 /**
  * Returns the current user's notifications as JSON.
  *
  * Answers 204 No Content as soon as no app has registered a notifier, so
  * clients can stop polling. Notifications the manager cannot prepare any
  * more (prepare() throws InvalidArgumentException) are left out.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  *
  * @return JSONResponse|Response
  */
 public function get()
 {
     // No notifier registered: nothing can ever show up, tell the client to stop polling.
     if (!$this->manager->hasNotifiers()) {
         $noContent = new Response();
         $noContent->setStatus(Http::STATUS_NO_CONTENT);
         return $noContent;
     }

     $filter = $this->manager->createNotification();
     $filter->setUser($this->user);
     $language = $this->config->getUserValue($this->user, 'core', 'lang', null);

     $entries = [];
     $includedIds = [];
     foreach ($this->handler->get($filter) as $id => $rawNotification) {
         try {
             $prepared = $this->manager->prepare($rawNotification, $language);
         } catch (\InvalidArgumentException $e) {
             // The owning app was disabled; leave this notification out.
             continue;
         }
         $includedIds[] = $id;
         $entries[] = $this->notificationToArray($id, $prepared);
     }

     $response = new JSONResponse($entries);
     // The ETag is derived from the ids that were actually returned.
     $response->setETag($this->generateEtag($includedIds));
     return $response;
 }
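 /**
  * Shortcut for testing expected headers of a response
  *
  * Fails for the first expected entry that is not present in the response's
  * headers. The default value on $expected was dropped: an optional parameter
  * in front of a required one is deprecated (PHP 8.0) and callers could never
  * omit it anyway.
  *
  * @param array $expected the expected header entries
  * @param Response $response the response which we want to test for headers
  */
 protected function assertHeaders(array $expected, Response $response)
 {
     $headers = $response->getHeaders();
     foreach ($expected as $header) {
         // strict: a loose in_array() lets numeric-looking strings match unrelated entries
         $this->assertTrue(
             in_array($header, $headers, true),
             'Expected header ' . print_r($header, true) . ' not found in response headers'
         );
     }
 }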
 /**
  * A CORS-annotated method must be refused when the controller set
  * Access-Control-Allow-Credentials to true. The oddly cased header name with
  * a trailing blank is deliberate: it exercises the normalisation of the check.
  *
  * @CORS
  * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
  */
 public function testCorsIgnoredIfWithCredentialsHeaderPresent()
 {
     $secureRandom = $this->getMock('\\OCP\\Security\\ISecureRandom');
     $config = $this->getMock('\\OCP\\IConfig');
     $request = new Request(['server' => ['HTTP_ORIGIN' => 'test']], $secureRandom, $config);
     $this->reflector->reflect($this, __FUNCTION__);
     $middleware = new CORSMiddleware($request, $this->reflector, $this->session);

     $response = new Response();
     $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');

     // expected to throw, see @expectedException
     $middleware->afterController($this, __FUNCTION__, $response);
 }
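 /**
  * A CORS-annotated method must be refused when the controller set
  * Access-Control-Allow-Credentials to true. The mixed-case header name with
  * a trailing blank is deliberate: it exercises the normalisation of the check.
  *
  * @CORS
  * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
  */
 public function testCorsIgnoredIfWithCredentialsHeaderPresent()
 {
     $request = new Request(['server' => ['HTTP_ORIGIN' => 'test']]);
     $this->reflector->reflect($this, __FUNCTION__);
     $middleware = new CORSMiddleware($request, $this->reflector);

     $response = new Response();
     $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');

     // expected to throw (see @expectedException); the return value is irrelevant,
     // so it is no longer assigned to an unused variable
     $middleware->afterController($this, __FUNCTION__, $response);
 }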
 /**
  * This is being run after a successful controllermethod call and allows
  * the manipulation of a Response object. The middleware is run in reverse order
  *
  * Adds the CORS response headers only for API-annotated methods that were
  * called with an Origin header. The requesting origin is echoed back and
  * credentials are explicitly disabled.
  *
  * @param Controller $controller the controller that is being called
  * @param string $methodName the name of the method that will be called on
  *                           the controller
  * @param Response $response the generated response from the controller
  * @return Response a Response object
  */
 public function afterController($controller, $methodName, Response $response)
 {
     $annotationReader = new MethodAnnotationReader($controller, $methodName);

     // not a cross-origin request: nothing to add
     if (!isset($this->request->server['HTTP_ORIGIN'])) {
         return $response;
     }
     // only API methods are opened up for other origins
     if (!$annotationReader->hasAnnotation('API')) {
         return $response;
     }

     $requestingOrigin = $this->request->server['HTTP_ORIGIN'];
     $response->addHeader('Access-Control-Allow-Origin', $requestingOrigin);
     $response->addHeader('Access-Control-Allow-Credentials', 'false');
     return $response;
 }
 /**
  * This is being run after a successful controllermethod call and allows
  * the manipulation of a Response object. The middleware is run in reverse order
  *
  * For CORS-annotated methods called with an Origin header, the origin is
  * echoed back in Access-Control-Allow-Origin. A response that already carries
  * Access-Control-Allow-Credentials: true is rejected with a SecurityException,
  * because allowing credentials on a cross-origin response would let the
  * browser send the session cookie along and re-open CSRF.
  *
  * @param Controller $controller the controller that is being called
  * @param string $methodName the name of the method that will be called on
  *                           the controller
  * @param Response $response the generated response from the controller
  * @return Response a Response object
  * @throws SecurityException when the response allows credentials
  */
 public function afterController($controller, $methodName, Response $response)
 {
     // only CORS-annotated methods answering a request that carries an origin are touched
     if (!isset($this->request->server['HTTP_ORIGIN']) || !$this->reflector->hasAnnotation('CORS')) {
         return $response;
     }

     // header name and value are compared case-insensitively, value also trimmed
     foreach ($response->getHeaders() as $name => $value) {
         $isCredentialsHeader = strtolower($name) === 'access-control-allow-credentials';
         if ($isCredentialsHeader && strtolower(trim($value)) === 'true') {
             throw new SecurityException(
                 'Access-Control-Allow-Credentials must not be set to true in order to prevent CSRF'
             );
         }
     }

     $response->addHeader('Access-Control-Allow-Origin', $this->request->server['HTTP_ORIGIN']);
     return $response;
 }
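 /**
  * Every setter on the response must return the instance so calls can be
  * chained, and each call in the chain must actually take effect.
  */
 public function testChainability()
 {
     // 'now' is the constructor default; passing null is deprecated since PHP 8.1
     $lastModified = new \DateTime('now', new \DateTimeZone('GMT'));
     $lastModified->setTimestamp(1);

     $this->childResponse
         ->setEtag('hi')
         ->setStatus(Http::STATUS_NOT_FOUND)
         ->setLastModified($lastModified)
         ->cacheFor(33)
         ->addHeader('hello', 'world');

     $headers = $this->childResponse->getHeaders();
     // assertSame: a type mismatch (e.g. "404" vs 404) must not pass silently
     $this->assertSame('world', $headers['hello']);
     $this->assertSame(Http::STATUS_NOT_FOUND, $this->childResponse->getStatus());
     $this->assertSame('hi', $this->childResponse->getEtag());
     $this->assertSame('Thu, 01 Jan 1970 00:00:01 +0000', $headers['Last-Modified']);
     $this->assertSame('max-age=33, must-revalidate', $headers['Cache-Control']);
 }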
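 /**
  * Renders the filtered document body, honouring a single HTTP byte range.
  *
  * Only the first range-spec of a Range header is served (multipart/byteranges
  * is not implemented). Range bounds are inclusive, so a range a-b carries
  * b - a + 1 bytes; the previous version sliced and announced one byte too few.
  *
  * @return string the (partial) document content, or '' when the status is 404
  */
 public function render()
 {
     if (parent::getStatus() === Http::STATUS_NOT_FOUND) {
         return '';
     }
     $info = $this->view->getFileInfo($this->path);
     $this->ETag = $info['etag'];
     $content = $this->view->file_get_contents($this->path);
     $data = \OCA\Documents\Filter::read($content, $info['mimetype']);
     // byte length on purpose: Content-Length and Range work in bytes, not characters
     $size = strlen($data['content']);

     if (isset($this->request->server['HTTP_RANGE'])) {
         $rangeHeader = $this->request->server['HTTP_RANGE'];
         if (!preg_match('/^bytes=\\d*-\\d*(,\\d*-\\d*)*$/', $rangeHeader)) {
             return $this->sendRangeNotSatisfiable($size);
         }
         // only the first range-spec is honoured
         $ranges = explode(',', substr($rangeHeader, 6));
         $bounds = $this->resolveByteRange($ranges[0], $size);
         if ($bounds === null) {
             // NOTE(review): previously sendNotSatisfiable() was called without
             // returning and the content was then sliced with invalid bounds.
             // Two helper names are in use here (sendRangeNotSatisfiable above,
             // sendNotSatisfiable here) — confirm both exist.
             return $this->sendNotSatisfiable($size);
         }
         list($start, $end) = $bounds;
         $length = $end - $start + 1;
         $buffer = substr($data['content'], $start, $length);

         // send the headers and data
         $this->addHeader('Content-Length', $length);
         $this->addHeader('Content-md5', md5($buffer));
         $this->addHeader('Accept-Ranges', 'bytes');
         $this->addHeader('Content-Range', 'bytes ' . $start . '-' . $end . '/' . $size);
         $this->addHeader('Connection', 'close');
         $this->addHeader('Content-Type', $data['mimetype']);
         $this->addContentDispositionHeader();
         return $buffer;
     }

     $this->addHeader('Content-Type', $data['mimetype']);
     $this->addContentDispositionHeader();
     $this->addHeader('Content-Length', $size);
     return $data['content'];
 }

 /**
  * Resolves one "first-last" byte-range-spec against the body size.
  *
  * Handles "a-b", "a-" (to the end) and "-n" (last n bytes); the upper bound
  * is clamped to the last byte. The values come from an untrusted request
  * header, so they are cast to int before any arithmetic and a suffix larger
  * than the body can no longer produce a negative start offset.
  *
  * @param string $range one range-spec, already matched against \d*-\d*
  * @param int $size total body length in bytes
  * @return int[]|null inclusive [start, end], or null when the range cannot be satisfied
  */
 private function resolveByteRange($range, $size)
 {
     $parts = explode('-', $range, 2);
     $first = $parts[0];
     $last = isset($parts[1]) ? $parts[1] : '';

     if ($first === '' && $last === '') {
         return null;
     }
     if ($first === '') {
         // suffix range: the last $last bytes, but never before byte 0
         $suffixLength = (int) $last;
         if ($suffixLength === 0) {
             return null;
         }
         $start = max(0, $size - $suffixLength);
         $end = $size - 1;
     } else {
         $start = (int) $first;
         $end = $last === '' ? $size - 1 : min((int) $last, $size - 1);
     }
     if ($size === 0 || $start >= $size || $start > $end) {
         return null;
     }
     return [$start, $end];
 }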
 /**
  * This method implements a preflighted cors response for you that you can
  * link to for the options request
  *
  * The requesting Origin is echoed back when present, '*' otherwise. Allowed
  * methods, headers and max-age come from the corsMethods, corsAllowedHeaders
  * and corsMaxAge properties; credentials are always disabled.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  * @PublicPage
  * @since 7.0.0
  */
 public function preflightedCors()
 {
     $allowedOrigin = isset($this->request->server['HTTP_ORIGIN'])
         ? $this->request->server['HTTP_ORIGIN']
         : '*';

     $corsHeaders = [
         'Access-Control-Allow-Origin' => $allowedOrigin,
         'Access-Control-Allow-Methods' => $this->corsMethods,
         'Access-Control-Max-Age' => $this->corsMaxAge,
         'Access-Control-Allow-Headers' => $this->corsAllowedHeaders,
         'Access-Control-Allow-Credentials' => 'false',
     ];

     $response = new Response();
     foreach ($corsHeaders as $name => $value) {
         $response->addHeader($name, $value);
     }
     return $response;
 }
 /**
  * Answers a CORS preflight so web apps on other origins can use the API.
  *
  * The requesting Origin is echoed back when present, '*' otherwise. Methods,
  * max-age and allowed headers are fixed; credentials are always disabled.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  * @PublicPage
  */
 public function cors()
 {
     // needed for webapps access due to cross origin request policy
     $allowedOrigin = isset($this->request->server['HTTP_ORIGIN'])
         ? $this->request->server['HTTP_ORIGIN']
         : '*';

     $corsHeaders = [
         'Access-Control-Allow-Origin' => $allowedOrigin,
         'Access-Control-Allow-Methods' => 'PUT, POST, GET, DELETE',
         'Access-Control-Allow-Credentials' => 'false',
         'Access-Control-Max-Age' => '1728000',
         'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
     ];

     $response = new Response();
     foreach ($corsHeaders as $name => $value) {
         $response->addHeader($name, $value);
     }
     return $response;
 }
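 /**
  * Change the default sort mode
  *
  * @NoAdminRequired
  *
  * @param string $mode one of 'name', 'size', 'mtime'
  * @param string $direction 'asc' or 'desc'
  * @return Response 422 Unprocessable Entity when either value is not allowed,
  *                  an empty Response otherwise
  */
 public function updateFileSorting($mode, $direction)
 {
     $allowedMode = ['name', 'size', 'mtime'];
     $allowedDirection = ['asc', 'desc'];
     // strict comparison: both values come straight from the request and a loose
     // in_array() accepts e.g. integer 0 as 'name' on PHP < 8
     if (!in_array($mode, $allowedMode, true) || !in_array($direction, $allowedDirection, true)) {
         $response = new Response();
         $response->setStatus(Http::STATUS_UNPROCESSABLE_ENTITY);
         return $response;
     }
     $uid = $this->userSession->getUser()->getUID();
     $this->config->setUserValue($uid, 'files', 'file_sorting', $mode);
     $this->config->setUserValue($uid, 'files', 'file_sorting_direction', $direction);
     return new Response();
 }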
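 /**
  * Proxies a remote image through the server so the browser never contacts
  * the third-party host itself. When the remote data is not an image, or
  * Imagick cannot decode it, an inline SVG placeholder is sent instead.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  *
  * @param string $hash base64-encoded URL of the image to proxy
  * @return Response
  */
 public function imageproxy($hash)
 {
     $url = base64_decode($hash);
     // $url is fully client-controlled. FILTER_VALIDATE_URL also accepts file://,
     // ftp:// and other schemes, so additionally require http(s) before
     // getimagesize() / getURL() dereference it.
     // NOTE(review): any http(s) host reachable from the server is still fetched;
     // a host allowlist or private-address check belongs in getURL().
     $scheme = strtolower((string) parse_url((string) $url, PHP_URL_SCHEME));
     if (filter_var($url, FILTER_VALIDATE_URL) === false || !in_array($scheme, ['http', 'https'], true)) {
         // a proper response instead of die(): the framework still gets to run
         $badRequest = new Response();
         $badRequest->setStatus(400);
         return $badRequest;
     }

     $fileInfo = getimagesize($url);
     // getimagesize() returns false for non-images; indexing false is an error on newer PHP
     $imageType = $fileInfo !== false ? $fileInfo['mime'] : '';
     preg_match('/image\\/(.*)/', $imageType, $match);

     $response = new Response();
     // NOTE(review): status 304 together with an echoed body is unusual; kept
     // as before — confirm the intended status code.
     $response->setStatus(304);
     $response->cacheFor(60 * 60 * 24 * 90);

     if (!$match) {
         // remote data is not an image at all
         $body = $this->imageProxyFallbackIcon();
     } else {
         $response->addHeader('Content-Type', $match[0]);
         $body = $this->getURL($url);
         if (extension_loaded('imagick') || class_exists("Imagick")) {
             // Imagick is only used to prove the payload decodes as an image;
             // the setImageFormat() result is discarded, the fetched bytes are sent
             $tmp = tempnam(sys_get_temp_dir(), "imageProxy");
             file_put_contents($tmp, $body);
             try {
                 $isIcon = strpos($url, '.ico') !== false ? 'ico:' : '';
                 $image = new \Imagick($isIcon . $tmp);
                 if ($image->valid()) {
                     $image->setImageFormat('jpg');
                 }
             } catch (\Exception $e) {
                 // fully qualified \Exception so the catch actually matches inside a
                 // namespace; undecodable payload -> placeholder. Not echoed here,
                 // the body is written exactly once below.
                 $body = $this->imageProxyFallbackIcon();
             }
             // the temporary copy was never removed before
             unlink($tmp);
         } else {
             // NOTE(review): without Imagick the fetched image is never served,
             // only the placeholder (with the remote Content-Type) — kept as
             // before, confirm this is intended.
             $body = $this->imageProxyFallbackIcon();
         }
     }

     echo $body;
     return $response;
 }

 /**
  * Inline SVG placeholder used when the proxied image is unavailable.
  *
  * @return string
  */
 private function imageProxyFallbackIcon()
 {
     return '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
         . '<!DOCTYPE svg  PUBLIC \'-//W3C//DTD SVG 1.1//EN\'  \'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\'>'
         . '<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" height="16px" width="16px" version="1.1" y="0px" x="0px" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 71 100">'
         . '<path d="m65.5 45v-15c0-16.542-13.458-30-30-30s-30 13.458-30 30v15h-5.5v55h71v-55h-5.5zm-52-15c0-12.131 9.869-22 22-22s22 9.869 22 22v15h-44v-15z"/>'
         . '</svg>';
 }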
 /**
  * Serves the cover image of an album, 404 when the album has no cover file.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  *
  * @return FileResponse|Response
  */
 public function cover()
 {
     // we no longer need the session to be kept open
     session_write_close();

     $albumId = $this->getIdFromSlug($this->params('albumIdOrSlug'));
     $album = $this->albumBusinessLayer->find($albumId, $this->userId);
     $coverNodes = $this->userFolder->getById($album->getCoverFileId());

     if (count($coverNodes) === 0) {
         $notFound = new Response();
         $notFound->setStatus(Http::STATUS_NOT_FOUND);
         return $notFound;
     }

     // get the first valid node
     $cover = $coverNodes[0];
     $mime = $cover->getMimeType();
     $content = $cover->getContent();
     return new FileResponse(['mimetype' => $mime, 'content' => $content]);
 }
 /**
  * Invalid sort parameters must yield 422 Unprocessable Entity without
  * touching the user configuration.
  *
  * @dataProvider invalidSortingModeData
  */
 public function testUpdateInvalidFileSorting($mode, $direction)
 {
     $this->config->expects($this->never())->method('setUserValue');

     $actual = $this->apiController->updateFileSorting($mode, $direction);

     $expected = new Http\Response(null);
     $expected->setStatus(Http::STATUS_UNPROCESSABLE_ENTITY);
     $this->assertEquals($expected, $actual);
 }
 /**
  * Updating an account is not supported; answers 501 Not Implemented.
  *
  * @NoAdminRequired
  *
  * @return Response
  */
 public function update()
 {
     $notImplemented = new Response();
     $notImplemented->setStatus(Http::STATUS_NOT_IMPLEMENTED);
     return $notImplemented;
 }
 /**
  * Performs the default CSP modifications that may be injected by other
  * applications
  *
  * The policy the controller attached to the response (or an empty one when
  * it set none) is merged into the manager's default policy, and the merged
  * result replaces the response's policy.
  *
  * @param Controller $controller
  * @param string $methodName
  * @param Response $response
  * @return Response
  */
 public function afterController($controller, $methodName, Response $response)
 {
     $controllerPolicy = $response->getContentSecurityPolicy();
     if (is_null($controllerPolicy)) {
         $controllerPolicy = new ContentSecurityPolicy();
     }

     $manager = $this->contentSecurityPolicyManager;
     $mergedPolicy = $manager->mergePolicies($manager->getDefaultPolicy(), $controllerPolicy);

     $response->setContentSecurityPolicy($mergedPolicy);
     return $response;
 }