public function testSessionNotClosedOnAfterController()
 {
     $session = $this->getSessionMock(0);
     $this->reflector->reflect($this, __FUNCTION__);
     $middleware = new SessionMiddleware($this->request, $this->reflector, $session);
     $middleware->afterController($this, __FUNCTION__, new Response());
 }
 /**
  * Enforces the subadmin requirement before the controller method is executed.
  *
  * The check is skipped only when the method carries the NoSubadminRequired
  * annotation; any other method rejects callers who are not subadmins.
  *
  * @param \OCP\AppFramework\Controller $controller
  * @param string $methodName
  * @throws NotAdminException when the caller is not a subadmin and the
  *                           method is not annotated NoSubadminRequired
  */
 public function beforeController($controller, $methodName)
 {
     $exempt = $this->reflector->hasAnnotation('NoSubadminRequired');
     if ($exempt) {
         return;
     }

     // Deny by default: without the exemption annotation the caller must be a subadmin.
     if (!$this->isSubAdmin) {
         throw new NotAdminException('Logged in user must be a subadmin');
     }
 }
 /**
  * Closes the session once the controller has run, but only for methods
  * annotated with UseSession; all other methods leave the session untouched.
  *
  * @param \OCP\AppFramework\Controller $controller
  * @param string $methodName
  * @param Response $response
  * @return Response the response, passed through unchanged
  */
 public function afterController($controller, $methodName, Response $response)
 {
     $keepsSessionOpen = $this->reflector->hasAnnotation('UseSession');
     if ($keepsSessionOpen) {
         // close() is reached only for UseSession methods.
         $this->session->close();
     }

     return $response;
 }
 /**
  * Runs every security check that applies to the upcoming controller call.
  * Which checks apply is decided by the annotations on the controller method
  * (PublicPage, NoAdminRequired, NoCSRFRequired), read through the reflector.
  *
  * Checks run in this order: login, admin, CSRF, app enabled. The order is
  * deliberate — the CSRF token is registered before the CSRF check so that it
  * exists even if the session is closed later in the request — and must be
  * preserved when editing.
  *
  * @param string $controller the controllername or string
  * @param string $methodName the name of the method
  * @throws SecurityException when a security check fails
  */
 public function beforeController($controller, $methodName)
 {
     // Marks this app's navigation entry as active. Only meaningful for
     // regular HTML requests, not for AJAX requests.
     $this->navigationManager->setActiveEntry($this->appName);

     // Authentication and authorization. A PublicPage method skips both the
     // login and the admin check; it still goes through the CSRF check below.
     $requiresLogin = !$this->reflector->hasAnnotation('PublicPage');
     if ($requiresLogin && !$this->isLoggedIn) {
         throw new NotLoggedInException();
     }
     if ($requiresLogin
         && !$this->reflector->hasAnnotation('NoAdminRequired')
         && !$this->isAdminUser) {
         throw new NotAdminException();
     }

     // CSRF. The token is registered unconditionally (also for NoCSRFRequired
     // methods) because the session may be closed later in the request.
     Util::callRegister();
     $requiresCsrf = !$this->reflector->hasAnnotation('NoCSRFRequired');
     if ($requiresCsrf && !$this->request->passesCSRFCheck()) {
         throw new CrossSiteRequestForgeryException();
     }

     // App-enabled check (also includes a check whether the user is allowed
     // to access the resource). getAppPath() is consulted first because
     // components such as settings also use the AppFramework, have no app
     // path, and would otherwise fail this check.
     // FIXME: Use DI once available
     if (\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) {
         throw new AppNotEnabledException();
     }
 }
 /**
  * Runs after a successful controller method call and may modify the
  * Response object. Middlewares are run in reverse order here.
  *
  * For a CORS request — the method is annotated CORS and the request carries
  * an Origin header — the request's Origin is reflected verbatim into
  * Access-Control-Allow-Origin. Because the origin is reflected rather than
  * matched against an allowlist, a response that also sets
  * Access-Control-Allow-Credentials: true would let any site make
  * credentialed cross-origin calls; that combination is rejected instead of
  * being sent.
  *
  * @param Controller $controller the controller that is being called
  * @param string $methodName the name of the method that will be called on
  *                           the controller
  * @param Response $response the generated response from the controller
  * @return Response a Response object
  * @throws SecurityException when a CORS response enables credentials
  */
 public function afterController($controller, $methodName, Response $response)
 {
     $isCorsRequest = isset($this->request->server['HTTP_ORIGIN'])
         && $this->reflector->hasAnnotation('CORS');
     if (!$isCorsRequest) {
         return $response;
     }

     // Reflecting the origin while also allowing credentials would make the
     // endpoint usable for CSRF from any origin; refuse to emit that response.
     foreach ($response->getHeaders() as $name => $value) {
         $isCredentialsHeader = strtolower($name) === 'access-control-allow-credentials';
         if ($isCredentialsHeader && strtolower(trim($value)) === 'true') {
             throw new SecurityException('Access-Control-Allow-Credentials must not be set to true in order to prevent CSRF');
         }
     }

     $response->addHeader('Access-Control-Allow-Origin', $this->request->server['HTTP_ORIGIN']);

     return $response;
 }
 public function testBeforeControllerAsSubAdminWithExemption()
 {
     // With NoSubadminRequired present the subadmin check is bypassed, so
     // the call below must complete without throwing.
     $this->reflector->expects($this->once())
         ->method('hasAnnotation')
         ->with('NoSubadminRequired')
         ->will($this->returnValue(true));

     $this->subadminMiddlewareAsSubAdmin->beforeController($this->controller, 'foo');
 }
 public function testInheritanceOverrideNoDocblock()
 {
     // test3 on EndController presumably overrides a parent method without a
     // docblock of its own; the parent's @Annotation must not leak through.
     $reflector = new ControllerMethodReflector();
     $reflector->reflect('Test\\AppFramework\\Utility\\EndController', 'test3');

     $this->assertFalse($reflector->hasAnnotation('Annotation'));
 }