path: root/lib/public/AppFramework/Http
Commit message | Author | Age | Files | Lines
* fix: Migrate all uses of OCP\Template to OCP\Template\ITemplateManager | Côme Chilliet | 2025-03-06 | 1 | -1/+7
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Fix psalm issues and add missing methods to ITemplate interface | Côme Chilliet | 2025-03-06 | 1 | -2/+3
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* chore: Correctly flag json encoding methods as escaping html and quotes | Côme Chilliet | 2025-02-17 | 1 | -0/+3
  Especially with JSON_HEX_TAG it’s perfectly fine to echo JSON, and we only use it in JSON output anyway.
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
*   Merge pull request #50070 from nextcloud/docs/http/cors-attribute | Joas Schilling | 2025-01-09 | 1 | -1/+3
|\    docs(HTTP): Add proper docs for CORS attribute
| * docs(HTTP): Add proper docs for CORS attribute (docs/http/cors-attribute) | provokateurin | 2025-01-07 | 1 | -1/+3
| |   Signed-off-by: provokateurin <kate@provokateurin.de>
* | fix(Http): Only allow valid HTTP status code values via template (fix/http/template-valid-status-codes) | provokateurin | 2025-01-07 | 17 | -33/+35
|/    Signed-off-by: provokateurin <kate@provokateurin.de>
* fix(HTTP): Adjust JSONResponse data type (fix/http/jsonresponse-data-type) | provokateurin | 2025-01-04 | 1 | -1/+1
  Signed-off-by: provokateurin <kate@provokateurin.de>
* feat: Use inline password confirmation in external storage settings | Louis Chemineau | 2024-11-28 | 1 | -0/+17
  Signed-off-by: Louis Chemineau <louis@chmn.me>
* chore: Add proper deprecation dates where missing | Ferdinand Thiessen | 2024-09-20 | 1 | -1/+1
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* chore(deps): Update nextcloud/coding-standard to v1.3.1 | provokateurin | 2024-09-19 | 5 | -5/+7
  Signed-off-by: provokateurin <kate@provokateurin.de>
* fix: Fix missing footer on public pages | Christopher Ng | 2024-09-04 | 1 | -0/+12
  Signed-off-by: Christopher Ng <chrng8@gmail.com>
* chore(ExternalShareMenuAction): Remove unused legacy properties | Ferdinand Thiessen | 2024-09-03 | 1 | -16/+5
  Keep them in the constructor to not break the API, but they are not used anymore. This way of adding a share was deprecated in Nextcloud 12 (2016!), in favor of the federated share API, in Nextcloud 28 this way to create a share was removed. So we can clean up as all it takes now to create a federated share is the share token + federated user ID.
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* refactor(IMenuAction): Make public menu actions use the new Vue UI | Ferdinand Thiessen | 2024-09-03 | 5 | -61/+62
  This removes custom rendering code and replaces it with the declarative menu actions. Also adjust the template to allow the Vue UI to mount. Custom entries still are possible.
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* style: update codestyle for coding-standard 1.2.3 | Daniel Kesselberg | 2024-08-25 | 6 | -13/+13
  Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* test: Adjust tests for CSP nonce | Ferdinand Thiessen | 2024-08-13 | 1 | -1/+1
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix: Make sure CSP nonce is not double base64 encoded | Ferdinand Thiessen | 2024-08-13 | 1 | -2/+2
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat: Allow passing additional encode flags for json response | Christopher Ng | 2024-08-01 | 1 | -2/+15
  Signed-off-by: Christopher Ng <chrng8@gmail.com>
* feat: Increase max depth of encoded json | Christopher Ng | 2024-08-01 | 1 | -1/+1
  Signed-off-by: Christopher Ng <chrng8@gmail.com>
* feat: allow for ExApps to call Admin endpoints marked with specific attr | Alexander Piskun | 2024-07-18 | 1 | -0/+21
  Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
* fix: ARateLimit documentation | skjnldsv | 2024-07-12 | 1 | -0/+2
  Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
* feat(OpenAPI): Add ex_app scope | provokateurin | 2024-07-02 | 1 | -0/+8
  Signed-off-by: provokateurin <kate@provokateurin.de>
* feat(AppFramework): Add ExAppRequired attribute | provokateurin | 2024-07-01 | 1 | -0/+21
  Signed-off-by: provokateurin <kate@provokateurin.de>
* chore: Add SPDX header | Andy Scherzinger | 2024-05-24 | 51 | -1043/+130
  Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
* fix(AppFramework): Fix error message about 204 not allowing custom headers | provokateurin | 2024-04-08 | 1 | -1/+1
  Signed-off-by: provokateurin <kate@provokateurin.de>
* fix: Apply new coding standard to all files | Côme Chilliet | 2024-04-02 | 1 | -1/+1
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* fix: Allow nonce in csp header also if no other reasons are given | Julius Härtl | 2024-03-08 | 1 | -3/+3
  Signed-off-by: Julius Härtl <jus@bitgrid.net>
* feat(AppFramework): Add Route attribute | provokateurin | 2024-02-21 | 3 | -0/+287
  Signed-off-by: provokateurin <kate@provokateurin.de>
* fix(API): Use a distinct exception so apps can react to it and customize the return | Joas Schilling | 2023-11-28 | 1 | -0/+79
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* chore: apply changes from Nextcloud coding standards 1.1.1 | Joas Schilling | 2023-11-23 | 1 | -1/+1
  Signed-off-by: Joas Schilling <coding@schilljs.com>
  Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
* fix(CSP): Only add `strict-dynamic` when using nonces | Ferdinand Thiessen | 2023-11-17 | 1 | -6/+6
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem` | Ferdinand Thiessen | 2023-11-17 | 1 | -1/+1
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only | Ferdinand Thiessen | 2023-11-17 | 2 | -6/+30
  This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keeping the default rules for `script-src`. The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag.
  Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* feat(openapi): Add OpenAPI attribute to allow multiple scopes and overwriting tags | Joas Schilling | 2023-11-03 | 2 | -0/+100
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Stop sending deprecated Pragma header | Git'Fellow | 2023-08-28 | 1 | -4/+3
  Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
* add separate event for rendering login page template | Robin Appelman | 2023-08-17 | 1 | -0/+52
  Signed-off-by: Robin Appelman <robin@icewind.nl>
* Allow "wasm-unsafe-eval" in CSP | Daniel Calviño Sánchez | 2023-08-10 | 3 | -1/+21
  If a page has a Content Security Policy header and the `script-src` (or `default-src`) directive contains neither `wasm-unsafe-eval` nor `unsafe-eval`, loading and executing WebAssembly is blocked in the page (although it is still possible to load and execute WebAssembly in a worker thread).
  Although the Nextcloud classes to manage the CSP already supported allowing `unsafe-eval`, this affects not only WebAssembly, but also the `eval` operation in JavaScript. To make it possible to allow WebAssembly execution without allowing JavaScript `eval`, this commit adds support for allowing `wasm-unsafe-eval`.
  Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
* fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts | Joas Schilling | 2023-07-27 | 1 | -9/+0
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Add IgnoreOpenAPI attribute | jld3103 | 2023-07-10 | 1 | -0/+37
  Signed-off-by: jld3103 <jld3103yt@gmail.com>
* chore: Replace \OC::$server->query with \OCP\Server::get in /lib | Christoph Wurst | 2023-07-06 | 1 | -1/+1
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Add template types to responses | jld3103 | 2023-06-30 | 17 | -94/+198
  Signed-off-by: jld3103 <jld3103yt@gmail.com>
* chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript | Christoph Wurst | 2023-06-12 | 1 | -18/+1
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Drop meta robots tag | Git'Fellow | 2023-06-09 | 1 | -1/+0
  Revert mistake
  Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
* fix(docs): Fix language and copy-paste class name in docs of CSP | Joas Schilling | 2023-05-30 | 3 | -4/+4
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(security): Add PHP \Attribute for remaining security annotations | Joas Schilling | 2023-04-25 | 8 | -0/+315
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(ratelimit): Add Attributes support to rate limit middleware | Joas Schilling | 2023-04-24 | 3 | -0/+133
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple | Joas Schilling | 2023-03-08 | 2 | -1/+53
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Change X-Robots-Tag header from "none" to "noindex, nofollow" | MichaIng | 2023-02-15 | 1 | -1/+1
  While "none" is indeed equivalent to "noindex, nofollow" for Google, it seems not to be supported by Bing and probably other search engines.
  https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names
  https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list
  https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240
  Signed-off-by: MichaIng <micha@dietpi.com>
* feat(app-framework): Add UseSession attribute to replace annotation | Christoph Wurst | 2023-01-27 | 1 | -0/+37
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* composer run cs:fix | Côme Chilliet | 2023-01-20 | 16 | -16/+0
  Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
* Fix typo in deprecated | Joas Schilling | 2022-10-04 | 1 | -2/+2
  Signed-off-by: Joas Schilling <coding@schilljs.com>