path: root/lib/base.php
Commit message [branch] (Author, Age, Files, Lines)
* fix(Coordinator): ensure the core app is loaded first (Ferdinand Thiessen, 4 days, 1, -2/+0)
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* Revert "perf(base): Stop setting up the FS for every basic auth request" (John Molakvoæ, 10 days, 1, -0/+17)
|
* Merge pull request #53141 from nextcloud/perf/files/setup-fs-basic-auth-request (John Molakvoæ, 10 days, 1, -17/+0)
|\
| * perf(base): Stop setting up the FS for every basic auth request (provokateurin, 13 days, 1, -17/+0)
| |   Signed-off-by: provokateurin <kate@provokateurin.de>
* | fix: Fix theming for disabled accounts [fix-theming-for-disabled-accounts] (Daniel Calviño Sánchez, 11 days, 1, -1/+22)
|/
|   The Theming app injects the stylesheets for the different themes in the "<header>" element of the page, and those stylesheets are then loaded by the browser from a "Controller" (a plain "Controller", not an "OCSController"). The stylesheets, in turn, may also get some images (like the background) also from the "Controller".
|
|   When handling a request to "index.php" it is checked whether the user is logged in and, if not, a login is tried. A disabled user is explicitly seen as not logged in, so a login is always tried in that case, but disabled users are also explicitly prevented from logging in, so the login also fails. Due to that, trying to get any of the themed stylesheets or images with a disabled account (to be able to show the "Account disabled" error page) fails with an HTTP status 401.
|
|   To solve that, and to avoid touching this basic logic as much as possible, the login exception is now ignored (if the user is disabled) for some specific requests to the Theming app.
|
|   Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* fix(ocs): Return a proper error on JSON decoding failures (Côme Chilliet, 2025-07-01, 1, -4/+5)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* feat(core): add cookie_domain config option (Samuel Bizien Filippi, 2025-06-16, 1, -0/+6)
|   Signed-off-by: Samuel Bizien Filippi <samuel.bizien-filippi@finances.gouv.fr>
* fix: Switch lazy object to enabled by default on PHP 8.4 [feat/use-php84-lazy-objects] (Côme Chilliet, 2025-06-05, 1, -1/+1)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* feat: Add a configuration toggle for lazy objects in DI (Côme Chilliet, 2025-06-05, 1, -0/+3)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Merge pull request #53157 from nextcloud/chore/refactor-core (Ferdinand Thiessen, 2025-06-02, 1, -2/+2)
|\
| |   refactor(core): migrate core application to `IBootstrap`
| * fix: make core application bootstrapable by coordinator [chore/refactor-core] (Ferdinand Thiessen, 2025-06-02, 1, -2/+2)
| |   Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
| |   Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
| |   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* | fix: Remove useless legacy autoloader [fix/delete-legacy-autoloader] (Côme Chilliet, 2025-05-27, 1, -32/+2)
|/
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* chore: Remove useless legacy autoloader for tests [fix/cleanup-test-legacy-autoloader] (Côme Chilliet, 2025-05-27, 1, -3/+0)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Merge pull request #52810 from nextcloud/artonge/feat/do_not_require_samesite_strict_cookie_on_public.php (Louis, 2025-05-22, 1, -4/+4)
|\
| * fix: Move CSRF check from base to PublicAuth for public.php (Louis Chemineau, 2025-05-21, 1, -4/+4)
| |   This currently prevents directly accessing a resource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment.
| |
| |   Skipping the check is an issue with password protected shares, as it allows third party sites to request the resource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add it again in the `PublicAuth` plugin. We also add a redirect to be helpful to the user.
| |
| |   **Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view.
| |
| |   Fix #52482
| |
| |   Signed-off-by: Louis Chemineau <louis@chmn.me>
* | chore: deprecate `OC_Helper::isReadOnlyConfigEnabled` [chore/depreate-oc-helper-ro] (Ferdinand Thiessen, 2025-05-17, 1, -1/+2)
|/
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* Merge pull request #52667 from nextcloud/fix/improve-init-profiling (Côme Chilliet, 2025-05-14, 1, -2/+5)
|\
| |   Improve init profiling
| * feat: Improve init a bit, and add more profiling steps (Côme Chilliet, 2025-05-13, 1, -2/+5)
| |   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* | feat(encryption): Migrate from hooks to events (Côme Chilliet, 2025-05-13, 1, -7/+8)
|/
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* perf: Add config options to trigger individual and sample profiling using excimer [perf/excimer] (Julius Knorr, 2025-04-22, 1, -3/+14)
|   Signed-off-by: Julius Knorr <jus@bitgrid.net>
* fix: Replace all usages of OC_User backend method calls by IUserManager [fix/cleanup-user-backends] (Côme Chilliet, 2025-04-10, 1, -1/+1)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Remove some call and references to deprecated OC_Util class (Côme Chilliet, 2025-04-07, 1, -1/+1)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Merge pull request #51029 from nextcloud/fix/deprecate-oc-template-and-cleanup (Côme Chilliet, 2025-03-10, 1, -10/+11)
|\
| |   fix: Deprecate OC_Template, add proper template manager instead
| * fix: Migrate all uses of OCP\Template to OCP\Template\ITemplateManager (Côme Chilliet, 2025-03-06, 1, -1/+1)
| |   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
| * fix: Deprecate OC_Template, add proper template manager instead (Côme Chilliet, 2025-03-06, 1, -9/+10)
| |   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* | fix(base.php): Correct order for booting \OC\Server [bugfix/50619/correctly-init-server] (Joas Schilling, 2025-03-10, 1, -28/+31)
|/
|   A recent change had broken authentication with an older FastCGI Apache2 module, because the IRequest object got initialised before the fix from self::handleAuthHeaders() copied the authentication headers into the correct $_SERVER variables. Since this part is completely independent from any Nextcloud code it is now done as a first thing within the init() call.
|
|   Additionally similar issues could happen when another class would boot too early and read other global PHP settings like ini values and default timezone, so those are now also moved to the beginning.
|
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* Merge pull request #51000 from nextcloud/fix/federatedfilesharing/group-cleanup (Stephan Orbaugh, 2025-03-03, 1, -4/+8)
|\
| |   fix(FederatedShareProvider): Delete external shares when groups are deleted or users removed from a group
| * fix(Share20): Convert broken hooks to IEventListener (provokateurin, 2025-03-03, 1, -4/+8)
| |   Signed-off-by: provokateurin <kate@provokateurin.de>
* | Fix A+ rating when checking with Nextcloud Security Scan. [backport/51173/master] (DaleBCooper, 2025-03-02, 1, -7/+7)
| |   Due to commit 33d7019 session.cookie_secure=true is not set when accessing /status.php. This results in a degradation from A+ to A rating due to missing __Host prefix for nc_sameSiteCookielax and nc_sameSiteCookiestrict cookies.
* | fix: Replace OC_App calls by IAppManager (Côme Chilliet, 2025-02-24, 1, -9/+14)
|/
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Merge pull request #48738 from nextcloud/perf/log-high-memory-requests (Julius Knorr, 2025-02-13, 1, -0/+16)
|\
| |   perf: Log requests using high amount of memory as warning
| * perf: Log requests using high amount of memory as warning [perf/log-high-memory-requests] (Julius Knorr, 2025-02-13, 1, -0/+16)
| |   Signed-off-by: Julius Knorr <jus@bitgrid.net>
* | fix: Replace isInstalled calls with isEnabledForAnyone or isEnabledForUser (Côme Chilliet, 2025-02-13, 1, -4/+4)
|/
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Use the new countUsersTotal method where it makes sense (Côme Chilliet, 2025-01-14, 1, -2/+1)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix(status): Avoid session creation for status requests [avoidStatusSessions] (Git'Fellow, 2024-11-21, 1, -0/+7)
|   Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
* fix: Do not check for strict cookie when running webcron [fix/cron-strict-cookie] (Ferdinand Thiessen, 2024-11-07, 1, -1/+3)
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* chore(legacy): Introduce public version class and drop version methods from OC_Util [clean/version-ocp] (Julius Knorr, 2024-09-20, 1, -3/+5)
|   Signed-off-by: Julius Knorr <jus@bitgrid.net>
* chore(deps): Update nextcloud/coding-standard to v1.3.1 (provokateurin, 2024-09-19, 1, -8/+8)
|   Signed-off-by: provokateurin <kate@provokateurin.de>
* fix(setup-checks): Ensure URL with webroot works (Ferdinand Thiessen, 2024-09-13, 1, -1/+1)
|   We basically mock the way `URLGenerator::getAbsoluteURL` works, so we must make sure that the URL might already contain the webroot. Because `baseURL` and `cliURL` also contain the webroot we need to remove the webroot from the URL first.
|
|   Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
|   Co-authored-by: Daniel <mail@danielkesselberg.de>
|   Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix(setup): ignore long session login during installation (Maxence Lange, 2024-08-27, 1, -1/+6)
|   Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
* style: update codestyle for coding-standard 1.2.3 (Daniel Kesselberg, 2024-08-25, 1, -9/+9)
|   Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* (base) Give a hint in web interface if SimpleXML (php-xml) is missing (Josh Richards, 2024-08-16, 1, -0/+7)
|   Fixes #2180
|   And prevents #31473, #23970, #18610, #15708
|
|   Avoids a 500 error and also gives a useful error message on the web interface if this module isn't installed, gets overlooked during a PHP upgrade, etc. While we check for it later, it's too late for session.
|
|   Inspired by #17163
|
|   Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
* fix(session): Log when session_* calls are slow (Christoph Wurst, 2024-08-07, 1, -1/+4)
|   Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* fix(occ): Use the const instead of hardcoded string for --debug-log option (Côme Chilliet, 2024-07-08, 1, -1/+1)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix(occ): Move debug log listener setup to a static method, add option for level (Côme Chilliet, 2024-07-02, 1, -9/+2)
|   Also changed option from --debug to --debug-log to avoid conflicts
|
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* feat(occ): Add a --debug option to output all log levels to the output (Côme Chilliet, 2024-07-02, 1, -0/+12)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* chore: Add SPDX header (Andy Scherzinger, 2024-05-24, 1, -64/+3)
|   Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* chore: remove unnecessary ini_set (Daniel Kesselberg, 2024-04-30, 1, -1/+0)
|   Changing gc_maxlifetime cannot have any effect because this configuration option does not exist. There is a configuration option named session.gc_maxlifetime. I removed the ini_set call because autoconfiguring is error-prone, and the current code could never have worked as intended.
|
|   Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* fix: Fix default values for ini var in lib/base.php (Côme Chilliet, 2024-04-30, 1, -2/+2)
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Remove unused endpoint from base.php (Côme Chilliet, 2024-03-06, 1, -15/+0)
|   It’s not called anymore, and app loading cannot break boot anymore
|
|   Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>