/**
 * Runs the security checks that gate a controller method call.
 *
 * Which checks apply is decided by the annotations on the target method:
 *  - PublicPage       skips the login and admin requirements
 *  - NoAdminRequired  skips the admin requirement (a login is still needed)
 *  - NoCSRFRequired   skips the CSRF token check
 * With no annotation the strictest combination applies: a logged-in admin
 * presenting a valid CSRF token. The CSRF check is enforced for public pages
 * as well unless they carry NoCSRFRequired. Finally the app has to be enabled.
 *
 * @param string $controller the controllername or string
 * @param string $methodName the name of the method
 * @throws SecurityException when a security check fails
 */
public function beforeController($controller, $methodName) {
    // Marks this app as the active navigation entry. Only meaningful for
    // regular HTML page loads, not for AJAX calls.
    $this->navigationManager->setActiveEntry($this->appName);

    $isPublicPage = $this->reflector->hasAnnotation('PublicPage');

    // Authentication: anything that is not explicitly public needs a session.
    if (!$isPublicPage && !$this->isLoggedIn) {
        throw new SecurityException('Current user is not logged in', Http::STATUS_UNAUTHORIZED);
    }

    // Authorization: admin rights are required unless the method opts out,
    // i.e. the default is deny.
    if (!$isPublicPage
        && !$this->reflector->hasAnnotation('NoAdminRequired')
        && !$this->isAdminUser) {
        throw new SecurityException('Logged in user must be an admin', Http::STATUS_FORBIDDEN);
    }

    // Register the CSRF token now because the session may be closed later in
    // the request. This happens even when the check itself is skipped.
    Util::callRegister();
    if (!$this->reflector->hasAnnotation('NoCSRFRequired') && !$this->request->passesCSRFCheck()) {
        throw new SecurityException('CSRF check failed', Http::STATUS_PRECONDITION_FAILED);
    }

    // FIXME: Use DI once available
    // The app must be enabled (isEnabled also covers whether the current user
    // is allowed to access it). Components such as settings use the
    // AppFramework without having an app path, so the check is limited to
    // apps for which getAppPath() resolves.
    if (\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) {
        throw new SecurityException('App is not enabled', Http::STATUS_PRECONDITION_FAILED);
    }
}
/**
 * Constructor
 *
 * Initialises the template engine for the requested layout, resolves the
 * active theme and the template file, and hands everything to the parent.
 *
 * @param string $app app providing the template
 * @param string $name of the template file (without suffix)
 * @param string $renderAs If $renderAs is set, OC_Template will try to
 *                         produce a full page in the according layout. For
 *                         now, $renderAs can be set to "guest", "user" or
 *                         "admin".
 * @param bool $registerCall = true whether to register the CSRF request token
 *                         and pass it to the template; only happens when a
 *                         session is available, otherwise the token is ''
 */
public function __construct($app, $name, $renderAs = "", $registerCall = true) {
    self::initTemplateEngine($renderAs);

    // Read the selected theme from the config file
    $activeTheme = OC_Util::getTheme();

    // A request token is only registered when a session exists and the
    // caller asked for one; the template otherwise receives an empty string.
    $requestToken = '';
    if (OC::$server->getSession() && $registerCall) {
        $requestToken = \OCP\Util::callRegister();
    }

    // $app may look like "core/lostpassword"; translations are keyed by the
    // first path segment.
    $appSegments = explode('/', $app);
    $l10n = \OC::$server->getL10N($appSegments[0]);
    $defaults = new OC_Defaults();

    list($path, $template) = $this->findTemplate($activeTheme, $app, $name);

    // Keep what later rendering needs
    $this->renderAs = $renderAs;
    $this->path = $path;
    $this->app = $app;

    parent::__construct($template, $requestToken, $l10n, $defaults);
}
$tmpl->printPage(); exit; } } else { // Check if item id is set in session if (!\OC::$server->getSession()->exists('public_link_authenticated') || \OC::$server->getSession()->get('public_link_authenticated') !== $linkItem['id']) { // Prompt for password OCP\Util::addStyle('files_sharing', 'authenticate'); $tmpl = new OCP\Template('files_sharing', 'authenticate', 'guest'); $tmpl->assign('URL', $url); $tmpl->printPage(); exit; } } } // render template $tmpl = new \OCP\Template('gallery', 'public', 'base'); OCP\Util::addScript('gallery', 'album'); OCP\Util::addScript('gallery', 'gallery'); OCP\Util::addScript('gallery', 'thumbnail'); OCP\Util::addStyle('gallery', 'public'); $tmpl->assign('token', $token); $tmpl->assign('requesttoken', \OCP\Util::callRegister()); $tmpl->assign('displayName', $ownerDisplayName); $tmpl->assign('albumName', $albumName); $tmpl->printPage(); exit; } } $tmpl = new OCP\Template('', '404', 'guest'); $tmpl->printPage();
/**
 * Builds the attribute(s) for the logout hyperlink.
 *
 * When an active backend is in use it supplies the attribute itself.
 * Otherwise the link points at the absolute URL of the core logout route and
 * carries the CSRF request token as a query parameter (so that the logout
 * handler can, presumably, reject forced logouts from third-party pages).
 * NOTE(review): a token in a URL is exposed to Referer headers and access
 * logs; keep the logout token short-lived if that matters for your deployment.
 *
 * @return string with one or more HTML attributes valid for <a>.
 */
public static function getLogoutAttribute() {
    $activeBackend = self::findFirstActiveUsedBackend();
    if ($activeBackend) {
        return $activeBackend->getLogoutAttribute();
    }

    $logoutParams = ['requesttoken' => \OCP\Util::callRegister()];
    $logoutUrl = \OC::$server->getURLGenerator()
        ->linkToRouteAbsolute('core.login.logout', $logoutParams);

    return 'href="' . $logoutUrl . '"';
}
/**
 * Builds the attribute(s) for the logout hyperlink.
 *
 * When an active backend is in use it supplies the attribute itself.
 * Otherwise an href to index.php with '?logout=true' is produced, carrying
 * the URL-encoded CSRF request token so the logout can be tied to this
 * session. NOTE(review): the '&' is emitted raw inside the attribute value;
 * browsers accept it, but strict HTML would want '&amp;'.
 *
 * @return string with one or more HTML attributes valid for <a>.
 */
public static function getLogoutAttribute() {
    $activeBackend = self::findFirstActiveUsedBackend();
    if ($activeBackend) {
        return $activeBackend->getLogoutAttribute();
    }

    $indexUrl = link_to('', 'index.php');
    $encodedToken = urlencode(\OCP\Util::callRegister());
    $logoutUrl = $indexUrl . '?logout=true&requesttoken=' . $encodedToken;

    return 'href="' . $logoutUrl . '"';
}
$c = $app->getContainer();

// Request paths for which the Shibboleth backend must NOT be activated
// (public/unauthenticated endpoints, static assets, OCS). The list comes from:
// https://doc.owncloud.com/server/8.2/admin_manual/enterprise_user_management/user_auth_shibboleth.html#apache-configuration
// Each entry is matched case-insensitively against the request URI right after
// the leading slash; entries ending in "$" have to match up to the end.
// NOTE(review): the patterns assume the instance is served from the web root
// ("/status.php", ...); behind a sub-path none of them would match and the
// backend would be registered for every request.
$shibExemptPaths = array(
    'status.php',
    'remote.php',
    'index.php/s/',
    'public.php',
    'cron.php',
    'core/img/',
    'index.php/apps/files_sharing/ajax/publicpreview.php$',
    'index.php/apps/files/ajax/upload.php$',
    'apps/files/templates/fileexists.html$',
    'index.php/apps/files/ajax/mimeicon.php$',
    'apps/gallery/templates/slideshow.html$',
    'index.php/apps/gallery/ajax/getimages.php',
    'index.php/apps/gallery/ajax/thumbnail.php',
    'index.php/apps/gallery/ajax/image.php',
    '.*\\.css$',
    '.*\\.js$',
    '.*\\.woff$',
    'index.php/settings/personal/changepassword',
    'ocs',
);
$nonShibUrls = '^/(' . implode('|', $shibExemptPaths) . ')';
// "/" doubles as the PCRE delimiter, so escape it inside the pattern.
$nonShibRegex = '/' . str_replace('/', '\\/', $nonShibUrls) . '/i';

$request = $c->query('Request');
$requestUri = $request->getRequestUri();

if (!\OC::$CLI && !preg_match($nonShibRegex, $requestUri)) {
    // Shibboleth is responsible for this request: expose the user backend
    // and its hooks.
    $c->query('UserManager')->registerBackend($c->query('UserBackend'));
    $c->query('UserHooks')->register();
    $c->query('UserHooks')->registerPostSetPassword();

    // Login URL for the login page. An incoming redirect_url is forwarded as
    // received (the login route has to validate it against open redirects;
    // that code is not visible here) and the CSRF request token is attached.
    $urlGen = $c->query('URLGenerator');
    $urlParams = $request->getParams();
    $loginParams = array();
    if (array_key_exists('redirect_url', $urlParams)) {
        $loginParams['redirect_url'] = $urlParams['redirect_url'];
    }
    $loginParams['requesttoken'] = \OCP\Util::callRegister();
    $loginRoute = $urlGen->linkToRoute('user_shib.session.login', $loginParams);

    // Templates registration
    // TODO: Couldn't find an \OCP way for achieving this
    \OC_App::registerLogIn(array('name' => 'Shibboleth Login', 'href' => $loginRoute));
    \OCP\App::registerAdmin($c->query('AppName'), 'admin');
    \OCP\App::registerPersonal($c->query('AppName'), 'personal');
} elseif ($requestUri === '/index.php/settings/personal/changepassword') {
    // Reached when the URI is on the exemption list above (or on the CLI):
    // the change-password page still needs the post-set-password hook.
    // NOTE(review): if getRequestUri() includes the query string, this exact
    // comparison -- and the "$"-anchored entries above -- will not match
    // requests that carry parameters; confirm against Request::getRequestUri().
    $c->query('UserHooks')->registerPostSetPassword();
}
/**
 * Builds the attribute added to the logout hyperlink.
 *
 * Produces an href to index.php with '?logout=true' and the URL-encoded CSRF
 * request token, so the logout request can be tied to the current session.
 * NOTE(review): the '&' is emitted raw inside the attribute value; browsers
 * accept it, but strict HTML would want '&amp;'.
 *
 * @return string with one or more HTML attributes valid for <a>.
 */
public function getLogoutAttribute() {
    $indexUrl = link_to('', 'index.php');
    $encodedToken = urlencode(\OCP\Util::callRegister());
    $logoutUrl = $indexUrl . '?logout=true&requesttoken=' . $encodedToken;

    return 'href="' . $logoutUrl . '"';
}