 /**
  * Runs every security check that applies to the controller method about to
  * be invoked. Which checks apply is decided by the annotations the reflector
  * reports for that method: `PublicPage` skips the login and admin checks,
  * `NoAdminRequired` skips only the admin check, and `NoCSRFRequired` skips
  * the CSRF token verification. The "app is enabled" check always runs.
  *
  * @param string $controller the controller name or string
  * @param string $methodName the name of the method
  * @throws SecurityException when a security check fails
  */
 public function beforeController($controller, $methodName)
 {
     // Sets the current navigation entry of the app; intended for normal HTML
     // requests only, not for AJAX requests.
     $this->navigationManager->setActiveEntry($this->appName);

     $reflector = $this->reflector;

     // Authentication / authorisation: only enforced for non-public pages.
     if (!$reflector->hasAnnotation('PublicPage')) {
         if (!$this->isLoggedIn) {
             throw new SecurityException('Current user is not logged in', Http::STATUS_UNAUTHORIZED);
         }
         $adminRequired = !$reflector->hasAnnotation('NoAdminRequired');
         if ($adminRequired && !$this->isAdminUser) {
             throw new SecurityException('Logged in user must be an admin', Http::STATUS_FORBIDDEN);
         }
     }

     // The CSRF token is registered unconditionally (the session may be closed
     // later); only the verification itself is annotation-controlled.
     Util::callRegister();
     $csrfRequired = !$reflector->hasAnnotation('NoCSRFRequired');
     if ($csrfRequired && !$this->request->passesCSRFCheck()) {
         throw new SecurityException('CSRF check failed', Http::STATUS_PRECONDITION_FAILED);
     }

     // FIXME: Use DI once available.
     // Rejects calls into a disabled app (isEnabled also covers whether the
     // user is allowed to access the resource). getAppPath() is consulted
     // first because components such as settings also use the AppFramework
     // and would not pass the isEnabled check otherwise.
     $hasAppPath = \OC_App::getAppPath($this->appName) !== false;
     if ($hasAppPath && !\OC_App::isEnabled($this->appName)) {
         throw new SecurityException('App is not enabled', Http::STATUS_PRECONDITION_FAILED);
     }
 }
 /**
  * Constructor
  *
  * @param string $app app providing the template
  * @param string $name name of the template file (without suffix)
  * @param string $renderAs when non-empty, OC_Template tries to produce a
  *                         full page in the according layout; for now
  *                         "guest", "user" or "admin"
  * @param bool $registerCall whether to register and hand over a request
  *                           token; an empty token is used when false or
  *                           when no session is available
  */
 public function __construct($app, $name, $renderAs = "", $registerCall = true)
 {
     // Read the selected theme from the config file
     self::initTemplateEngine($renderAs);
     $theme = OC_Util::getTheme();

     // The (CSRF) request token is only registered when a session exists and
     // the caller asked for it; otherwise the template receives an empty one.
     $requestToken = '';
     if (OC::$server->getSession() && $registerCall) {
         $requestToken = \OCP\Util::callRegister();
     }

     // Apps may be given as "core/lostpassword"; translations belong to the
     // first path segment.
     $appSegments = explode('/', $app);
     $l10n = \OC::$server->getL10N($appSegments[0]);
     $themeDefaults = new OC_Defaults();

     list($templatePath, $templateFile) = $this->findTemplate($theme, $app, $name);

     // Set the private data
     $this->renderAs = $renderAs;
     $this->path = $templatePath;
     $this->app = $app;

     parent::__construct($templateFile, $requestToken, $l10n, $themeDefaults);
 }
                    $tmpl->printPage();
                    exit;
                }
            } else {
                // Check if item id is set in session
                if (!\OC::$server->getSession()->exists('public_link_authenticated') || \OC::$server->getSession()->get('public_link_authenticated') !== $linkItem['id']) {
                    // Prompt for password
                    OCP\Util::addStyle('files_sharing', 'authenticate');
                    $tmpl = new OCP\Template('files_sharing', 'authenticate', 'guest');
                    $tmpl->assign('URL', $url);
                    $tmpl->printPage();
                    exit;
                }
            }
        }
        // render template
        $tmpl = new \OCP\Template('gallery', 'public', 'base');
        OCP\Util::addScript('gallery', 'album');
        OCP\Util::addScript('gallery', 'gallery');
        OCP\Util::addScript('gallery', 'thumbnail');
        OCP\Util::addStyle('gallery', 'public');
        $tmpl->assign('token', $token);
        $tmpl->assign('requesttoken', \OCP\Util::callRegister());
        $tmpl->assign('displayName', $ownerDisplayName);
        $tmpl->assign('albumName', $albumName);
        $tmpl->printPage();
        exit;
    }
}
// Fallthrough: nothing above handled the request, so render the generic 404
// page in the guest layout.
(new OCP\Template('', '404', 'guest'))->printPage();
 /**
  * Supplies an attribute for the logout hyperlink. A backend may provide its
  * own attribute(s); otherwise an href pointing at the absolute core logout
  * route, with the request token attached as a route parameter, is returned.
  *
  * NOTE(review): the URL is concatenated into the attribute value without
  * HTML escaping, so this relies on the URL generator encoding the route
  * parameters — confirm before passing any user-controlled parameter here.
  *
  * @return string with one or more HTML attributes valid for <a>.
  */
 public static function getLogoutAttribute()
 {
     $backend = self::findFirstActiveUsedBackend();
     if ($backend) {
         return $backend->getLogoutAttribute();
     }

     $urlGenerator = \OC::$server->getURLGenerator();
     $routeParams = ['requesttoken' => \OCP\Util::callRegister()];
     $logoutUrl = $urlGenerator->linkToRouteAbsolute('core.login.logout', $routeParams);

     return sprintf('href="%s"', $logoutUrl);
 }
 /**
  * Supplies an attribute for the logout hyperlink. A backend may provide its
  * own attribute(s); otherwise an href to index.php with '?logout=true' and
  * the url-encoded request token appended is returned. The query separator
  * is written as '&amp;' because the value is placed inside an HTML
  * attribute.
  *
  * @return string with one or more HTML attributes valid for <a>.
  */
 public static function getLogoutAttribute()
 {
     $backend = self::findFirstActiveUsedBackend();
     if ($backend) {
         return $backend->getLogoutAttribute();
     }

     $baseUrl = link_to('', 'index.php');
     $token = urlencode(\OCP\Util::callRegister());

     return 'href="' . $baseUrl . '?logout=true&amp;requesttoken=' . $token . '"';
 }
$c = $app->getContainer();

// Requests to these URLs must work without the Shibboleth backend. The list
// mirrors the Apache configuration documented at:
// https://doc.owncloud.com/server/8.2/admin_manual/enterprise_user_management/user_auth_shibboleth.html#apache-configuration
$nonShibPaths = [
    'status.php',
    'remote.php',
    'index.php/s/',
    'public.php',
    'cron.php',
    'core/img/',
    'index.php/apps/files_sharing/ajax/publicpreview.php$',
    'index.php/apps/files/ajax/upload.php$',
    'apps/files/templates/fileexists.html$',
    'index.php/apps/files/ajax/mimeicon.php$',
    'apps/gallery/templates/slideshow.html$',
    'index.php/apps/gallery/ajax/getimages.php',
    'index.php/apps/gallery/ajax/thumbnail.php',
    'index.php/apps/gallery/ajax/image.php',
    '.*\\.css$',
    '.*\\.js$',
    '.*\\.woff$',
    'index.php/settings/personal/changepassword',
    'ocs',
];
// NOTE(review): the `.*\.css$`-style entries accept any request URI ending
// in that suffix; confirm getRequestUri() excludes the query string before
// relying on this regex as the sole gate for skipping the backend.
$nonShibUrls = '^/(' . implode('|', $nonShibPaths) . ')';
$nonShibRegex = '/' . str_replace('/', '\\/', $nonShibUrls) . '/i';

$request = $c->query('Request');
$requestUri = $request->getRequestUri();

$shibRequired = !\OC::$CLI && !preg_match($nonShibRegex, $requestUri);
if ($shibRequired) {
    // Register itself as User Backend
    $c->query('UserManager')->registerBackend($c->query('UserBackend'));

    // Register Hooks
    $userHooks = $c->query('UserHooks');
    $userHooks->register();
    $userHooks->registerPostSetPassword();

    // Prepare the login URL, forwarding redirect_url when the request has one.
    // NOTE(review): redirect_url is passed through as received; presumably the
    // session.login controller validates it — verify.
    $urlGen = $c->query('URLGenerator');
    $urlParams = $request->getParams();
    $loginParams = [];
    if (array_key_exists('redirect_url', $urlParams)) {
        $loginParams['redirect_url'] = $urlParams['redirect_url'];
    }
    $loginParams['requesttoken'] = \OCP\Util::callRegister();
    $loginRoute = $urlGen->linkToRoute('user_shib.session.login', $loginParams);

    // Templates registration
    // TODO: Couldn't find an \OCP way for achieving this
    \OC_App::registerLogIn(['name' => 'Shibboleth Login', 'href' => $loginRoute]);
    \OCP\App::registerAdmin($c->query('AppName'), 'admin');
    \OCP\App::registerPersonal($c->query('AppName'), 'personal');
} elseif ($requestUri === '/index.php/settings/personal/changepassword') {
    // Register only Non-Shib Hook for password setting
    $c->query('UserHooks')->registerPostSetPassword();
}
 /**
  * Creates the attribute(s) added to the logout hyperlink: an href to
  * index.php carrying '?logout=true' and the url-encoded request token.
  * The query separator is written as '&amp;' since the value lands inside an
  * HTML attribute.
  *
  * @return string with one or more HTML attributes valid for <a>.
  */
 public function getLogoutAttribute()
 {
     $baseUrl = link_to('', 'index.php');
     $token = urlencode(\OCP\Util::callRegister());

     return 'href="' . $baseUrl . '?logout=true&amp;requesttoken=' . $token . '"';
 }