - ['Content-Type' => $avatarFile->getMimeType()] + ['Content-Type' => $avatarFile->getMimeType(), 'X-NC-IsCustomAvatar' => (int)$avatar->isCustomAvatar()] ); } catch (\Exception $e) { $this->logger->error('error while creating guest avatar', [ @@ -110,7 +110,7 @@ class GuestAvatarController extends Controller { * * @param string $guestName The guest name, e.g. "Albert" * @param string $size The desired avatar size, e.g. 64 for 64x64px - * @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}> + * @return FileDisplayResponse<Http::STATUS_OK|Http::STATUS_CREATED, array{Content-Type: string, X-NC-IsCustomAvatar: int}>|Response<Http::STATUS_INTERNAL_SERVER_ERROR, array{}> * * 200: Custom avatar returned * 201: Avatar returned diff --git a/core/Controller/OCJSController.php b/core/Controller/OCJSController.php index dbb203e827f..4dc3a0a4b9c 100644 --- a/core/Controller/OCJSController.php +++ b/core/Controller/OCJSController.php 
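Review bot: The `X-NC-IsCustomAvatar` header is added only in the hunk at `@@ -86`, while the hunk at `@@ -110` changes just the docblock of the second method; unless that method delegates to the code at `@@ -86` (not visible here), its response will not carry the header its `@return` type now promises. Worth confirming, and adding the header there too if that method builds its own `FileDisplayResponse`. Both enclosing methods start and end outside their hunks.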
@@ -29,6 +29,7 @@ namespace OC\Core\Controller; use bantu\IniGetWrapper\IniGetWrapper; +use OC\Authentication\Token\IProvider; use OC\CapabilitiesManager; use OC\Template\JSConfigHelper; use OCP\App\IAppManager; @@ -65,6 +66,7 @@ class OCJSController extends Controller { IURLGenerator $urlGenerator, CapabilitiesManager $capabilitiesManager, IInitialStateService $initialStateService, + IProvider $tokenProvider, ) { parent::__construct($appName, $request); @@ -79,7 +81,8 @@ class OCJSController extends Controller { $iniWrapper, $urlGenerator, $capabilitiesManager, - $initialStateService + $initialStateService, + $tokenProvider ); } diff --git a/core/Controller/ProfilePageController.php b/core/Controller/ProfilePageController.php index c3a33d6bbda..4ff2a661fb0 100644 --- a/core/Controller/ProfilePageController.php +++ b/core/Controller/ProfilePageController.php @@ -29,14 +29,16 @@ namespace OC\Core\Controller; use OC\Profile\ProfileManager; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\AnonRateLimit; +use OCP\AppFramework\Http\Attribute\BruteForceProtection; use OCP\AppFramework\Http\Attribute\FrontpageRoute; use OCP\AppFramework\Http\Attribute\OpenAPI; +use OCP\AppFramework\Http\Attribute\UserRateLimit; use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Services\IInitialState; use OCP\EventDispatcher\IEventDispatcher; use OCP\INavigationManager; use OCP\IRequest; -use OCP\IUser; use OCP\IUserManager; use OCP\IUserSession; use OCP\Profile\BeforeTemplateRenderedEvent; @@ -67,6 +69,9 @@ class ProfilePageController extends Controller { * @NoSubAdminRequired */ #[FrontpageRoute(verb: 'GET', url: '/u/{targetUserId}')] + #[BruteForceProtection(action: 'user')] + #[UserRateLimit(limit: 30, period: 120)] + #[AnonRateLimit(limit: 30, period: 120)] public function index(string $targetUserId): TemplateResponse { $profileNotFoundTemplate = new TemplateResponse( 'core', 
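Review bot: The argument list at `@@ -79` adds `$tokenProvider` as the last argument of `new JSConfigHelper(...)` without a trailing comma, while the constructor parameter list at `@@ -65` keeps one; the two multi-line lists in the same class now follow different conventions, so `$tokenProvider,` would match. `OC\Authentication\Token\IProvider` is an `OC\` (non-public) interface newly injected into a core controller, consistent with the existing `OC\CapabilitiesManager` injection, but a short comment on why JSConfigHelper needs the token provider would help, since that is not visible in this diff. JSConfigHelper's constructor is outside the diff.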
@@ -76,7 +81,11 @@ class ProfilePageController extends Controller { ); $targetUser = $this->userManager->get($targetUserId); - if (!($targetUser instanceof IUser) || !$targetUser->isEnabled()) { + if ($targetUser === null) { + $profileNotFoundTemplate->throttle(); + return $profileNotFoundTemplate; + } + if (!$targetUser->isEnabled()) { return $profileNotFoundTemplate; } $visitingUser = $this->userSession->getUser(); diff --git a/core/Controller/UnifiedSearchController.php b/core/Controller/UnifiedSearchController.php index 469c6c6ed7b..3df7749ce72 100644 --- a/core/Controller/UnifiedSearchController.php +++ b/core/Controller/UnifiedSearchController.php @@ -92,7 +92,7 @@ class UnifiedSearchController extends OCSController { * @param string $providerId ID of the provider * @param string $term Term to search * @param int|null $sortOrder Order of entries - * @param int|null $limit Maximum amount of entries + * @param int|null $limit Maximum amount of entries, limited to 25 * @param int|string|null $cursor Offset for searching * @param string $from The current user URL * @@ -113,6 +113,9 @@ class UnifiedSearchController extends OCSController { ): DataResponse { [$route, $routeParameters] = $this->getRouteInformation($from); + $limit ??= SearchQuery::LIMIT_DEFAULT; + $limit = max(1, min($limit, 25)); + try { $filters = $this->composer->buildFilterList($providerId, $this->request->getParams()); } catch (UnsupportedFilter|InvalidArgumentException $e) { @@ -125,7 +128,7 @@ class UnifiedSearchController extends OCSController { new SearchQuery( $filters, $sortOrder ?? ISearchQuery::SORT_DATE_DESC, - $limit ?? SearchQuery::LIMIT_DEFAULT, + $limit, $cursor, $route, $routeParameters diff --git a/core/Controller/UnsupportedBrowserController.php b/core/Controller/UnsupportedBrowserController.php index dfcff8df381..0017576c18e 100644 --- a/core/Controller/UnsupportedBrowserController.php +++ b/core/Controller/UnsupportedBrowserController.php 
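Review bot: `throttle()` is called only when the user does not exist, not when the user exists but is disabled, although both branches return the same not-found template; a client probing usernames is therefore throttled for unknown names and not for disabled ones, a small behavioural difference between the two not-found cases. Calling `$profileNotFoundTemplate->throttle();` in the disabled branch as well keeps both outcomes indistinguishable under the new `#[BruteForceProtection(action: 'user')]` attribute from `@@ -67`. index() continues outside the hunk.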
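Review bot: The upper bound `25` at `@@ -113` is a bare literal that is repeated in the docblock at `@@ -92`; a named constant such as `private const LIMIT_MAX = 25;` with `$limit = max(1, min($limit, self::LIMIT_MAX));` keeps the two in sync. The docblock wording `limited to 25` hides that the value is clamped rather than rejected, and that values below 1 are raised to 1; `Maximum amount of entries, clamped to 1..25` says what the code does. Capping the client-supplied limit before it reaches `SearchQuery` is the right place for the bound; search() continues outside the hunk.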
@@ -51,6 +51,8 @@ class UnsupportedBrowserController extends Controller { public function index(): Response { Util::addScript('core', 'unsupported-browser'); Util::addStyle('core', 'icons'); - return new TemplateResponse('core', 'unsupportedbrowser', [], TemplateResponse::RENDER_AS_ERROR); + + // not using RENDER_AS_ERROR as we need the JSConfigHelper for url generation + return new TemplateResponse('core', 'unsupportedbrowser', [], TemplateResponse::RENDER_AS_GUEST); } } |