| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
| |
|
|
| |
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
| |
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
| |
Signed-off-by: Robin Appelman <icewind@owncloud.com>
|
| |\
| |
| | |
Allow rich object strings in messages as well
|
| | |
| |
| |
| | |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |/
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
|
|
| |
* Fixed comments
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
|
|
|
|
|
|
| |
* introduce callForSeenUsers and countSeenUsers
* add tests
* oracle should support not null on clob
* since 9.2.0
|
| |\
| |
| | |
Nextcloud rich object strings
|
| | |
| |
| |
| | |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| | |
| |
| |
| | |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| | |
| |
| |
| | |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |\ \
| | |
| | |
| | |
| | | |
nextcloud/comments-provide-displaynames-with-mentions
comment mentions: show displayname not uid
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| | |/
| |
| |
| | |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| |\ \
| | |
| | | |
Use CSP nonces
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.
At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)
IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.
Implementing this offers the following advantages:
1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.
If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
| |/ /
| |
| |
| |
| | |
"Storage not available" is now "Storage temporarily not available".
Exceptions are now logged in DEBUG level, not FATAL.
|
| |/
|
|
| |
Signed-off-by: Robin Appelman <robin@icewind.nl>
|
| |\
| |
| | |
Notifications for simple @-mentioning in comments
|
| | |
| |
| |
| |
| |
| |
| | |
* notifications can be cleaned up, no polluted DB
* updating comments will re-notify users or remove notifications, depending on the message
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(WIP) notify user when mentioned in comments
Fix doc, and create absolute URL for as notification link.
PSR-4 compatibility changes
also move notification creation to comments app
Do not notify yourself
unit test for controller and application
smaller fixes
- translatable app name
- remove doubles in mention array
- micro perf optimization
- display name: special label for deleted users, keep user id for users that could not be fetched from userManager
Comment Notification-Listener Unit Test
fix email adresses
remove notification when triggering comment was deleted
add and adjust tests
add missing @license tags
simplify NotificationsController registration
appinfo simplification, php docs
make string easier to translate
adjust test
replace dispatcher-based listeners with a registration method and interface
safer to not pass optional data parameter to setSubject for marking as processed. ID and mention suffices
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
update comment
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
| | |
| |
| |
| | |
Signed-off-by: Robin Appelman <robin@icewind.nl>
|
| |/
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
|
|
| |
* Fix AvatarTest
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Introduce simpleFS
* Introduce IAppData
* Introduce AppData Factory to get your AppData folder
* Update FileDisplayResponse
* AppData implements a ISimpleRoot but lazy. So only if an apps starts
to access data will stuff get initialized
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |
|
|
|
| |
If a repsonse now explicitly has the Empty CSP set then the middleware
won't touch it.
|
| |
|
|
|
|
| |
This cleans up a bit the OCSController/Middleware. Since the 2 versions
of OCS differ a bit. Moved a lot of stuff internal since it is of no
concern to the outside.
|
| |
|
|
|
| |
A lazy implementation of the DisplayResponse that only hits the
filesystem if the etag and mtime do not match.
|
| |\
| |
| | |
Cache avatars
|
| | |
| |
| |
| |
| | |
* Set proper caching headers for avatars (15 minutes)
* For our own avatar use some extra logic to invalidate when we update
|
| |\ \
| | |
| | | |
Null !== void, those methods are void
|
| | |/ |
|
| |/
|
|
|
| |
The OCSResponse should not be used by apps. They should extend the
OCSController and use normal DataResponses instead.
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
Some scrutinizer phpdoc fixes
|
| | | |
|
| | |
| |
| |
| | |
collect orphaned classes
|
| | | |
|
| |\| |
|
| | |\
| | |
| | | |
OCSController requires DataResponse
|
| | | |
| | |
| | |
| | |
| | |
| | | |
The OCS Controller requires a DataResponse object to be returned.
This means that all error handling will have to be done via exceptions
thrown and handling in the middleware.
|
| | |/ |
|
