path: root/lib/public
Commit message | Author | Age | Files | Lines
* Add support for CSP nonces | Lukas Reschke | 2016-10-24 | 2 | -2/+24
|
|   CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Resources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce".
|
|   At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API), they now must also include that attribute.
|
|   IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.
|
|   Implementing this offers the following advantages:
|
|   1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
|   2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.
|
|   If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/
|
|   Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Allow 4byte unicode filenames on supported platforms | Robin Appelman | 2016-10-20 | 1 | -0/+8
|   Signed-off-by: Robin Appelman <robin@icewind.nl>
* Merge pull request #1449 from nextcloud/comments-user-mention | Morris Jobke | 2016-10-17 | 3 | -3/+52
|\
| |   Notifications for simple @-mentioning in comments
| * emit pre-update event for comments | Arthur Schiwon | 2016-10-12 | 1 | -3/+4
| |   * notifications can be cleaned up, no polluted DB
| |   * updating comments will re-notify users or remove notifications, depending on the message
| |
| |   Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
| * Notifications for simple @-mentioning in comments | Arthur Schiwon | 2016-10-07 | 2 | -0/+48
| |   (WIP) notify user when mentioned in comments
| |   Fix doc, and create absolute URL for as notification link.
| |   PSR-4 compatibility changes also move notification creation to comments app
| |   Do not notify yourself
| |   unit test for controller and application
| |   smaller fixes
| |   - translatable app name
| |   - remove doubles in mention array
| |   - micro perf optimization
| |   - display name: special label for deleted users, keep user id for users that could not be fetched from userManager
| |   Comment Notification-Listener Unit Test
| |   fix email addresses
| |   remove notification when triggering comment was deleted
| |   add and adjust tests
| |   add missing @license tags
| |   simplify NotificationsController registration
| |   appinfo simplification, php docs
| |   make string easier to translate
| |   adjust test
| |   replace dispatcher-based listeners with a registration method and interface
| |   safer to not pass optional data parameter to setSubject for marking as processed. ID and mention suffices
| |   Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
| |   update comment
| |   Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* | optimize Folder::getById to use less queries | Robin Appelman | 2016-10-12 | 1 | -0/+8
| |   Signed-off-by: Robin Appelman <robin@icewind.nl>
* | Add an icon to the notification API | Joas Schilling | 2016-10-07 | 1 | -7/+21
|/
|   Signed-off-by: Joas Schilling <coding@schilljs.com>
* add proper exception documentation for ISimpleFS interface | Morris Jobke | 2016-10-05 | 1 | -0/+6
|   Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Deprecate old app folder | Roeland Jago Douma | 2016-10-05 | 1 | -0/+1
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* avatar to appdata | Roeland Jago Douma | 2016-10-05 | 1 | -0/+1
|   * Fix AvatarTest
|
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Initial AppData | Roeland Jago Douma | 2016-10-05 | 5 | -4/+287
|   * Introduce simpleFS
|   * Introduce IAppData
|   * Introduce AppData Factory to get your AppData folder
|   * Update FileDisplayResponse
|   * AppData implements a ISimpleRoot but lazy. So only if an app starts to access data will stuff get initialized
|
|   Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* write channel to config file when changed | Morris Jobke | 2016-09-26 | 1 | -0/+1
|   Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Add strict CSP to OCS responses | Roeland Jago Douma | 2016-09-15 | 1 | -3/+3
|   If a response now explicitly has the Empty CSP set then the middleware won't touch it.
* Split OCS version handling | Roeland Jago Douma | 2016-09-06 | 1 | -13/+19
|   This cleans up a bit the OCSController/Middleware. Since the 2 versions of OCS differ a bit. Moved a lot of stuff internal since it is of no concern to the outside.
* Add FileDisplayResponse | Roeland Jago Douma | 2016-09-05 | 1 | -0/+70
|   A lazy implementation of the DisplayResponse that only hits the filesystem if the etag and mtime do not match.
* Merge pull request #1158 from nextcloud/cache_avatars | Lukas Reschke | 2016-09-05 | 1 | -2/+1
|\
| |   Cache avatars
| * Cache avatars properly | Roeland Jago Douma | 2016-08-30 | 1 | -2/+1
| |   * Set proper caching headers for avatars (15 minutes)
| |   * For our own avatar use some extra logic to invalidate when we update
* | Merge pull request #1271 from nextcloud/fix-docs-for-notifications | Joas Schilling | 2016-09-05 | 2 | -4/+0
|\ \
| | |   Null !== void, those methods are void
| * | Null !== void, those methods are void | Joas Schilling | 2016-09-05 | 2 | -4/+0
| |/
* / Deprecate OCSResponse | Roeland Jago Douma | 2016-09-05 | 1 | -2/+3
|/
|   The OCSResponse should not be used by apps. They should extend the OCSController and use normal DataResponses instead.
* add stacktrace to query logger | Robin Appelman | 2016-08-24 | 1 | -0/+12
|
* Validate the operation | Joas Schilling | 2016-08-19 | 1 | -0/+39
|
* Fix constant name, copy-pasterino | Joas Schilling | 2016-08-17 | 1 | -1/+1
|
* Merge pull request #892 from nextcloud/fix_phpdoc | Roeland Jago Douma | 2016-08-17 | 1 | -2/+2
|\
| |   Some scrutinizer phpdoc fixes
| * Fix IL10N phpdoc | Roeland Jago Douma | 2016-08-16 | 1 | -2/+2
| |
* | check registered sections and settings after an app got updated to garbage collect orphaned classes | Arthur Schiwon | 2016-08-16 | 2 | -0/+20
| |
* | attempt to remove section and settings entries when an app got disabled | Arthur Schiwon | 2016-08-16 | 1 | -0/+14
| |
* | Merge branch 'master' into implement_712 | Lukas Reschke | 2016-08-11 | 2 | -11/+12
|\|
| * Merge pull request #807 from nextcloud/ocs_dataresponse | Roeland Jago Douma | 2016-08-10 | 1 | -11/+4
| |\
| | |   OCSController requires DataResponse
| | * OCSController requires DataResponse | Roeland Jago Douma | 2016-08-10 | 1 | -11/+4
| | |   The OCS Controller requires a DataResponse object to be returned. This means that all error handling will have to be done via exceptions thrown and handling in the middleware.
| * | get shared storage storage id without setting up the storage | Robin Appelman | 2016-08-09 | 1 | -0/+8
| |/
* | Add since tags to class | Lukas Reschke | 2016-08-11 | 3 | -1/+9
| |
* | Add missing since annotations | Lukas Reschke | 2016-08-11 | 2 | -0/+5
| |
* | rename IAdmin to ISettings, the interface is not bound to a specific settings scope | Arthur Schiwon | 2016-08-11 | 1 | -1/+4
| |
* | more admin page splitup improvements | Arthur Schiwon | 2016-08-10 | 1 | -3/+3
| |   * bump version to ensure tables are created
| |   * make updatenotification app use settings api
| |   * change IAdmin::render() to getForm() and change return type from Template to TemplateResponse
| |   * adjust User_LDAP accordingly, as well as built-in forms
| |   * add IDateTimeFormatter to AppFramework/DependencyInjection/DIContainer.php. This is important so that \OC::$server->query() is able to resolve the constructor parameters. We should ensure that all OCP/* stuff that is available from \OC::$server is available here. Kudos to @LukasReschke
| |   * make sure apps that have settings info in their info.xml are loaded before triggering adding the settings setup method
* | Initial work on Apps page split: | Arthur Schiwon | 2016-08-09 | 3 | -0/+164
|/
|   * interfaces for the Admin settings (IAdmin) and section (ISection)
|   * SettingsManager service
|   * example setup with LDAP app
* Merge pull request #519 from GitHubUser4234/master | blizzz | 2016-07-28 | 3 | -0/+203
|\
| |   New LDAPProvider for user_ldap
| * Nextcloud license header for new files | root | 2016-07-28 | 3 | -24/+31
| |
| * Merge branch 'master' of https://github.com/nextcloud/server | root | 2016-07-27 | 2 | -0/+13
| |\
| * | final changes | root | 2016-07-27 | 3 | -13/+10
| | |
| * | New LDAPProvider for user_ldap | root | 2016-07-22 | 3 | -0/+199
| | |
* | | Remove php side of check registration | Joas Schilling | 2016-07-27 | 1 | -79/+0
| | |
* | | Add workflowengine | Morris Jobke | 2016-07-26 | 3 | -0/+183
| |/
|/|
* | use limit instead of since when listing recent files | Robin Appelman | 2016-07-22 | 1 | -2/+3
| |
* | add recent files to node api | Robin Appelman | 2016-07-22 | 2 | -0/+12
|/
* Merge pull request #507 from nextcloud/run-le-script | Morris Jobke | 2016-07-21 | 223 | -374/+602
|\
| |   Update emails and license headers with latest changes
| * Update with robin | Joas Schilling | 2016-07-21 | 69 | -69/+69
| |
| * Fix others | Joas Schilling | 2016-07-21 | 223 | -306/+534
| |
* | AppFramework do not get default response | Roeland Jago Douma | 2016-07-20 | 2 | -3/+18
|/
|   The OCSResponse differs from other responses in that it defaults to XML. However we fell back to json by default. This makes sure that if nothing is set we don't pass anything. Which defaults then to the controllers default (which is often 'json') but in the case of the OCSResponse 'xml'.
* Merge pull request #476 from nextcloud/port-same-site-cookies | Lukas Reschke | 2016-07-20 | 2 | -0/+23
|\
| |   [master] Port Same-Site Cookies to master