nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Christoph Wurst	87aeae21e3	Fix failing csp/nonce check due to timed out session The CSP nonce is based on the CSRF token. This token does not change, unless you log in (or out). In case of the session data being lost, e.g. because php gets rid of old sessions, a new CSRF token is gen- erated. While this is fine in theory, it actually caused some annoying problems where the browser restored a tab and Nextcloud js was blocked due to an outdated nonce. The main problem here is that, while processing the request, we write out security headers relatively early. At that point the CSRF token is known/generated and transformed into a CSP nonce. During this request, however, we also log the user in because the session information was lost. At that point we also refresh the CSRF token, which eventually causes the browser to block any scripts as the nonce in the header does not match the one which is used to include scripts. This patch adds a flag to indicate whether the CSRF token should be refreshed or not. It is assumed that refreshing is only necessary if we want to re-generate the session id too. To my knowledge, this case only happens on fresh logins, not when we recover from a deleted session file. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Lukas Reschke	ed8a98eaa1	Prevent SQL error message in case of error `\OC\User\Database::createUser` can throw a PHP exception in case the UID is longer than permitted in the database. This is against it's PHPDocs and we should cast this to `false`, so that the regular error handling triggers in. The easiest way to reproduce is on MySQL: 1. Create user `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` in admin panel 2. Create user `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` in admin panel again 3. See SQL exception as error message Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Joas Schilling	20f8d1094a	Can not insert auto increment on oracle Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Robin Appelman	5185a3c0c9	null users dont exist Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Joas Schilling	b726204f91	Create users in non default backends first Most of the time, when people have multiple backends or add a custom backend, they want to create the users there and not in the default backend. But since that is registered first, users were always created there. Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Arthur Schiwon	999455c1aa	emit changeUser only if there really was a change (quota, displayname) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Lukas Reschke	5f71805c35	Add basic implementation for OAuth 2.0 Authorization Code Flow Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Christoph Wurst	0a43c259c4	Fix encryption + remembered login due to missing login hook The encryption app relies on the post_login hook to initialize its keys. Since we do not emit it on a remembered login, the keys were always un- initialized and the user was asked to log out and in again. This patch translates the postRememberedLogin hook to a post_login hook. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Joas Schilling	975e572a3d	Remove account data on user deletion Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Robin Appelman	2b0da0f218	handle permissions errors when copying the skeleton for a read only user Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Arthur Schiwon	668fe7df51	UserManager can now count disabled users Users page takes advantage of that Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Joas Schilling	9212089151	Use the new method in the old one to remove duplicate code Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Joas Schilling	9e6ac3de70	Allow to create a user for a specific backend Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Joas Schilling	ac0c21f4a7	Trigger change when a user is enabled/disabled Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Joas Schilling	a3922bbcdc	Better validation of allowed user names Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Morris Jobke	ac05d6dd67	Improve PHPDoc Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Joas Schilling	1110b51aa3	Allow to read the old email on the hook as well Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Joas Schilling	7ad791efb4	Dont create a log entry on email login Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Arthur Schiwon	fbadb37b9b	use known LockdownManager Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	0a463e55ae	Save correct login name Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	daf9d23547	don't regenerate Session ID twice, also fixes tests Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	50844e8c47	regenerate session id on successful login, fixes integration test Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Arthur Schiwon	7b3fdfeeaa	do login routine only once when done via LoginController Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	9 years ago
Robin Appelman	baec42e80a	Save the scope of an auth token in the session Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Robin Appelman	0aeb595784	user ids are strings Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Morris Jobke	dbaebc53b0	fix sorting in the backend Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Vincent Petry	aacfef463c	Add tests for database user backend caching Add comment, closeCursor in user DB query Invalidate user in cache after successful creation Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Jörn Friedrich Dreyer	592c04a9db	cache loadUser if not exists Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Felix Rupp	e7dc1f4326	Add postLogout hook to finish sessions from external session managers (#27048 ) * Add postLogout hook to finish sessions from external session managers like CAS * Add postLogout hook to finish sessions from external session managers like CAS Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Lukas Reschke	d134dea508	Don't call function in constructor The constructor is iniitiated already very early in base.php, thus requiring this here will break the setup and some more. For now we probably have to live with a static function call here thus. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	085891a15d	Escape like parameters in database user backend Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Morris Jobke	a5ba1f7803	Remove legacy class OC_Group and OC_User * basically a straight replacement of the wrapped code at the calling code parts Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Morris Jobke	2e88bec14b	Fix setup issue and refine error messages Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
tobiasKaminsky	c3fe8f6cf2	use random password if "password link" is enabled Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
tobiasKaminsky	be139c85a8	empty password only allowed if password link is sent Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
tobiasKaminsky	a37f29964f	add setting for "send password link" Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Joas Schilling	7c47f822a1	Save the used token id in the session so it can be used later on Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Robin Appelman	fa49c4a13b	Add a single public api for resolving a cloud id to a user and remote and back Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Sandro Lutz	9b6f99ab08	Update license header Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>	9 years ago
Sandro Lutz	6feff0ceba	Add check if UserManager is of type PublicEmitter before calling preLogin hook Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>	9 years ago
Sandro Lutz	e30d28f7eb	Change where preLogin hook gets called Signed-off-by: Sandro Lutz <sandro.lutz@temparus.ch>	9 years ago
Morris Jobke	a4ad8af6e3	Add proper default value for datadir * better safe than sorry * fixes #3091 Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Bjoern Schiessle	cdf01feba7	add action to existing brute force protection Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Loki3000	8ab16f87ac	spaces added	10 years ago
Loki3000	5c77923360	allowed '0' uid	10 years ago
Loki3000	b0ff59d42f	remove non required db requests	10 years ago
Loki3000	135198bf0d	Default value for null user For guest users on every request executes query: SELECT `uid`, `displayname` FROM `users` WHERE LOWER(`uid`) = LOWER(null) as I see, uid can't be equal to null by design.	10 years ago
Joas Schilling	5aa388bbe2	Make sure the loginname is set when logging in via cookie Signed-off-by: Joas Schilling <coding@schilljs.com>	10 years ago
Vincent Petry	91cd57e55b	Get user home folder before deletion After the deletion getHome() will fail because the user doesn't exist any more, so we need to fetch that value earlier. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	10 years ago
Roeland Jago Douma	e368a745aa	Set last-login-check on basic auth Else the last-login-check fails hard because the session value is not set and thus defaults to 0. * Started with tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	10 years ago

1 2 3

133 Commits (00e341925bc134cbbadaf00a84381e72ed33dbf7)