path: root/lib/public/AppFramework
Commit message (Author, Age, Files, Lines)
* set default CSP on NotFoundResponse (Roeland Jago Douma, 2019-09-10, 1 file, -0/+1)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Remove reflect method from public interface (Roeland Jago Douma, 2019-08-30, 1 file, -0/+1)
|   The reflect method is (and should) only ever be called internally. Since if you call it again it would otherwise start mixing and matching arguments etc.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add deprecation warning (Roeland Jago Douma, 2019-08-29, 1 file, -0/+1)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Do not enforce the parent constructor of response to be called (Roeland Jago Douma, 2019-08-19, 1 file, -10/+8)
|   If there is no policy set we just take the default empty ones. That way no obscure errors get thrown if the constructor is not called.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* frame-src doesn't respect the nonce attribute (Roeland Jago Douma, 2019-08-16, 1 file, -3/+0)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add feature policy header (Roeland Jago Douma, 2019-08-10, 4 files, -0/+266)
|   This adds the events and the classes to modify the feature policy. It also adds a default restricted feature policy.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add form-action CSP element (Roeland Jago Douma, 2019-07-31, 2 files, -0/+35)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* No need to have these classes we tighten the default CSP from time to (Roeland Jago Douma, 2019-07-27, 3 files, -0/+3)
|   time
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Redirect to the right token on public shares (Roeland Jago Douma, 2019-05-23, 1 file, -0/+14)
|   If the token doesn't match (or isn't set) during the redirect. We should properly set it. Else we might redirect to a later auth display that set these values.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Set empty CSP by default (Roeland Jago Douma, 2019-04-16, 12 files, -1/+34)
|   For #14179
|   By default responses should have the strictest (and simplest) CSP possible. Only template responses should require an actual CSP.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* [#11236] Set parameter type in QBMapper (Marius David Wieschollek, 2019-03-24, 1 file, -3/+35)
|   Signed-off-by: Marius David Wieschollek <git.public@mdns.eu>
* CSP: set nonce for iframes (Roeland Jago Douma, 2019-03-16, 1 file, -1/+5)
|   This for now uses the jsNonce. That way we can easily backport it. For 17 I will fix it properly.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Avoid duplicate App container creation (Joas Schilling, 2019-03-05, 1 file, -1/+6)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* Allow apps to redirect to the default app (Joas Schilling, 2019-03-01, 1 file, -0/+40)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* Add StandaloneTemplateResponse (Roeland Jago Douma, 2019-02-06, 1 file, -0/+37)
|   This can be used by pages that do not have the full Nextcloud UI. So notifications etc do not load there.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Emit to load additionalscripts (Roeland Jago Douma, 2019-01-31, 1 file, -0/+3)
|   Fixes #13662
|   This will fire off an event after a Template Response has been returned. There is an event for the generic loading and one when logged in. So apps can choose to load only on logged in pages. This is a more generic approach than the files app event. As some things we might want to load on other pages as well besides the files app.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Set default frame-ancestors to 'self' (Roeland Jago Douma, 2019-01-08, 1 file, -1/+3)
|   For #13042
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* CSP: Allow fonts to be provided in data (Roeland Jago Douma, 2019-01-07, 1 file, -0/+1)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Access id property without getter. (Daniel Kesselberg, 2018-12-24, 1 file, -1/+1)
|   Some implementations typehint getId to integer but default is null.
|   Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* Fetch lastInsertId only when id null (Daniel Kesselberg, 2018-12-24, 1 file, -1/+3)
|   When id column has no autoincrement flag query for lastInsertId fails on postgres because no value has been generated. Call lastInsertId only if id is null.
|   Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* Add IMapperException (Roeland Jago Douma, 2018-12-06, 3 files, -2/+34)
|   This way code using the DB mappers can have try catch blocks on this type of exceptions if they do not care if there was none or too many.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Basic CSP no longer deprecated (Roeland Jago Douma, 2018-11-08, 1 file, -1/+0)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add report-uri to CSP (Roeland Jago Douma, 2018-10-21, 2 files, -0/+23)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Disallow unsafe-eval by default (Roeland Jago Douma, 2018-10-14, 1 file, -6/+2)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Allow to inject/mock `new \DateTime()` similar to time() (Joas Schilling, 2018-10-09, 1 file, -1/+9)
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* Merge pull request #10967 from nextcloud/zipresponse (Morris Jobke, 2018-10-02, 1 file, -0/+87)
|\
| |   Add zip response
| * Add PHPDoc (Morris Jobke, 2018-10-02, 1 file, -4/+14)
| |   Signed-off-by: Morris Jobke <hey@morrisjobke.de>
| * fixup! Add fix response (Roeland Jago Douma, 2018-10-02, 1 file, -1/+1)
| |   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
| * fixup! Add fix response (Roeland Jago Douma, 2018-10-02, 1 file, -3/+5)
| |   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
| * Add fix response (Jakob Sack, 2018-10-02, 1 file, -0/+75)
| |   implements #7589
* | Document possibly thrown exception of QBMapper::insertOrUpdate (Christoph Wurst, 2018-10-02, 1 file, -0/+1)
| |   Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | Add QBMapper::insertOrUpdate() (Christoph Wurst, 2018-10-02, 1 file, -1/+18)
|/
|   This allows elegant upserts where the entity ID is provided (e.g. by an external system) and when that data is fed into our database multiple times.
|   Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Deprecate the childSrc functions (Roeland Jago Douma, 2018-09-04, 1 file, -0/+2)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add workerSrc to CSP (Roeland Jago Douma, 2018-09-04, 2 files, -0/+34)
|   Fixes #11035
|   Since the child-src directive is deprecated (we should kill it at some point) we need to have the proper worker-src available
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Disallow eval on the StrictEvalCSP (Roeland Jago Douma, 2018-07-11, 1 file, -1/+1)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Fix direct access to authen page (Roeland Jago Douma, 2018-06-20, 1 file, -1/+3)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Update token on regeneration for public login (Roeland Jago Douma, 2018-06-20, 1 file, -1/+1)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add AuthPublicShareControllerTest (Roeland Jago Douma, 2018-06-20, 1 file, -1/+0)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add PublicShareControllerTests (Roeland Jago Douma, 2018-06-20, 1 file, -1/+1)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Move public auth page over (Roeland Jago Douma, 2018-06-20, 1 file, -3/+6)
|   Now this is in core so the basics (that 99% of the app will want to use) looks always the same.
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add the new PublicShareController and PublicShareMiddleware (Roeland Jago Douma, 2018-06-20, 2 files, -0/+326)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add stricter CSPs (Roeland Jago Douma, 2018-06-13, 4 files, -2/+192)
|     * Deprecate our default CSP
|     * Add strict CSP that is always our strictest setting
|     * Add strict eval CSP (disable unsafe-eval)
|     * Add strict inline CSP (disables inline styles)
|   This is just to move forward and have an incremental improvement of our CSP
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Move caching logic to response (Roeland Jago Douma, 2018-06-04, 1 file, -2/+14)
|   This avoids having to do it at all the places we want cached responses. We can't inject the ITimeFactor without breaking public API. However we can perfectly overwrite the service (resulting in the same testable effect).
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* The column is not user input so suppress the phan warning (Roeland Jago Douma, 2018-05-14, 1 file, -0/+2)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add a QueryBuilder Mapper (Roeland Jago Douma, 2018-05-10, 2 files, -1/+284)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add since tags (Julius Härtl, 2018-04-05, 2 files, -1/+18)
|   Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Move external share saving to template (Julius Härtl, 2018-04-05, 1 file, -7/+3)
|   Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Add footer to public page template (Julius Härtl, 2018-04-05, 1 file, -0/+15)
|   Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Move common menu templates to public API (Julius Härtl, 2018-04-05, 2 files, -0/+130)
|   Signed-off-by: Julius Härtl <jus@bitgrid.net>
* OCP\AppFramework\App strict (Roeland Jago Douma, 2018-03-09, 1 file, -7/+9)
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>