aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
Commit message (Collapse)AuthorAgeFilesLines
* fix(l10n): Improve english source stringsJoas Schilling2025-02-261-3/+3
| | | | | | | - No leading/trailing whitespace - Use asci single quote Signed-off-by: Joas Schilling <coding@schilljs.com>
* perf: delay getting (sub)admin status for user in the security middleware ↵Robin Appelman2024-08-231-7/+28
| | | | | | untill we need it Signed-off-by: Robin Appelman <robin@icewind.nl>
* feat(security): Add public API to allow validating IP Ranges and checking ↵Joas Schilling2024-07-191-5/+5
| | | | | | | for "in range" Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* feat(security): restrict admin actions to IP rangesBenjamin Gaussorgues2024-07-191-53/+30
| | | | Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* feat: allow for ExApps to call Admin endpoints marked with specific attrAlexander Piskun2024-07-181-6/+15
| | | | Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* feat(Security): Warn about using annotations instead of attributesprovokateurin2024-07-181-0/+1
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* feat(AppFramework): Add ExAppRequired attributeprovokateurin2024-07-011-1/+9
| | | | Signed-off-by: provokateurin <kate@provokateurin.de>
* chore: Add SPDX headerAndy Scherzinger2024-05-241-32/+3
| | | | Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* feat: rename users to account or personVincent Petry2024-02-131-3/+3
| | | | | | Replace translated text in most locations Signed-off-by: Vincent Petry <vincent@nextcloud.com>
* chore: apply changes from Nextcloud coding standards 1.1.1Joas Schilling2023-11-231-12/+12
| | | | | Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* Rewrite OCS CSRF check to be readablejld31032023-08-161-7/+15
| | | | Signed-off-by: jld3103 <jld3103yt@gmail.com>
* Refactors "strpos" calls in lib/private to improve code readability.Faraz Samapoor2023-05-151-1/+1
| | | | Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
* feat(security): Add PHP \Attribute for remaining security annotationsJoas Schilling2023-04-251-9/+61
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* composer run cs:fixCôme Chilliet2023-01-201-6/+5
| | | | Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Add direct arg to login flowVincent Petry2022-03-281-0/+3
| | | | | Signed-off-by: Vincent Petry <vincent@nextcloud.com> Co-Authored-by: Carl Schwan <carl@carlschwan.eu>
* Pass username prefill through unauthenticated request redirectsJulius Härtl2021-12-291-0/+4
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add admin privilege delegation for admin settingsCarl Schwan2021-09-291-5/+42
| | | | | | | This makes it possible for selected groups to access some settings pages. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
* Update php licensesJohn Molakvoæ (skjnldsv)2021-06-041-2/+0
| | | | Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
* Less ILoggerJoas Schilling2021-04-271-6/+5
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Update the license headers for Nextcloud 20Christoph Wurst2020-08-241-0/+1
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Update SecurityMiddleware.phpHolger Hees2020-07-061-1/+1
| | | | | | OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header. in other areas OC::$WEBROOT is always used together with an /
* Format control structures, classes, methods and functionChristoph Wurst2020-04-101-12/+11
| | | | | | | | | | | | | | | To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix (array) indent style to always use one tabChristoph Wurst2020-04-091-1/+1
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix loaded controller checkJoas Schilling2020-01-211-1/+1
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Update license headersChristoph Wurst2019-12-051-1/+8
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Some php-cs fixesRoeland Jago Douma2019-11-221-7/+6
| | | | | | | | | | | * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Merge pull request #17850 from ↵Joas Schilling2019-11-201-0/+6
|\ | | | | | | | | nextcloud/bugfix/noid/mark-spreed-as-active-on-call-urls Mark "Talk" active on /call/token URLs
| * Make phan happy ;)Daniel Kesselberg2019-11-191-1/+2
| | | | | | | | Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
| * Mark "Talk" active on /call/token URLsJoas Schilling2019-11-121-0/+5
| | | | | | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* | Fixes a 500 without useridArthur Schiwon2019-11-161-5/+0
|/ | | | | | plus cleanup of unused use statements Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Split up security middlewareRoeland Jago Douma2019-07-271-40/+0
| | | | | | | | | | With upcoming work for the feature policy header. Splitting this in smaller classes that just do 1 thing makes sense. I rather have a few small classes that are tiny and do 1 thing right (and we all understand what is going on) than have big ones. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Make it possible to show admin settings for sub adminsChristoph Wurst2019-05-231-1/+12
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Do not use file as template parameterRoeland Jago Douma2018-08-091-1/+1
| | | | | | | | Using file will overwrite the $file parameter in the template base. Leading to trying to include a file that is the exception message. Which will of course fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* move log constants to ILoggerArthur Schiwon2018-04-261-1/+1
| | | | Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Add testsRoeland Jago Douma2018-03-081-18/+8
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Make SecurityMiddleware strictRoeland Jago Douma2018-03-081-10/+9
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Do not throw AppNotEnabledException for app public pages - refs #6962, refs ↵Julien Veyssier2018-02-281-1/+2
| | | | | | | | #5309 It allows non-logged user to access public pages of applications restricted to a group Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
* Provide translated error message for permission errorMorris Jobke2018-02-261-2/+8
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Don't perform CSRF check on OCS routes with Bearer authRoeland Jago Douma2018-01-291-2/+8
| | | | | | Fixes #5694 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Properly log the full exception instead of only the messageMorris Jobke2018-01-231-1/+4
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Move passwordconfirmation to its own midlewareRoeland Jago Douma2018-01-021-28/+1
| | | | | | Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* disable password confirmation with SSOBjoern Schiessle2018-01-021-2/+16
| | | | Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* Update license headersMorris Jobke2017-11-061-0/+1
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Use proper DI for security middleware for app enabled checkMorris Jobke2017-10-241-2/+8
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Remove explicit type hints for ControllerLukas Reschke2017-08-011-3/+3
| | | | | | This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Fix middleware implementations signaturesRoeland Jago Douma2017-07-311-3/+3
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Check whether the $_SERVER['REQUEST_*'] vars exist before using themJoas Schilling2017-05-151-6/+5
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Make BruteForceProtection annotation more cleverLukas Reschke2017-04-131-14/+1
| | | | | | | | This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Move to dedicated MiddleWareLukas Reschke2017-04-131-35/+10
| | | | Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add support for ratelimiting via annotationsLukas Reschke2017-04-131-11/+36
| | | | | | | | | | | | | This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-29 08:17:08 +0000