From dc6f1d875d7c6f86b07aba8b6f1119083279cd30 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 18 Feb 2014 12:32:57 +0100 Subject: An admin should not be able to add remote and public services on its own. This should only be possible programmatically. This change is due the fact that an admin may not be expected to execute arbitrary code in every environment. --- core/ajax/appconfig.php | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'core/ajax') diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php index 4f26dedc797..6629d8a664b 100644 --- a/core/ajax/appconfig.php +++ b/core/ajax/appconfig.php @@ -9,28 +9,40 @@ OC_Util::checkAdminUser(); OCP\JSON::callCheck(); $action=isset($_POST['action'])?$_POST['action']:$_GET['action']; +$app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']); + +// An admin should not be able to add remote and public services +// on its own. This should only be possible programmatically. +// This change is due the fact that an admin may not be expected +// to execute arbitrary code in every environment. +if($app === 'core' && (substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) { + OC_JSON::error(array('data' => array('message' => 'Unexpected error!'))); + return; +} + $result=false; switch($action) { case 'getValue': - $result=OC_Appconfig::getValue($_GET['app'], $_GET['key'], $_GET['defaultValue']); + $result=OC_Appconfig::getValue($app, $_GET['key'], $_GET['defaultValue']); break; case 'setValue': - $result=OC_Appconfig::setValue($_POST['app'], $_POST['key'], $_POST['value']); + $result=OC_Appconfig::setValue($app, $_POST['key'], $_POST['value']); break; case 'getApps': $result=OC_Appconfig::getApps(); break; case 'getKeys': - $result=OC_Appconfig::getKeys($_GET['app']); + $result=OC_Appconfig::getKeys($app); break; case 'hasKey': - $result=OC_Appconfig::hasKey($_GET['app'], $_GET['key']); + $result=OC_Appconfig::hasKey($app, $_GET['key']); break; case 'deleteKey': - $result=OC_Appconfig::deleteKey($_POST['app'], $_POST['key']); + $result=OC_Appconfig::deleteKey($app, $_POST['key']); break; case 'deleteApp': - $result=OC_Appconfig::deleteApp($_POST['app']); + $result=OC_Appconfig::deleteApp($app); break; } OC_JSON::success(array('data'=>$result)); + -- cgit v1.2.3 From 1352c63dca25b04594cbdfeb8c832351997a1d14 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 18 Feb 2014 12:47:05 +0100 Subject: Check whether the Key is set --- core/ajax/appconfig.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'core/ajax') diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php index 6629d8a664b..1d066d9169a 100644 --- a/core/ajax/appconfig.php +++ b/core/ajax/appconfig.php @@ -15,7 +15,7 @@ $app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']); // on its own. This should only be possible programmatically. // This change is due the fact that an admin may not be expected // to execute arbitrary code in every environment. -if($app === 'core' && (substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) { +if($app === 'core' && isset($_POST['key']) &&(substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) { OC_JSON::error(array('data' => array('message' => 'Unexpected error!'))); return; } -- cgit v1.2.3 From c19cacb29f263558f052ccd8d78033d63326589e Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 18 Feb 2014 14:12:49 +0100 Subject: Check whether the app is set --- core/ajax/appconfig.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'core/ajax') diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php index 1d066d9169a..05b7572c6d7 100644 --- a/core/ajax/appconfig.php +++ b/core/ajax/appconfig.php @@ -9,7 +9,10 @@ OC_Util::checkAdminUser(); OCP\JSON::callCheck(); $action=isset($_POST['action'])?$_POST['action']:$_GET['action']; -$app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']); + +if(isset($_POST['app']) || isset($_GET['app'])) { + $app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']); +} // An admin should not be able to add remote and public services // on its own. This should only be possible programmatically. -- cgit v1.2.3 From 2fd75d8f1c6de7138f962fa55b6a45d33f8936b2 Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Mon, 17 Feb 2014 18:26:52 +0100 Subject: clean up the sharing ajax calls, add mail notification class --- core/ajax/share.php | 112 +++------------------- lib/private/share/mailnotifications.php | 160 ++++++++++++++++++++++++++++++++ 2 files changed, 173 insertions(+), 99 deletions(-) create mode 100644 lib/private/share/mailnotifications.php (limited to 'core/ajax') diff --git a/core/ajax/share.php b/core/ajax/share.php index c251f8e7bae..86ee018e388 100644 --- a/core/ajax/share.php +++ b/core/ajax/share.php @@ -85,93 +85,32 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo } break; case 'informRecipients': - $l = OC_L10N::get('core'); - $shareType = (int) $_POST['shareType']; $itemType = $_POST['itemType']; $itemSource = $_POST['itemSource']; $recipient = $_POST['recipient']; - $ownerDisplayName = \OCP\User::getDisplayName(); - $from = \OCP\Util::getDefaultEmailAddress('sharing-noreply'); - - $noMail = array(); - $recipientList = array(); if($shareType === \OCP\Share::SHARE_TYPE_USER) { $recipientList[] = $recipient; } elseif ($shareType === \OCP\Share::SHARE_TYPE_GROUP) { $recipientList = \OC_Group::usersInGroup($recipient); } - // don't send a mail to the user who shared the file $recipientList = array_diff($recipientList, array(\OCP\User::getUser())); - // send mail to all recipients with an email address - foreach ($recipientList as $recipient) { - //get correct target folder name - $email = OC_Preferences::getValue($recipient, 'settings', 'email', ''); - - if ($email !== '') { - $displayName = \OCP\User::getDisplayName($recipient); - $items = \OCP\Share::getItemSharedWithUser($itemType, $itemSource, $recipient); - $filename = trim($items[0]['file_target'], '/'); - $subject = (string)$l->t('%s shared »%s« with you', array($ownerDisplayName, $filename)); - $expiration = null; - if (isset($items[0]['expiration'])) { - try { - $date = new DateTime($items[0]['expiration']); - $expiration = $l->l('date', $date->getTimestamp()); - } catch (Exception $e) { - \OCP\Util::writeLog('sharing', "Couldn't read date: " . $e->getMessage(), \OCP\Util::ERROR); - } - } - - if ($itemType === 'folder') { - $foldername = "/Shared/" . $filename; - } else { - // if it is a file we can just link to the Shared folder, - // that's the place where the user will find the file - $foldername = "/Shared"; - } - - $link = \OCP\Util::linkToAbsolute('files', 'index.php', array("dir" => $foldername)); - - $content = new OC_Template("core", "mail", ""); - $content->assign('link', $link); - $content->assign('user_displayname', $ownerDisplayName); - $content->assign('filename', $filename); - $content->assign('expiration', $expiration); - $text = $content->fetchPage(); - - $content = new OC_Template("core", "altmail", ""); - $content->assign('link', $link); - $content->assign('user_displayname', $ownerDisplayName); - $content->assign('filename', $filename); - $content->assign('expiration', $expiration); - $alttext = $content->fetchPage(); - - $default_from = OCP\Util::getDefaultEmailAddress('sharing-noreply'); - $from = OCP\Config::getUserValue(\OCP\User::getUser(), 'settings', 'email', $default_from); - - // send it out now - try { - OCP\Util::sendMail($email, $displayName, $subject, $text, $from, $ownerDisplayName, 1, $alttext); - } catch (Exception $exception) { - $noMail[] = \OCP\User::getDisplayName($recipient); - } - } - } + $mailNotification = new OC\Share\MailNotifications(); + $result = $mailNotification->sendInternalShareMail($recipientList, $itemSource, $itemType); \OCP\Share::setSendMailStatus($itemType, $itemSource, $shareType, true); - if (empty($noMail)) { + if (empty($result)) { OCP\JSON::success(); } else { OCP\JSON::error(array( 'data' => array( 'message' => $l->t("Couldn't send mail to following users: %s ", - implode(', ', $noMail) + implode(', ', $result) ) ) )); @@ -187,56 +126,31 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo break; case 'email': - // enable l10n support - $l = OC_L10N::get('core'); // read post variables - $user = OCP\USER::getUser(); - $displayName = OCP\User::getDisplayName(); - $type = $_POST['itemType']; $link = $_POST['link']; $file = $_POST['file']; $to_address = $_POST['toaddress']; + $mailNotification = new \OC\Share\MailNotifications(); + $expiration = null; if (isset($_POST['expiration']) && $_POST['expiration'] !== '') { try { $date = new DateTime($_POST['expiration']); - $expiration = $l->l('date', $date->getTimestamp()); + $expiration = $date->getTimestamp(); } catch (Exception $e) { \OCP\Util::writeLog('sharing', "Couldn't read date: " . $e->getMessage(), \OCP\Util::ERROR); } } - // setup the email - $subject = (string)$l->t('%s shared »%s« with you', array($displayName, $file)); - - $content = new OC_Template("core", "mail", ""); - $content->assign ('link', $link); - $content->assign ('type', $type); - $content->assign ('user_displayname', $displayName); - $content->assign ('filename', $file); - $content->assign('expiration', $expiration); - $text = $content->fetchPage(); - - $content = new OC_Template("core", "altmail", ""); - $content->assign ('link', $link); - $content->assign ('type', $type); - $content->assign ('user_displayname', $displayName); - $content->assign ('filename', $file); - $content->assign('expiration', $expiration); - $alttext = $content->fetchPage(); - - $default_from = OCP\Util::getDefaultEmailAddress('sharing-noreply'); - $from_address = OCP\Config::getUserValue($user, 'settings', 'email', $default_from ); - - // send it out now - try { - OCP\Util::sendMail($to_address, $to_address, $subject, $text, $from_address, $displayName, 1, $alttext); - OCP\JSON::success(); - } catch (Exception $exception) { - OCP\JSON::error(array('data' => array('message' => OC_Util::sanitizeHTML($exception->getMessage())))); + $result = $mailNotification->sendLinkShareMail($to_address, $file, $link, $expiration); + if($result === true) { + \OCP\JSON::success(); + } else { + \OCP\JSON::error(array('data' => array('message' => OC_Util::sanitizeHTML($result)))); } + break; } } else if (isset($_GET['fetch'])) { diff --git a/lib/private/share/mailnotifications.php b/lib/private/share/mailnotifications.php new file mode 100644 index 00000000000..360376294cc --- /dev/null +++ b/lib/private/share/mailnotifications.php @@ -0,0 +1,160 @@ + +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE +* License as published by the Free Software Foundation; either +* version 3 of the License, or any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU AFFERO GENERAL PUBLIC LICENSE for more details. +* +* You should have received a copy of the GNU Affero General Public +* License along with this library. If not, see . +*/ + +namespace OC\Share; + +class MailNotifications { + + private $senderId; // sender userId + private $from; // sender email address + private $senderDisplayName; + private $l; + + /** + * + * @param string $recipient user id + * @param string $sender user id (if nothing is set we use the currently logged-in user) + */ + public function __construct($sender = null) { + $this->l = \OC_L10N::get('core'); + + $this->senderId = $sender; + + $this->from = \OCP\Util::getDefaultEmailAddress('sharing-noreply'); + if ($this->senderId) { + $this->from = \OCP\Config::getUserValue($this->senderId, 'settings', 'email', $this->from); + $this->senderDisplayName = \OCP\User::getDisplayName($this->senderId); + } else { + $this->senderDisplayName = \OCP\User::getDisplayName(); + } + } + + /** + * @brief inform users if a file was shared with them + * + * @param array $recipientList list of recipients + * @param type $itemSource shared item source + * @param type $itemType shared item type + * @return array list of user to whom the mail send operation failed + */ + public function sendInternalShareMail($recipientList, $itemSource, $itemType) { + + $noMail = array(); + + foreach ($recipientList as $recipient) { + $recipientDisplayName = \OCP\User::getDisplayName($recipient); + $to = \OC_Preferences::getValue($recipient, 'settings', 'email', ''); + + if ($to === '') { + $noMail[] = $recipientDisplayName; + continue; + } + + $items = \OCP\Share::getItemSharedWithUser($itemType, $itemSource, $recipient); + $filename = trim($items[0]['file_target'], '/'); + $subject = (string) $this->l->t('%s shared »%s« with you', array($this->senderDisplayName, $filename)); + $expiration = null; + if (isset($items[0]['expiration'])) { + try { + $date = new DateTime($items[0]['expiration']); + $expiration = $date->getTimestamp(); + } catch (\Exception $e) { + \OCP\Util::writeLog('sharing', "Couldn't read date: " . $e->getMessage(), \OCP\Util::ERROR); + } + } + + if ($itemType === 'folder') { + $foldername = "/Shared/" . $filename; + } else { + // if it is a file we can just link to the Shared folder, + // that's the place where the user will find the file + $foldername = "/Shared"; + } + + $link = \OCP\Util::linkToAbsolute('files', 'index.php', array("dir" => $foldername)); + + list($htmlMail, $alttextMail) = $this->createMailBody($filename, $link, $expiration); + + // send it out now + try { + \OCP\Util::sendMail($to, $recipientDisplayName, $subject, $htmlMail, $this->from, $this->senderDisplayName, 1, $alttextMail); + } catch (\Exception $e) { + \OCP\Util::writeLog('sharing', "Can't send mail to inform the user abaut an internal share: " . $e->getMessage() , \OCP\Util::ERROR); + $noMail[] = $recipientDisplayName; + } + } + + return $noMail; + + } + + /** + * @brief inform recipient about public link share + * + * @param string recipient recipient email address + * @param string $filename the shared file + * @param string $link the public link + * @param int $expiration expiration date (timestamp) + * @return mixed $result true or error message + */ + public function sendLinkShareMail($recipient, $filename, $link, $expiration) { + $subject = (string)$this->l->t('%s shared »%s« with you', array($this->senderDisplayName, $filename)); + list($htmlMail, $alttextMail) = $this->createMailBody($filename, $link, $expiration); + try { + \OCP\Util::sendMail($recipient, $recipient, $subject, $htmlMail, $this->from, $this->senderDisplayName, 1, $alttextMail); + } catch (\Exception $e) { + \OCP\Util::writeLog('sharing', "Can't send mail with public link: " . $e->getMessage(), \OCP\Util::ERROR); + return $e->getMessage(); + } + + return true; + } + + /** + * @brief create mail body for plain text and html mail + * + * @param string $filename the shared file + * @param string $link link to the shared file + * @param int $expiration expiration date (timestamp) + * @return array with the html mail body and the plain text mail body + */ + private function createMailBody($filename, $link, $expiration) { + + $formatedDate = $expiration ? $this->l->l('date', $expiration) : null; + + $html = new \OC_Template("core", "mail", ""); + $html->assign ('link', $link); + $html->assign ('user_displayname', $this->senderDisplayName); + $html->assign ('filename', $filename); + $html->assign('expiration', $formatedDate); + $htmlMail = $html->fetchPage(); + + $alttext = new \OC_Template("core", "altmail", ""); + $alttext->assign ('link', $link); + $alttext->assign ('user_displayname', $this->senderDisplayName); + $alttext->assign ('filename', $filename); + $alttext->assign('expiration', $formatedDate); + $alttextMail = $alttext->fetchPage(); + + return array($htmlMail, $alttextMail); + } + +} -- cgit v1.2.3