/**
 * A controller method without the @UseSession annotation must leave the
 * session untouched. The session mock is built with 0 — presumably the
 * expected number of close() calls, see getSessionMock() — so any call to
 * close() fails the test.
 */
public function testSessionNotClosedOnAfterController() {
	$sessionMock = $this->getSessionMock(0);
	// Point the reflector at this (annotation-free) test method.
	$this->reflector->reflect($this, __FUNCTION__);

	$sut = new SessionMiddleware($this->request, $this->reflector, $sessionMock);
	$sut->afterController($this, __FUNCTION__, new Response());
}
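/**
 * Runs before the controller method: denies access unless the caller is a
 * subadmin, except for methods annotated with @NoSubadminRequired.
 *
 * The check fails closed — when the annotation is absent and
 * $this->isSubAdmin is false the request is aborted. The reflector is
 * expected to already point at the controller method being called
 * (presumably done by the core middleware chain before this runs — TODO
 * confirm).
 *
 * The previous docblock described a sharing check, which this method never
 * performed; the documentation now matches the code.
 *
 * @param \OCP\AppFramework\Controller $controller
 * @param string $methodName
 * @throws NotAdminException when the logged-in user is not a subadmin
 */
public function beforeController($controller, $methodName) {
	// Explicit exemption: the method opted out of the subadmin requirement.
	if ($this->reflector->hasAnnotation('NoSubadminRequired')) {
		return;
	}
	if (!$this->isSubAdmin) {
		throw new NotAdminException('Logged in user must be a subadmin');
	}
}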
/**
 * Runs after the controller method. For methods annotated with @UseSession
 * the session is closed again here (presumably to release it as early as
 * possible); methods without the annotation are left alone. The response is
 * always returned unchanged.
 *
 * @param \OCP\AppFramework\Controller $controller
 * @param string $methodName
 * @param Response $response
 * @return Response the response passed in, untouched
 */
public function afterController($controller, $methodName, Response $response) {
	if (!$this->reflector->hasAnnotation('UseSession')) {
		return $response;
	}

	$this->session->close();
	return $response;
}
/**
 * Runs every security check that applies to the controller method about to
 * be called. Which checks apply is decided by the method's annotations:
 *
 *  - @PublicPage      skips the login check and the admin check
 *  - @NoAdminRequired skips the admin check (login is still required)
 *  - @NoCSRFRequired  skips the CSRF token check
 *
 * Checks run in a fixed order — authentication, authorisation, CSRF, app
 * enabled — so an anonymous request is rejected with NotLoggedInException
 * before any CSRF or app-state error could be reported. Util::callRegister()
 * runs unconditionally ahead of the CSRF check so that a token is registered
 * even if a later middleware closes the session.
 *
 * @param string $controller the controller name or object
 * @param string $methodName the name of the method
 * @throws SecurityException when a security check fails
 */
public function beforeController($controller, $methodName) {
	// Mark this app's entry in the navigation as active. Only meaningful for
	// normal HTML requests, not for AJAX requests.
	$this->navigationManager->setActiveEntry($this->appName);

	$reflector = $this->reflector;

	// --- authentication -------------------------------------------------
	$requiresLogin = !$reflector->hasAnnotation('PublicPage');
	if ($requiresLogin && !$this->isLoggedIn) {
		throw new NotLoggedInException();
	}

	// --- authorisation ----------------------------------------------------
	// Admin is the default; only login-protected methods may opt out of it.
	$requiresAdmin = $requiresLogin && !$reflector->hasAnnotation('NoAdminRequired');
	if ($requiresAdmin && !$this->isAdminUser) {
		throw new NotAdminException();
	}

	// --- CSRF ---------------------------------------------------------------
	// Register the token before checking: the session may be closed later.
	Util::callRegister();
	if (!$reflector->hasAnnotation('NoCSRFRequired') && !$this->request->passesCSRFCheck()) {
		throw new CrossSiteRequestForgeryException();
	}

	// --- app enabled --------------------------------------------------------
	// FIXME: use DI once available.
	// isEnabled() also covers whether the current user may access the app.
	// Components such as settings use the AppFramework without being an
	// installed app; getAppPath() returns false for them, so they skip this.
	$appPath = \OC_App::getAppPath($this->appName);
	if ($appPath !== false && !\OC_App::isEnabled($this->appName)) {
		throw new AppNotEnabledException();
	}
}
/**
 * Runs after a successful controller method call (middlewares run in reverse
 * order here). For a method annotated with @CORS whose request carries an
 * Origin header, that origin is echoed back in Access-Control-Allow-Origin.
 * Every other request is passed through untouched.
 *
 * Because the allowed origin is reflected rather than matched against an
 * allow-list, the response must never also carry
 * Access-Control-Allow-Credentials: true — that combination would let any
 * site perform credentialed (cookie-authenticated) cross-origin requests,
 * i.e. CSRF. Such a response is rejected with a SecurityException rather than
 * sent.
 *
 * NOTE(review): this method does not add "Vary: Origin". A reflected
 * Access-Control-Allow-Origin on a cacheable response could be served by an
 * intermediate cache to a different origin — confirm whether CORS responses
 * can be cached upstream before relying on this.
 *
 * @param Controller $controller the controller that was called
 * @param string $methodName the name of the method that was called on the controller
 * @param Response $response the response generated by the controller
 * @return Response the response, with Access-Control-Allow-Origin added for CORS requests
 * @throws SecurityException if a CORS response allows credentials
 */
public function afterController($controller, $methodName, Response $response) {
	$hasOrigin = isset($this->request->server['HTTP_ORIGIN']);
	if (!$hasOrigin || !$this->reflector->hasAnnotation('CORS')) {
		return $response;
	}

	// Header names are matched case-insensitively, values trimmed.
	foreach ($response->getHeaders() as $name => $value) {
		if (strtolower($name) !== 'access-control-allow-credentials') {
			continue;
		}
		if (strtolower(trim($value)) === 'true') {
			throw new SecurityException(
				'Access-Control-Allow-Credentials must not be ' .
				'set to true in order to prevent CSRF'
			);
		}
	}

	$requestOrigin = $this->request->server['HTTP_ORIGIN'];
	$response->addHeader('Access-Control-Allow-Origin', $requestOrigin);

	return $response;
}
/**
 * A subadmin calling a method annotated with @NoSubadminRequired passes
 * beforeController(): the reflector is asked exactly once for that
 * annotation, answers true, and no exception is thrown.
 */
public function testBeforeControllerAsSubAdminWithExemption() {
	$this->reflector
		->expects($this->once())
		->method('hasAnnotation')
		->with('NoSubadminRequired')
		->will($this->returnValue(true));

	$this->subadminMiddlewareAsSubAdmin->beforeController($this->controller, 'foo');
}
/**
 * Reflecting EndController::test3 — by the test's name an override without a
 * docblock of its own — must report 'Annotation' as absent; i.e. annotations
 * from the parent method's docblock are presumably not inherited.
 */
public function testInheritanceOverrideNoDocblock() {
	$methodReflector = new ControllerMethodReflector();
	$methodReflector->reflect('Test\\AppFramework\\Utility\\EndController', 'test3');

	$hasAnnotation = $methodReflector->hasAnnotation('Annotation');
	$this->assertFalse($hasAnnotation);
}