When hitting the `/contactsmenu/contacts` endpoint with the `dav.system_addressbook_exposed` config switch set to `"no"`, the system address book content is still listed in the response.
This ensure that we do not expose unexpectedly the system address book.
Signed-off-by: Louis Chmn <louis@chmn.me>
The Theming app injects the stylesheets for the different themes in the
"<header>" element of the page, and those stylesheets are then loaded by
the browser from a "Controller" (a plain "Controller", not an
"OCSController"). The stylesheets, in turn, may also get some images
(like the background) also from the "Controller".
When handling a request to "index.php" it is checked whether the user is
logged in and, if not, a login is tried. A disabled user is explicitly
seen as not logged in, so a login is always tried in that case, but
disabled users are also explicitly prevented to log in, so the login
also fails. Due to that trying to get any of the themed stylesheets or
images with a disabled account (to be able to show the "Account
disabled" error page) fails with an HTTP status 401.
To solve that, and to avoid touching this basic logic as much as
possible, the login exception is now ignored (if the user is disabled)
for some specific requests to the Theming app.
The clouds.jpg file was not available in stable30, so the file and its
license were copied from the commit that introduced them in newer
branches, 19ce362896.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
A filename must be less or equal 255 characters, but when adding the
`.part` and `.ocfiletransfer` extensions we might overflow this limit.
So we should also use filename hashes for uploading when the file has a
long filename, similar like when we are uploading to the user storage
directly.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
When a user receives a share with share-permissions but also with
download restrictions (hide download or the modern download permission attribute),
then re-shares of that share must always also include those restrictions.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Given:
User creates a link or email share with permissions=4 (create only = file drop).
Problem:
Currently the permissions are automatically extended to permissions = 5
(READ + CREATE). Work around was to create the share and directly update
it.
Solution:
Respect what the user is requesting, create a file drop share.
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
When we need to check the log condition for a user matches,
there is a risk that something on the way checks the log level
and would result in an infinite loop.
So we simply check if it's a nested call and use the default
warning level in that case.
Signed-off-by: Joas Schilling <coding@schilljs.com>
`GET` should be allowed even without Ajax header to allow downloading files,
or show files in the viewer. All other requests could be guarded, but this should not.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
When updating global storages and user storages a property is not
updated by "StoragesService::updateStorage()" if the value matches the
unmodified placeholder. However, userglobal storages are not updated
through the "StoragesService"; as only the authentication mechanism is
updated it is directly done with "saveBackendOptions()" in
"IUserProvided" or "UserGlobalAuth". Due to this the unmodified
placeholder value needs to be explicitly checked in those cases and
replaced by the actual value (note that in this case it is not possible
to just skip updating a specific property).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
As the external storage uses the Nextcloud server itself the number of
workers of the PHP process running the Nextcloud server had to be
increased. Otherwise if a request is sent for the external storage while
handling a request from the integration tests a deadlock would occur.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Allow clients to access the new filename validation options
and make frontend name validation possible.
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: Kate <26026535+provokateurin@users.noreply.github.com>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
