/**
 * A policy stored with setContentSecurityPolicy() must be the very object
 * that getContentSecurityPolicy() hands back.
 */
public function testGetCsp() {
    $csp = new Http\ContentSecurityPolicy();
    $csp->allowInlineScript(true);

    $this->childResponse->setContentSecurityPolicy($csp);
    $stored = $this->childResponse->getContentSecurityPolicy();

    $this->assertEquals($csp, $stored);
}
/**
 * Renders the app's index page.
 *
 * The status service is consulted only to tell the template whether the
 * cron job is configured improperly ('cronWarning').
 *
 * The attached policy opens img-src, media-src and connect-src to any
 * origin ('*') and allows framing from youtube.com and player.vimeo.com
 * (each with and without the www. prefix).
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 */
public function index() {
    $status = $this->statusService->getStatus();
    $templateParams = [
        'cronWarning' => $status['warnings']['improperlyConfiguredCron'],
    ];
    $response = new TemplateResponse($this->appName, 'index', $templateParams);

    $csp = new ContentSecurityPolicy();
    // '*' on connect-src means page scripts may open requests to any origin.
    $csp->addAllowedImageDomain('*');
    $csp->addAllowedMediaDomain('*');
    $csp->addAllowedConnectDomain('*');
    $frameHosts = [
        'https://youtube.com',
        'https://www.youtube.com',
        'https://player.vimeo.com',
        'https://www.player.vimeo.com',
    ];
    foreach ($frameHosts as $frameHost) {
        $csp->addAllowedFrameDomain($frameHost);
    }
    $response->setContentSecurityPolicy($csp);

    return $response;
}
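/**
 * CAUTION: the @Stuff turn off security checks, for this page no admin is
 * required and no CSRF check. If you don't know what CSRF is, read
 * it up in the docs or you might create a security hole. This is
 * basically the only required method to add this exemption, don't
 * add it to any other method if you don't exactly know what it does
 *
 * Renders the 'main' template for the current user. The response carries a
 * policy that additionally permits data: URIs in img-src; nothing else is
 * widened.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $params = ['user' => $this->userId];

    $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
    // Only img-src is extended: data: lets inline (base64) images render.
    $csp->addAllowedImageDomain('data:');

    $response = new TemplateResponse('ownnote', 'main', $params);
    $response->setContentSecurityPolicy($csp);

    return $response;
}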
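/**
 * Renders the bookmarks main page.
 *
 * The absolute bookmarklet URL is passed to the template so the bookmarklet
 * can point back at this instance. The policy allows frame-src 'self' in
 * addition to the defaults.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $bookmarkletUrl = $this->urlgenerator->getAbsoluteURL('index.php/apps/bookmarks/bookmarklet');
    $params = [
        'user' => $this->userId,
        'bookmarkleturl' => $bookmarkletUrl,
    ];

    $policy = new ContentSecurityPolicy();
    // Same-origin frames only; no external host is added.
    $policy->addAllowedFrameDomain("'self'");

    $response = new TemplateResponse('bookmarks', 'main', $params);
    $response->setContentSecurityPolicy($policy);

    return $response;
}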
/**
 * showPdfViewer() must return the 'viewer' template with the 'blank'
 * layout and a policy allowing child-src 'self' and font-src data:.
 */
public function testShowPdfViewer() {
    $expectedPolicy = new ContentSecurityPolicy();
    $expectedPolicy->addAllowedChildSrcDomain('\'self\'');
    $expectedPolicy->addAllowedFontDomain('data:');

    $expected = new TemplateResponse(
        $this->appName,
        'viewer',
        ['urlGenerator' => $this->urlGenerator],
        'blank'
    );
    $expected->setContentSecurityPolicy($expectedPolicy);

    $actual = $this->controller->showPdfViewer();
    $this->assertEquals($expected, $actual);
}
/**
 * Renders the PDF viewer page (reachable without a login).
 *
 * The 'blank' layout is used and the policy additionally allows
 * child-src 'self' and font-src data:.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function showPdfViewer() {
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedChildSrcDomain('\'self\'');
    $policy->addAllowedFontDomain('data:');

    $templateParams = ['urlGenerator' => $this->urlGenerator];
    $response = new TemplateResponse($this->appName, 'viewer', $templateParams, 'blank');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * Renders the app management page.
 *
 * No @NoAdminRequired annotation is present, so the framework's admin check
 * still applies to this route. The policy additionally allows images from
 * https://apps.owncloud.com.
 *
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function viewApps() {
    $experimental = $this->config->getSystemValue('appstore.experimental.enabled', false);
    $params = ['experimentalEnabled' => $experimental];

    $this->navigationManager->setActiveEntry('core_apps');

    $response = new TemplateResponse($this->appName, 'apps', $params, 'user');

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('https://apps.owncloud.com');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
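/**
 * Renders the WebRTC page.
 *
 * frame-src is restricted to whatever Security::getAllowedIframeDomains()
 * returns; the previously commented-out wildcard ('*') variant has been
 * removed so it cannot be re-enabled by accident.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function webRTC() {
    $response = new TemplateResponse(Settings::APP_ID, 'webrtc', []);

    // Allow to embed iframes from the configured domain list only. The
    // entries are space-joined into a single source-list expression.
    $csp = new ContentSecurityPolicy();
    $csp->addAllowedFrameDomain(implode(' ', Security::getAllowedIframeDomains()));
    $response->setContentSecurityPolicy($csp);

    return $response;
}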
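/**
 * Renders the WebRTC page for logged-in users and guests alike.
 *
 * Guests (no user id) get the 'empty' layout and is_guest = true; users get
 * the 'user' layout. frame-src is restricted to whatever
 * Security::getAllowedIframeDomains() returns; the commented-out wildcard
 * variant has been removed.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @PublicPage
 *
 * @return TemplateResponse
 */
public function webRTC() {
    $isGuest = $this->userid === null;
    $params = ['is_guest' => $isGuest];
    $layout = $isGuest ? 'empty' : 'user';
    $response = new TemplateResponse(Settings::APP_ID, 'webrtc', $params, $layout);

    // Allow to embed iframes from the configured domain list only. The
    // entries are space-joined into a single source-list expression.
    $csp = new ContentSecurityPolicy();
    $csp->addAllowedFrameDomain(implode(' ', Security::getAllowedIframeDomains()));
    $response->setContentSecurityPolicy($csp);

    return $response;
}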
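/**
 * CAUTION: the @Stuff turn off security checks, for this page no admin is
 * required and no CSRF check. If you don't know what CSRF is, read
 * it up in the docs or you might create a security hole. This is
 * basically the only required method to add this exemption, don't
 * add it to any other method if you don't exactly know what it does
 *
 * Renders the 'main' template. On ownCloud 8.1 or newer a policy allowing
 * data: URIs in img-src is attached; older releases get the plain response
 * (the policy class is assumed not to exist there).
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $params = ['user' => $this->userId];
    $response = new TemplateResponse('ownmnote', 'main', $params);

    // Version gate: major > 8, or major == 8 with minor >= 1.
    // Components are cast to int so string-typed version parts compare
    // numerically; a missing minor component counts as 0.
    $ocVersion = \OCP\Util::getVersion();
    $major = (int) $ocVersion[0];
    $minor = isset($ocVersion[1]) ? (int) $ocVersion[1] : 0;
    if ($major > 8 || ($major === 8 && $minor >= 1)) {
        $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
        $csp->addAllowedImageDomain('data:');
        $response->setContentSecurityPolicy($csp);
    }

    return $response;
}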
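/**
 * Renders the passwords app main page.
 *
 * On ownCloud 8.0.x the plain template is returned; on any other version a
 * policy is attached that additionally allows images from
 * https://icons.duckduckgo.com and https://www.google.com.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $response = new TemplateResponse('passwords', 'main');

    // Version sniffing compares only the first three characters of the
    // human-readable version, so "8.0" is the sole branch without a policy.
    if (substr(\OC_Util::getHumanVersion(), 0, 3) === '8.0') {
        // OC =< 8.0.4
        return $response;
    }

    // OC >= 8.1
    $csp = new ContentSecurityPolicy();
    $csp->addAllowedImageDomain('https://icons.duckduckgo.com');
    $csp->addAllowedImageDomain('https://www.google.com');
    $response->setContentSecurityPolicy($csp);

    return $response;
}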
/**
 * Renders the notes main page.
 *
 * The last viewed note id is read from the user's settings and reset to 0
 * when the notes service reports that note as missing, so the template is
 * never handed a dangling id. The policy opens img-src to '*'.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $lastViewedNote = (int) $this->settings->getUserValue($this->userId, $this->appName, 'notesLastViewedNote');

    // check if note exists
    try {
        $this->notesService->get($lastViewedNote, $this->userId);
    } catch (NoteDoesNotExistException $ex) {
        $lastViewedNote = 0;
    }

    $csp = new ContentSecurityPolicy();
    $csp->addAllowedImageDomain('*');

    $templateParams = ['lastViewedNote' => $lastViewedNote];
    $response = new TemplateResponse($this->appName, 'main', $templateParams);
    $response->setContentSecurityPolicy($csp);

    return $response;
}
/**
 * Disallowing a child-src domain that was allowed earlier (plus one that
 * never was) must leave the policy without any child-src directive.
 */
public function testGetPolicyDisallowChildSrcDomainMultipleStakes() {
    $expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";

    $policy = $this->contentSecurityPolicy;
    $policy->addAllowedChildSrcDomain('www.owncloud.com');
    $policy->disallowChildSrcDomain('www.owncloud.org');
    $policy->disallowChildSrcDomain('www.owncloud.com');

    $this->assertSame($expectedPolicy, $policy->buildPolicy());
}
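/**
 * CAUTION: the @Stuff turn off security checks, for this page no admin is
 * required and no CSRF check. If you don't know what CSRF is, read
 * it up in the docs or you might create a security hole. This is
 * basically the only required method to add this exemption, don't
 * add it to any other method if you don't exactly know what it does
 *
 * Renders the passman main page. When the user value
 * 'firstpassmanrun'/'show' is 1 (the default) the 'firstrun' script is
 * loaded and two example items are created through the item API; the user
 * id 'test' is always treated as a first run. The policy allows
 * object-src 'self' and img-src data:.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $conf = \OCP\CONFIG::getUserValue(\OCP\User::getUser(), 'firstpassmanrun', 'show', 1);
    $params = ['user' => $this->userId];

    // NOTE(review): a hard-coded user id that forces the first-run path looks
    // like a leftover test hook; confirm it is intended in production code.
    $conf = $this->userId === 'test' ? 1 : $conf;

    // The stored value may be a string ('1') or an int; compare numerically.
    if ((int) $conf === 1) {
        \OCP\Util::addscript('passman', 'firstrun');
        $exampleItems = [
            [
                'label' => 'Item 1',
                'tags' => [['text' => 'Example tag'], ['text' => 'Example tag 2']],
            ],
            [
                'label' => 'Item 2',
                'tags' => [['text' => 'Example tag 2'], ['text' => 'Example tag 3']],
            ],
        ];
        foreach ($exampleItems as $item) {
            $this->itemAPI->create('', '', '', '', '', $item['label'], '', '', '', '', $item['tags'], []);
        }
    }

    $response = new TemplateResponse('passman', 'main', $params); // templates/main.php
    $csp = new ContentSecurityPolicy();
    $csp->addAllowedObjectDomain('\'self\'');
    $csp->addAllowedImageDomain('data:');
    $response->setContentSecurityPolicy($csp);

    return $response;
}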
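/**
 * Renders the documents app landing page.
 *
 * Template parameters come from system, app and user settings; the upload
 * limits are derived from \OCP\Util::maxUploadFilesize("/").
 *
 * The attached policy is far wider than the framework default: script-src
 * and frame-src accept two plain-http CDN URLs plus 'unsafe-eval', inline
 * scripts are permitted, img-src is '*', font-src allows data: and
 * connect-src includes a ws:// endpoint on port 9980 built from
 * $_SERVER['SERVER_NAME']. The commented-out child-src line has been
 * dropped.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    \OC::$server->getNavigationManager()->setActiveEntry('documents_index');

    $maxUploadFilesize = \OCP\Util::maxUploadFilesize("/");
    $response = new TemplateResponse('documents', 'documents', [
        'enable_previews' => $this->settings->getSystemValue('enable_previews', true),
        'useUnstable' => $this->settings->getAppValue('documents', 'unstable', 'false'),
        'savePath' => $this->settings->getUserValue($this->uid, 'documents', 'save_path', '/'),
        'uploadMaxFilesize' => $maxUploadFilesize,
        'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($maxUploadFilesize),
        'allowShareWithLink' => $this->settings->getAppValue('core', 'shareapi_allow_links', 'yes'),
    ]);

    // One source list shared by script-src and frame-src. Both CDN entries
    // are http:// (not https://) and 'unsafe-eval' is granted.
    $externalSources = '\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\'';

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedScriptDomain($externalSources);
    $policy->addAllowedFrameDomain($externalSources);
    // NOTE(review): SERVER_NAME is set by the web server and, depending on its
    // configuration, can mirror the request's Host header; a trusted-host
    // value from the request object would be the safer source. Confirm.
    $policy->addAllowedConnectDomain('ws://' . $_SERVER['SERVER_NAME'] . ':9980');
    $policy->addAllowedImageDomain('*');
    $policy->allowInlineScript(true);
    $policy->addAllowedFontDomain('data:');
    $response->setContentSecurityPolicy($policy);

    return $response;
}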
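/**
 * Renders the pad viewer for a pad file.
 *
 * The file's content is expected to contain a line "URL=<pad url>"; that
 * URL is normalized (decoded, spaces turned into underscores, path
 * segments raw-url-encoded) and handed to the 'viewer' template. No scheme
 * or host check is performed here — the URL comes from user-controlled file
 * content, so the template is responsible for escaping it.
 *
 * The response policy allows framing the configured Etherpad and Ethercalc
 * hosts (app config 'ownpad_etherpad_host' / 'ownpad_ethercalc_host');
 * unset hosts are skipped.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @param string $file file name inside $dir
 * @param string $dir  directory containing the file
 * @return TemplateResponse
 */
public function showPad($file, $dir) {
    /* Retrieve file content to find pad’s URL */
    $content = \OC\Files\Filesystem::file_get_contents($dir . "/" . $file);
    // A file without a URL= line used to trigger an undefined-index notice
    // and a null URL; fall back to an empty URL explicitly instead.
    $url = preg_match('/URL=(.*)$/', $content, $matches) === 1 ? $matches[1] : '';
    $title = $file;

    /* Not totally sure that this is the right way to proceed…
     *
     * First we decode the URL (to avoid double encode), then we
     * replace spaces with underscore (as they are converted as
     * such by Etherpad), then we encode the URL properly (and we
     * avoid to urlencode() the protocol scheme).
     *
     * Magic urlencode() function was stolen from this answer on
     * StackOverflow: <http://stackoverflow.com/a/7974253>.
     */
    $url = urldecode($url);
    $url = str_replace(' ', '_', $url);
    $url = preg_replace_callback('#://([^/]+)/([^?]+)#', function ($match) {
        $segments = array_map('rawurlencode', explode('/', $match[2]));
        return '://' . $match[1] . '/' . implode('/', $segments);
    }, $url);

    $params = [
        'urlGenerator' => $this->urlGenerator,
        'url' => $url,
        'title' => $title,
    ];
    $response = new TemplateResponse($this->appName, 'viewer', $params, 'blank');

    /* Allow Etherpad and Ethercalc domains to the
     * Content-Security-frame- list.
     *
     * This feature was introduced in ownCloud 8.1.
     */
    $policy = new ContentSecurityPolicy();
    $appConfig = \OC::$server->getAppConfig();
    // Only add hosts that are actually configured; an empty string is
    // never pushed into frame-src.
    foreach (['ownpad_etherpad_host', 'ownpad_ethercalc_host'] as $configKey) {
        $host = $appConfig->getValue('ownpad', $configKey, '');
        if ($host !== '') {
            $policy->addAllowedFrameDomain($host);
        }
    }
    $response->setContentSecurityPolicy($policy);

    return $response;
}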
/**
 * Every setter applied in sequence must show up in the built policy, with
 * inline styles and eval disabled.
 */
public function testConfigureStacked() {
    $expectedPolicy = "default-src 'none';script-src 'self' script.owncloud.org;style-src 'self' style.owncloud.org;img-src 'self' img.owncloud.org;font-src 'self' font.owncloud.org;connect-src 'self' connect.owncloud.org;media-src 'self' media.owncloud.org;object-src objects.owncloud.org;frame-src frame.owncloud.org;child-src child.owncloud.org";

    $policy = $this->contentSecurityPolicy;
    $policy->allowInlineStyle(false);
    $policy->allowEvalScript(false);
    $policy->addAllowedScriptDomain('script.owncloud.org');
    $policy->addAllowedStyleDomain('style.owncloud.org');
    $policy->addAllowedFontDomain('font.owncloud.org');
    $policy->addAllowedImageDomain('img.owncloud.org');
    $policy->addAllowedConnectDomain('connect.owncloud.org');
    $policy->addAllowedMediaDomain('media.owncloud.org');
    $policy->addAllowedObjectDomain('objects.owncloud.org');
    $policy->addAllowedChildSrcDomain('child.owncloud.org');
    $policy->addAllowedFrameDomain('frame.owncloud.org');

    $this->assertSame($expectedPolicy, $policy->buildPolicy());
}
/**
 * Renders the reader page (reachable without a login) with the 'blank'
 * layout.
 *
 * The policy additionally allows child-src and frame-src 'self' plus
 * blob: URIs for styles and images.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function showReader() {
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedChildSrcDomain('\'self\'');
    $policy->addAllowedFrameDomain('\'self\'');
    $policy->addAllowedStyleDomain('blob:');
    $policy->addAllowedImageDomain('blob:');

    $templateParams = ['urlGenerator' => $this->urlGenerator];
    $response = new TemplateResponse($this->appName, 'reader', $templateParams, 'blank');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * Returns the rendered HTML body of a message.
 *
 * Inline attachments referenced by Content-ID are resolved to attachment
 * ids through the callback handed to getHtmlBody(). When the policy class
 * is available the response is hardened: eval is disabled and script-src,
 * connect-src, font-src and media-src lose 'self'. Any exception is turned
 * into an 'error' template response that carries the exception message.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @param int $accountId
 * @param string $folderId
 * @param string $messageId
 * @return \OCA\Mail\Http\HtmlResponse
 */
public function getHtmlBody($accountId, $folderId, $messageId) {
    try {
        $mailBox = $this->getFolder($accountId, $folderId);
        $message = $mailBox->getMessage($messageId, true);

        // Map a Content-ID to the id of the first attachment with that cid,
        // or null when none matches.
        $resolveCid = function ($cid) use ($message) {
            foreach ($message->attachments as $attachment) {
                if ($attachment['cid'] === $cid) {
                    return $attachment['id'];
                }
            }
            return null;
        };

        $html = $message->getHtmlBody($accountId, $folderId, $messageId, $resolveCid);
        $htmlResponse = new HtmlResponse($html);

        // Harden the default security policy
        // FIXME: Remove once ownCloud 8.1 is a requirement for the mail app
        if (class_exists('\\OCP\\AppFramework\\Http\\ContentSecurityPolicy')) {
            $policy = new ContentSecurityPolicy();
            $policy->allowEvalScript(false);
            // The mail body is third-party content: deny it scripts,
            // connections, fonts and media from our own origin.
            $policy->disallowScriptDomain('\'self\'');
            $policy->disallowConnectDomain('\'self\'');
            $policy->disallowFontDomain('\'self\'');
            $policy->disallowMediaDomain('\'self\'');
            $htmlResponse->setContentSecurityPolicy($policy);
        }

        // Enable caching
        $htmlResponse->cacheFor(60 * 60);
        $htmlResponse->addHeader('Pragma', 'cache');

        return $htmlResponse;
    } catch (\Exception $ex) {
        // The raw exception message reaches the template; it is expected to
        // escape it.
        $errorParams = ['message' => $ex->getMessage()];
        return new TemplateResponse($this->appName, 'error', $errorParams, 'none');
    }
}
/**
 * Attaches a Content-Security-Policy that allows `data:` URIs as a font
 * source (font-src) to the given response.
 *
 * The response object is modified in place (objects are passed by handle),
 * so nothing is returned.
 *
 * @param TemplateResponse $response the response that receives the policy
 * @return void
 */
private function addContentSecurityToResponse($response) {
    $policy = new Http\ContentSecurityPolicy();
    // font-src, not img-src: the data: allowance applies to fonts only.
    $policy->addAllowedFontDomain("data:");
    $response->setContentSecurityPolicy($policy);
}
/**
 * CAUTION: the @Stuff turns off security checks; for this page no admin is
 * required and no CSRF check. If you don't know what CSRF is, read
 * it up in the docs or you might create a security hole. This is
 * basically the only required method to add this exemption, don't
 * add it to any other method if you don't exactly know what it does
 *
 * Renders the 'container' template when the session's targetType equals
 * TargetType::PROJECT, otherwise the 'target' template. The policy opens
 * connect-src to '*'.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $params = [
        'user' => $this->userId,
        'uploadLimit' => Util::uploadLimit(),
    ];

    // The session value is compared loosely (==) to the constant.
    $isProject = isset($_SESSION['targetType'])
        && $_SESSION['targetType'] == TargetType::PROJECT;
    $templateName = $isProject ? 'container' : 'target';

    /** @var TemplateResponse $response */
    $response = new TemplateResponse('pkdrive', $templateName, $params);

    /** @var ContentSecurityPolicy $csp */
    $csp = new ContentSecurityPolicy();
    // connect-src '*': page scripts may open requests to any origin.
    $csp->addAllowedConnectDomain('*');
    $response->setContentSecurityPolicy($csp);

    return $response;
}
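/**
 * Renders the richdocuments landing page.
 *
 * The configured WOPI URL (app value 'wopi_url') must parse to a scheme and
 * host; otherwise an error response asks the administrator to check the
 * Collabora Online server setting. From that URL a websocket endpoint is
 * derived (wss:// for https, ws:// otherwise, port preserved) and passed to
 * the template as 'wopi_url' and to connect-src.
 *
 * The policy adds the full configured WOPI URL (not just its origin) and two
 * plain-http CDN URLs plus 'unsafe-eval' to script-src, frame-src and
 * child-src, permits inline scripts, widens img-src to '*' and font-src to
 * data:.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $wopiRemote = $this->appConfig->getAppValue('wopi_url');
    $parts = parse_url($wopiRemote);
    // parse_url() returns false on malformed input; scheme and host are both
    // required to build the websocket URL.
    if (!$parts || !isset($parts['scheme']) || !isset($parts['host'])) {
        return $this->responseError(
            $this->l10n->t('Collabora Online: Invalid URL "%s".', [$wopiRemote]),
            $this->l10n->t('Please ask your administrator to check the Collabora Online server setting.')
        );
    }

    $webSocketProtocol = $parts['scheme'] === 'https' ? 'wss://' : 'ws://';
    $webSocket = sprintf(
        '%s%s%s',
        $webSocketProtocol,
        $parts['host'],
        isset($parts['port']) ? ':' . $parts['port'] : ''
    );

    \OC::$server->getNavigationManager()->setActiveEntry('richdocuments_index');

    $maxUploadFilesize = \OCP\Util::maxUploadFilesize("/");
    $response = new TemplateResponse('richdocuments', 'documents', [
        'enable_previews' => $this->settings->getSystemValue('enable_previews', true),
        'uploadMaxFilesize' => $maxUploadFilesize,
        'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($maxUploadFilesize),
        'allowShareWithLink' => $this->settings->getAppValue('core', 'shareapi_allow_links', 'yes'),
        'wopi_url' => $webSocket,
    ]);

    // One source list shared by script-src, frame-src and child-src. Both
    // CDN entries are http:// and 'unsafe-eval' is granted.
    $scriptSources = '\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\' ' . $wopiRemote;

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedScriptDomain($scriptSources);
    /* frame-src is deprecated on Firefox, but Safari wants it! */
    $policy->addAllowedFrameDomain($scriptSources);
    $policy->addAllowedChildSrcDomain($scriptSources);
    $policy->addAllowedConnectDomain($webSocket);
    $policy->addAllowedImageDomain('*');
    $policy->allowInlineScript(true);
    $policy->addAllowedFontDomain('data:');
    $response->setContentSecurityPolicy($policy);

    return $response;
}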
/**
 * Renders the public page of a link share.
 *
 * Looks the share up by its token, enforces the share password when one is
 * set, appends the optional sub-path, fills the template parameters and,
 * for folders, renders the file list. The response policy allows
 * frame-src 'self'.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @param string $token public share token from the URL
 * @param string $path  sub-path inside the shared folder, '' for its root
 * @return TemplateResponse|RedirectResponse redirect to the authenticate
 *         route when the share is password protected and not yet unlocked
 * @throws OCP\Files\NotFoundException when the resolved path is not readable
 */
public function showShare($token, $path = '') {
    // NOTE(review): presumably hides the logged-in user for this public
    // request — confirm against OC_User.
    \OC_User::setIncognitoMode(true);

    // Check whether share exists
    $linkItem = Share::getShareByToken($token, false);
    if ($linkItem === false) {
        return new NotFoundResponse();
    }

    $shareOwner = $linkItem['uid_owner'];
    $originalSharePath = $this->getPath($token);

    // Share is password protected - check whether the user is permitted to access the share
    if (isset($linkItem['share_with']) && !Helper::authenticate($linkItem)) {
        return new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate', array('token' => $token)));
    }

    // $path comes straight from the request and is appended to the share
    // root as-is; only the copy handed to the template ($getPath) is
    // normalized. NOTE(review): confirm that Filesystem::isReadable()
    // normalizes its argument so that the unnormalized concatenation cannot
    // escape the share root.
    if (Filesystem::isReadable($originalSharePath . $path)) {
        $getPath = Filesystem::normalizePath($path);
        $originalSharePath .= $path;
    } else {
        throw new OCP\Files\NotFoundException();
    }

    $file = basename($originalSharePath);

    $shareTmpl = [];
    $shareTmpl['displayName'] = User::getDisplayName($shareOwner);
    $shareTmpl['filename'] = $file;
    $shareTmpl['directory_path'] = $linkItem['file_target'];
    $shareTmpl['mimetype'] = Filesystem::getMimeType($originalSharePath);
    $shareTmpl['previewSupported'] = \OC::$server->getPreviewManager()->isMimeSupported($shareTmpl['mimetype']);
    $shareTmpl['dirToken'] = $linkItem['token'];
    $shareTmpl['sharingToken'] = $token;
    $shareTmpl['server2serversharing'] = Helper::isOutgoingServer2serverShareEnabled();
    // String flags, not booleans: the template expects 'true'/'false'.
    $shareTmpl['protected'] = isset($linkItem['share_with']) ? 'true' : 'false';
    $shareTmpl['dir'] = '';
    $nonHumanFileSize = \OC\Files\Filesystem::filesize($originalSharePath);
    $shareTmpl['nonHumanFileSize'] = $nonHumanFileSize;
    $shareTmpl['fileSize'] = \OCP\Util::humanFileSize($nonHumanFileSize);

    // Show file list
    if (Filesystem::is_dir($originalSharePath)) {
        $shareTmpl['dir'] = $getPath;
        $maxUploadFilesize = Util::maxUploadFilesize($originalSharePath);
        $freeSpace = Util::freeSpace($originalSharePath);
        $uploadLimit = Util::uploadLimit();
        // Read-only public listing: PERMISSION_READ and no public upload.
        $folder = new Template('files', 'list', '');
        $folder->assign('dir', $getPath);
        $folder->assign('dirToken', $linkItem['token']);
        $folder->assign('permissions', \OCP\Constants::PERMISSION_READ);
        $folder->assign('isPublic', true);
        $folder->assign('publicUploadEnabled', 'no');
        $folder->assign('uploadMaxFilesize', $maxUploadFilesize);
        $folder->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize));
        $folder->assign('freeSpace', $freeSpace);
        $folder->assign('uploadLimit', $uploadLimit); // PHP upload limit
        $folder->assign('usedSpacePercent', 0);
        $folder->assign('trash', false);
        $shareTmpl['folder'] = $folder->fetchPage();
    }

    $shareTmpl['downloadURL'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.downloadShare', array('token' => $token));
    $shareTmpl['maxSizeAnimateGif'] = $this->config->getSystemValue('max_filesize_animated_gifs_public_sharing', 10);

    // Same-origin frames only, on top of the framework default policy.
    $csp = new OCP\AppFramework\Http\ContentSecurityPolicy();
    $csp->addAllowedFrameDomain('\'self\'');
    $response = new TemplateResponse($this->appName, 'public', $shareTmpl, 'base');
    $response->setContentSecurityPolicy($csp);
    return $response;
}
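/**
 * Renders the LibreOffice Online page (reachable without a login).
 *
 * The attached policy opens every source directive listed below to any
 * origin ('*') and enables inline scripts, inline styles and eval — in
 * effect the page is served with no Content-Security-Policy restriction at
 * all. This is the only change to the code: the capitalised `True` literals
 * are replaced by the conventional lowercase `true`.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function showLibreOnline() {
    $params = ['urlGenerator' => $this->urlGenerator];
    $response = new TemplateResponse($this->appName, 'online', $params, 'blank');

    $policy = new ContentSecurityPolicy();
    // All of these directives are opened to '*'.
    $policy->addAllowedChildSrcDomain('*');
    $policy->addAllowedScriptDomain('*');
    $policy->addAllowedConnectDomain('*');
    $policy->addAllowedStyleDomain('*');
    $policy->addAllowedMediaDomain('*');
    $policy->addAllowedFontDomain('*');
    $policy->addAllowedImageDomain('*');
    $policy->addAllowedFrameDomain('*');
    $policy->addAllowedObjectDomain('*');
    // Inline script/style and eval are all permitted.
    $policy->allowInlineScript(true);
    $policy->allowInlineStyle(true);
    $policy->allowEvalScript(true);
    $response->setContentSecurityPolicy($policy);

    return $response;
}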
/**
 * For a non-IE8 user agent index() must render the full navigation (six
 * entries in order) and the 'index' template, with a policy allowing
 * frame-src 'self'. The stubbed storage info and app values fix the
 * expected template parameters.
 */
public function testIndexWithRegularBrowser() {
    // Not IE8, so no hash-redirect branch is taken.
    $this->request->expects($this->once())->method('isUserAgent')->with(['/MSIE 8.0/'])->will($this->returnValue(false));
    $this->viewController->expects($this->once())->method('getStorageInfo')->will($this->returnValue(['relative' => 123, 'owner' => 'MyName', 'ownerDisplayName' => 'MyDisplayName']));
    // getAppValue() returns its default argument, so the share-related
    // template values below are the defaults.
    $this->config->expects($this->any())->method('getAppValue')->will($this->returnArgument(2));

    $nav = new Template('files', 'appnavigation');
    $nav->assign('navigationItems', [
        0 => ['id' => 'files', 'appname' => 'files', 'script' => 'list.php', 'order' => 0, 'name' => new \OC_L10N_String(new \OC_L10N('files'), 'All files', []), 'active' => false, 'icon' => ''],
        1 => ['id' => 'favorites', 'appname' => 'files', 'script' => 'simplelist.php', 'order' => 5, 'name' => null, 'active' => false, 'icon' => ''],
        2 => ['id' => 'sharingin', 'appname' => 'files_sharing', 'script' => 'list.php', 'order' => 10, 'name' => new \OC_L10N_String(new \OC_L10N('files_sharing'), 'Shared with you', []), 'active' => false, 'icon' => ''],
        3 => ['id' => 'sharingout', 'appname' => 'files_sharing', 'script' => 'list.php', 'order' => 15, 'name' => new \OC_L10N_String(new \OC_L10N('files_sharing'), 'Shared with others', []), 'active' => false, 'icon' => ''],
        4 => ['id' => 'sharinglinks', 'appname' => 'files_sharing', 'script' => 'list.php', 'order' => 20, 'name' => new \OC_L10N_String(new \OC_L10N('files_sharing'), 'Shared by link', []), 'active' => false, 'icon' => ''],
        5 => ['id' => 'trashbin', 'appname' => 'files_trashbin', 'script' => 'list.php', 'order' => 50, 'name' => new \OC_L10N_String(new \OC_L10N('files_trashbin'), 'Deleted files', []), 'active' => false, 'icon' => ''],
    ]);

    $expected = new Http\TemplateResponse('files', 'index', [
        'usedSpacePercent' => 123,
        'owner' => 'MyName',
        'ownerDisplayName' => 'MyDisplayName',
        'isPublic' => false,
        'mailNotificationEnabled' => 'no',
        'mailPublicNotificationEnabled' => 'no',
        'allowShareWithLink' => 'yes',
        'appNavigation' => $nav,
        // renderScript() is not stubbed here, so every content entry is null.
        'appContents' => [
            0 => ['id' => 'files', 'content' => null],
            1 => ['id' => 'favorites', 'content' => null],
            2 => ['id' => 'sharingin', 'content' => null],
            3 => ['id' => 'sharingout', 'content' => null],
            4 => ['id' => 'sharinglinks', 'content' => null],
            5 => ['id' => 'trashbin', 'content' => null],
        ],
    ]);
    $policy = new Http\ContentSecurityPolicy();
    $policy->addAllowedFrameDomain('\'self\'');
    $expected->setContentSecurityPolicy($policy);

    $this->assertEquals($expected, $this->viewController->index('MyDir', 'MyView'));
}
/**
 * Renders the files app index page.
 *
 * Registers the scripts and styles the page needs, redirects IE8 clients
 * to a hash-based URL when dir/view were given as query parameters, builds
 * the navigation (including the 'favorites' entry) and the per-entry
 * content, and returns the 'index' template with a policy that allows
 * frame-src 'self'.
 *
 * @NoCSRFRequired
 * @NoAdminRequired
 *
 * @param string $dir  directory to open, '' for the default
 * @param string $view navigation view to activate, '' for the default
 * @return TemplateResponse (a RedirectResponse for the IE8 hash redirect)
 * @throws \OCP\Files\NotFoundException
 */
public function index($dir = '', $view = '') {
    $nav = new \OCP\Template('files', 'appnavigation', '');

    // Load the files we need
    \OCP\Util::addStyle('files', 'files');
    \OCP\Util::addStyle('files', 'upload');
    \OCP\Util::addStyle('files', 'mobile');
    \OCP\Util::addscript('files', 'app');
    \OCP\Util::addscript('files', 'file-upload');
    \OCP\Util::addscript('files', 'newfilemenu');
    \OCP\Util::addscript('files', 'jquery.iframe-transport');
    \OCP\Util::addscript('files', 'jquery.fileupload');
    \OCP\Util::addscript('files', 'jquery-visibility');
    \OCP\Util::addscript('files', 'fileinfomodel');
    \OCP\Util::addscript('files', 'filesummary');
    \OCP\Util::addscript('files', 'breadcrumb');
    \OCP\Util::addscript('files', 'filelist');
    \OCP\Util::addscript('files', 'search');
    \OCP\Util::addScript('files', 'favoritesfilelist');
    \OCP\Util::addScript('files', 'tagsplugin');
    \OCP\Util::addScript('files', 'favoritesplugin');
    \OCP\Util::addScript('files', 'detailfileinfoview');
    \OCP\Util::addScript('files', 'detailtabview');
    \OCP\Util::addScript('files', 'mainfileinfodetailview');
    \OCP\Util::addScript('files', 'detailsview');
    \OCP\Util::addStyle('files', 'detailsView');
    \OC_Util::addVendorScript('core', 'handlebars/handlebars');
    \OCP\Util::addscript('files', 'fileactions');
    \OCP\Util::addscript('files', 'fileactionsmenu');
    \OCP\Util::addscript('files', 'files');
    \OCP\Util::addscript('files', 'keyboardshortcuts');
    \OCP\Util::addscript('files', 'navigation');

    // if IE8 and "?dir=path&view=someview" was specified, reformat the URL to use a hash like "#?dir=path&view=someview"
    $isIE8 = $this->request->isUserAgent([Request::USER_AGENT_IE_8]);
    if ($isIE8 && ($dir !== '' || $view !== '')) {
        $dir = !empty($dir) ? $dir : '/';
        $view = !empty($view) ? $view : 'files';
        // Both user-supplied values are encoded before they go into the
        // fragment: the path via encodePath(), the view via urlencode().
        $hash = '#?dir=' . \OCP\Util::encodePath($dir);
        if ($view !== 'files') {
            $hash .= '&view=' . urlencode($view);
        }
        return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index') . $hash);
    }

    // mostly for the home storage's free space
    // FIXME: Make non static
    $storageInfo = $this->getStorageInfo();

    \OCA\Files\App::getNavigationManager()->add(['id' => 'favorites', 'appname' => 'files', 'script' => 'simplelist.php', 'order' => 5, 'name' => $this->l10n->t('Favorites')]);
    $navItems = \OCA\Files\App::getNavigationManager()->getAll();
    // Sort by the numeric 'order' key.
    usort($navItems, function ($item1, $item2) {
        return $item1['order'] - $item2['order'];
    });
    $nav->assign('navigationItems', $navItems);

    $contentItems = [];
    // render the container content for every navigation item
    foreach ($navItems as $item) {
        $content = '';
        if (isset($item['script'])) {
            $content = $this->renderScript($item['appname'], $item['script']);
        }
        $contentItem = [];
        $contentItem['id'] = $item['id'];
        $contentItem['content'] = $content;
        $contentItems[] = $contentItem;
    }

    // Lets other apps register additional scripts before the page is built.
    $this->eventDispatcher->dispatch('OCA\\Files::loadAdditionalScripts');

    $params = [];
    $params['usedSpacePercent'] = (int) $storageInfo['relative'];
    $params['owner'] = $storageInfo['owner'];
    $params['ownerDisplayName'] = $storageInfo['ownerDisplayName'];
    $params['isPublic'] = false;
    $params['mailNotificationEnabled'] = $this->config->getAppValue('core', 'shareapi_allow_mail_notification', 'no');
    $params['mailPublicNotificationEnabled'] = $this->config->getAppValue('core', 'shareapi_allow_public_notification', 'no');
    $params['allowShareWithLink'] = $this->config->getAppValue('core', 'shareapi_allow_links', 'yes');
    $params['appNavigation'] = $nav;
    $params['appContents'] = $contentItems;

    $this->navigationManager->setActiveEntry('files_index');

    $response = new TemplateResponse($this->appName, 'index', $params);
    // Same-origin frames only, on top of the framework default policy.
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedFrameDomain('\'self\'');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * Renders the public page of a link share (share-manager based variant).
 *
 * Looks the share up by its token, enforces the share password when one is
 * set, resolves the optional sub-path through the shared folder node, fills
 * the template parameters and, for folders, renders the file list. The
 * response policy allows frame-src 'self'.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @param string $token public share token from the URL
 * @param string $path  sub-path inside the shared folder, '' for its root
 * @return TemplateResponse|RedirectResponse redirect to the authenticate
 *         route when the share is password protected and not yet unlocked
 * @throws NotFoundException when a sub-path is given for a file share or
 *         the sub-path does not exist inside the shared folder
 */
public function showShare($token, $path = '') {
    // NOTE(review): presumably hides the logged-in user for this public
    // request — confirm against OC_User.
    \OC_User::setIncognitoMode(true);

    // Check whether share exists
    try {
        $share = $this->shareManager->getShareByToken($token);
    } catch (\OC\Share20\Exception\ShareNotFound $e) {
        return new NotFoundResponse();
    }

    // Share is password protected - check whether the user is permitted to access the share
    if ($share->getPassword() !== null && !$this->linkShareAuth($share)) {
        return new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate', array('token' => $token)));
    }

    // We can't get the path of a file share
    if ($share->getNode() instanceof \OCP\Files\File && $path !== '') {
        throw new NotFoundException();
    }

    // For folder shares the request's sub-path is resolved relative to the
    // shared folder node; from here on $path is a node, not a string.
    $rootFolder = null;
    if ($share->getNode() instanceof \OCP\Files\Folder) {
        /** @var \OCP\Files\Folder $rootFolder */
        $rootFolder = $share->getNode();
        try {
            $path = $rootFolder->get($path);
        } catch (\OCP\Files\NotFoundException $e) {
            throw new NotFoundException();
        }
    }

    $shareTmpl = [];
    $shareTmpl['displayName'] = $share->getShareOwner()->getDisplayName();
    $shareTmpl['owner'] = $share->getShareOwner()->getUID();
    $shareTmpl['filename'] = $share->getNode()->getName();
    $shareTmpl['directory_path'] = $share->getTarget();
    $shareTmpl['mimetype'] = $share->getNode()->getMimetype();
    $shareTmpl['previewSupported'] = $this->previewManager->isMimeSupported($share->getNode()->getMimetype());
    $shareTmpl['dirToken'] = $token;
    $shareTmpl['sharingToken'] = $token;
    $shareTmpl['server2serversharing'] = Helper::isOutgoingServer2serverShareEnabled();
    // String flags, not booleans: the template expects 'true'/'false'.
    $shareTmpl['protected'] = $share->getPassword() !== null ? 'true' : 'false';
    $shareTmpl['dir'] = '';
    $shareTmpl['nonHumanFileSize'] = $share->getNode()->getSize();
    $shareTmpl['fileSize'] = \OCP\Util::humanFileSize($share->getNode()->getSize());

    // Show file list
    if ($share->getNode() instanceof \OCP\Files\Folder) {
        $shareTmpl['dir'] = $rootFolder->getRelativePath($path->getPath());

        /*
         * The OC_Util methods require a view. This just uses the node API
         */
        $freeSpace = $share->getNode()->getStorage()->free_space($share->getNode()->getInternalPath());
        if ($freeSpace !== \OCP\Files\FileInfo::SPACE_UNKNOWN) {
            $freeSpace = max($freeSpace, 0);
        } else {
            $freeSpace = INF > 0 ? INF : PHP_INT_MAX; // work around https://bugs.php.net/bug.php?id=69188
        }

        $uploadLimit = Util::uploadLimit();
        $maxUploadFilesize = min($freeSpace, $uploadLimit);

        // Read-only public listing: PERMISSION_READ and no public upload.
        $folder = new Template('files', 'list', '');
        $folder->assign('dir', $rootFolder->getRelativePath($path->getPath()));
        $folder->assign('dirToken', $token);
        $folder->assign('permissions', \OCP\Constants::PERMISSION_READ);
        $folder->assign('isPublic', true);
        $folder->assign('publicUploadEnabled', 'no');
        $folder->assign('uploadMaxFilesize', $maxUploadFilesize);
        $folder->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize));
        $folder->assign('freeSpace', $freeSpace);
        $folder->assign('uploadLimit', $uploadLimit); // PHP upload limit
        $folder->assign('usedSpacePercent', 0);
        $folder->assign('trash', false);
        $shareTmpl['folder'] = $folder->fetchPage();
    }

    $shareTmpl['downloadURL'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.downloadShare', array('token' => $token));
    $shareTmpl['maxSizeAnimateGif'] = $this->config->getSystemValue('max_filesize_animated_gifs_public_sharing', 10);
    $shareTmpl['previewEnabled'] = $this->config->getSystemValue('enable_previews', true);

    // Same-origin frames only, on top of the framework default policy.
    $csp = new OCP\AppFramework\Http\ContentSecurityPolicy();
    $csp->addAllowedFrameDomain('\'self\'');
    $response = new TemplateResponse($this->appName, 'public', $shareTmpl, 'base');
    $response->setContentSecurityPolicy($csp);
    return $response;
}
/**
 * Renders the app management page for the given category.
 *
 * When getCategory() maps the input to CAT_ENABLED the category string is
 * replaced by the fixed value 'enabled' before it is placed into the
 * template. NOTE(review): for other categories the raw request string
 * reaches the template — confirm that getCategory() rejects unknown values
 * or that the template escapes it.
 *
 * @NoCSRFRequired
 * @param string $category
 * @return TemplateResponse
 */
public function viewApps($category = '') {
    $categoryId = $this->getCategory($category);
    if ($categoryId === self::CAT_ENABLED) {
        // Do not use an arbitrary input string, because we put the category in html
        $category = 'enabled';
    }

    $templateParams = [
        'experimentalEnabled' => $this->config->getSystemValue('appstore.experimental.enabled', false),
        'category' => $category,
        'appstoreEnabled' => $this->config->getSystemValue('appstoreenabled', true) === true,
    ];
    $this->navigationManager->setActiveEntry('core_apps');

    $response = new TemplateResponse($this->appName, 'apps', $templateParams, 'user');

    // img-src additionally allows https://apps.owncloud.com.
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('https://apps.owncloud.com');
    $response->setContentSecurityPolicy($policy);

    return $response;
}
/**
 * viewApps() must read the experimental flag, activate the 'core_apps'
 * navigation entry and return the 'apps' template with a policy allowing
 * images from https://apps.owncloud.com.
 */
public function testViewApps() {
    $this->config
        ->expects($this->once())
        ->method('getSystemValue')
        ->with('appstore.experimental.enabled', false);
    $this->navigationManager
        ->expects($this->once())
        ->method('setActiveEntry')
        ->with('core_apps');

    $expectedPolicy = new ContentSecurityPolicy();
    $expectedPolicy->addAllowedImageDomain('https://apps.owncloud.com');

    $expected = new TemplateResponse('settings', 'apps', ['experimentalEnabled' => false], 'user');
    $expected->setContentSecurityPolicy($expectedPolicy);

    $actual = $this->appSettingsController->viewApps();
    $this->assertEquals($expected, $actual);
}