(feat) added AngularJS's XSRF support (#3246)
parent
2da7a04bac
commit
582baf2960
1
NEWS
1
NEWS
|
@ -5,6 +5,7 @@ New features
|
|||
- [core] new database structure options to make SOGo use a total of nine tables
|
||||
- [core] new user-based rate-limiting support for all SOGo requests (#3188)
|
||||
- [web] toolbar of all-day events can be expanded to display all events
|
||||
- [web] added AngularJS's XSRF support (#3246)
|
||||
|
||||
Enhancements
|
||||
- [web] updated Angular Material to version 1.0.6
|
||||
|
|
|
@ -65,6 +65,7 @@
|
|||
|
||||
- (BOOL) uixDebugEnabled;
|
||||
- (BOOL) easDebugEnabled;
|
||||
- (BOOL) xsrfValidationEnabled;
|
||||
|
||||
- (NSString *) pageTitle;
|
||||
- (NSString *) helpURL;
|
||||
|
|
|
@ -430,6 +430,18 @@ _injectConfigurationFromFile (NSMutableDictionary *defaultsDict,
|
|||
return [self boolForKey: @"SOGoEASDebugEnabled"];
|
||||
}
|
||||
|
||||
- (BOOL) xsrfValidationEnabled
|
||||
{
|
||||
id o;
|
||||
|
||||
if (!(o = [self objectForKey: @"SOGoXSRFValidationEnabled"]))
|
||||
{
|
||||
return YES;
|
||||
}
|
||||
|
||||
return [o boolValue];
|
||||
}
|
||||
|
||||
- (NSString *) pageTitle
|
||||
{
|
||||
return [self stringForKey: @"SOGoPageTitle"];
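Review bot: The default-on behaviour of `xsrfValidationEnabled` (L73-L101) is only implied by the `objectForKey:` nil test, and neither the method nor its declaration at L48 says so. A one-line comment above the method, `// Defaults to YES: a missing SOGoXSRFValidationEnabled key keeps validation on (boolForKey: would default to NO)`, would keep a later cleanup from collapsing it to `return [self boolForKey: @"SOGoXSRFValidationEnabled"];` and silently disabling the check for every deployment that never set the key.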
|
||||
|
|
|
@ -21,7 +21,7 @@ CommonUI_OBJC_FILES += \
|
|||
UIxTopnavToolbar.m \
|
||||
UIxToolbar.m \
|
||||
\
|
||||
WODirectAction+SOGo.m \
|
||||
SOGoDirectAction.m \
|
||||
|
||||
CommonUI_RESOURCE_FILES += \
|
||||
product.plist
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* WODirectAction+SOGo.h - this file is part of SOGo
|
||||
/* SOGoDirectAction.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2015 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -26,7 +26,7 @@
|
|||
@class NSString;
|
||||
@class WOResponse, WOResourceManager;
|
||||
|
||||
@interface WODirectAction (SOGoExtension)
|
||||
@interface SOGoDirectAction : WODirectAction
|
||||
|
||||
- (WOResponse *) responseWithStatus: (unsigned int) status;
|
||||
- (WOResponse *) responseWithStatus: (unsigned int) status
|
|
@ -1,6 +1,6 @@
|
|||
/* WODirectAction+SOGo.m - this file is part of SOGo
|
||||
/* SOGoDirectAction - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2015 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -26,15 +26,19 @@
|
|||
|
||||
#import <SoObjects/SOGo/NSObject+Utilities.h>
|
||||
#import <SoObjects/SOGo/NSDictionary+Utilities.h>
|
||||
#import <SoObjects/SOGo/NSString+Crypto.h>
|
||||
#import <SoObjects/SOGo/NSString+Utilities.h>
|
||||
#import <SoObjects/SOGo/SOGoSession.h>
|
||||
#import <SoObjects/SOGo/SOGoSystemDefaults.h>
|
||||
#import <SoObjects/SOGo/SOGoWebAuthenticator.h>
|
||||
|
||||
#import <NGExtensions/NSObject+Logs.h>
|
||||
|
||||
#import "WODirectAction+SOGo.h"
|
||||
#import "SOGoDirectAction.h"
|
||||
|
||||
static SoProduct *commonProduct = nil;
|
||||
|
||||
@implementation WODirectAction (SOGoExtension)
|
||||
@implementation SOGoDirectAction
|
||||
|
||||
+ (void) initialize
|
||||
{
|
||||
|
@ -205,4 +209,34 @@ static SoProduct *commonProduct = nil;
|
|||
return url;
|
||||
}
|
||||
|
||||
//
|
||||
// Protection against XSRF
|
||||
//
|
||||
- (id<WOActionResults>)performActionNamed:(NSString *)_actionName
|
||||
{
|
||||
SOGoWebAuthenticator *auth;
|
||||
NSString *value, *token;
|
||||
NSArray *creds;
|
||||
|
||||
if (![[SOGoSystemDefaults sharedSystemDefaults] xsrfValidationEnabled])
|
||||
return [super performActionNamed: _actionName];
|
||||
|
||||
// We grab the X-XSRF-TOKEN header
|
||||
token = [[context request] headerForKey: @"X-XSRF-TOKEN"];
|
||||
|
||||
// We compare it with our session key
|
||||
auth = [[WOApplication application]
|
||||
authenticatorInContext: context];
|
||||
value = [[context request]
|
||||
cookieValueForKey: [auth cookieNameInContext: context]];
|
||||
creds = [auth parseCredentials: value];
|
||||
|
||||
value = [SOGoSession valueForSessionKey: [creds lastObject]];
|
||||
|
||||
if ([token isEqualToString: [value asSHA1String]])
|
||||
return [super performActionNamed: _actionName];
|
||||
|
||||
return nil;
|
||||
}
|
||||
|
||||
@end
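Review bot: The failure branch of `performActionNamed:` (`return nil;`, L375) rejects the request silently, with no log entry and no explicit HTTP status, so a forged, stale or missing token is indistinguishable from a nonexistent action to both the operator and the client. Returning a definite status, e.g. `[self logWithFormat: @"XSRF token mismatch for action '%@'", _actionName]; return [self responseWithStatus: 403];` (`responseWithStatus:` is declared on the class at L194, `logWithFormat:` comes from NSObject+Logs.h imported at L256), makes rejections visible and gives the AngularJS client a response to react to. The comparison `[token isEqualToString: [value asSHA1String]]` (L367) is a plain string compare rather than constant-time; since the token is a hash of the session key the leak is weak, but a constant-time compare costs nothing here. The same method body appears again in UIxComponent.m (L2218-L2310); a single helper on SOGoWebAuthenticator or SOGoSession would keep the two verifiers from drifting apart.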
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxFolderActions.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2014 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -30,7 +30,9 @@
|
|||
@class SOGoGCSFolder;
|
||||
@class SOGoUserSettings;
|
||||
|
||||
@interface UIxFolderActions : WODirectAction
|
||||
#include "SOGoDirectAction.h"
|
||||
|
||||
@interface UIxFolderActions : SOGoDirectAction
|
||||
{
|
||||
SOGoGCSFolder *clientObject;
|
||||
LDAPUserManager *um;
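Review bot: `#include "SOGoDirectAction.h"` (L425) pulls in an Objective-C header through the plain C preprocessor directive, while the rest of the commit uses `#import` for the same header (L1029, L1159, L1274), which is what protects against double inclusion. Unless SOGoDirectAction.h carries its own include guard (not visible in this diff), a second inclusion via another header produces duplicate `@interface` errors; `#import "SOGoDirectAction.h"` is the safe form. The same `#include` is used in UIxObjectActions.h (L538) and UIxParentFolderActions.h (L632).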
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxFolderActions.m - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2015 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -42,8 +42,6 @@
|
|||
|
||||
#import <Appointments/SOGoAppointmentFolder.h>
|
||||
|
||||
#import "WODirectAction+SOGo.h"
|
||||
|
||||
#import "UIxFolderActions.h"
|
||||
|
||||
@implementation UIxFolderActions
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
/* UIxObjectActions.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007 Inverse inc.
|
||||
*
|
||||
* Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -23,10 +21,11 @@
|
|||
#ifndef UIXOBJECTACTIONS_H
|
||||
#define UIXOBJECTACTIONS_H
|
||||
|
||||
#include "SOGoDirectAction.h"
|
||||
|
||||
@class WOResponse;
|
||||
|
||||
@interface UIxObjectActions : WODirectAction
|
||||
@interface UIxObjectActions : SOGoDirectAction
|
||||
|
||||
- (WOResponse *) addUserInAclsAction;
|
||||
|
||||
|
|
|
@ -30,8 +30,6 @@
|
|||
|
||||
#import <SOGo/NSDictionary+Utilities.h>
|
||||
|
||||
#import "WODirectAction+SOGo.h"
|
||||
|
||||
#import "UIxObjectActions.h"
|
||||
|
||||
@implementation UIxObjectActions
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
/* UIxParentFolderActions.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007 Inverse inc.
|
||||
*
|
||||
* Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -23,8 +21,9 @@
|
|||
#ifndef UIXPARENTFOLDERACTIONS_H
|
||||
#define UIXPARENTFOLDERACTIONS_H
|
||||
|
||||
#include "SOGoDirectAction.h"
|
||||
|
||||
@interface UIxParentFolderActions : WODirectAction
|
||||
@interface UIxParentFolderActions : SOGoDirectAction
|
||||
@end
|
||||
|
||||
#endif /* UIXPARENTFOLDERACTIONS_H */
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxParentFolderActions.m - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2015 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -29,8 +29,6 @@
|
|||
#import <SOGo/NSDictionary+Utilities.h>
|
||||
#import <SOGo/NSString+Utilities.h>
|
||||
|
||||
#import <UI/Common/WODirectAction+SOGo.h>
|
||||
|
||||
#import "UIxParentFolderActions.h"
|
||||
|
||||
@implementation UIxParentFolderActions
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
/* UIxContactActions.m - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2010 Inverse inc.
|
||||
*
|
||||
* Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
|
||||
* Copyright (C) 2010-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -30,7 +28,7 @@
|
|||
|
||||
#import <Contacts/SOGoContactGCSEntry.h>
|
||||
|
||||
#import <Common/WODirectAction+SOGo.h>
|
||||
#import <Common/SOGoDirectAction.h>
|
||||
|
||||
@interface NGVCard (SOGoActionCategory)
|
||||
|
||||
|
@ -80,7 +78,7 @@
|
|||
|
||||
@end
|
||||
|
||||
@interface UIxContactActions : WODirectAction
|
||||
@interface UIxContactActions : SOGoDirectAction
|
||||
|
||||
- (WOResponse *) setCategoryAction;
|
||||
- (WOResponse *) unsetCategoryAction;
|
||||
|
|
|
@ -1,34 +1,35 @@
|
|||
/*
|
||||
Copyright (C) 2004-2005 SKYRIX Software AG
|
||||
|
||||
This file is part of OpenGroupware.org.
|
||||
|
||||
OGo is free software; you can redistribute it and/or modify it under
|
||||
the terms of the GNU Lesser General Public License as published by the
|
||||
Free Software Foundation; either version 2, or (at your option) any
|
||||
later version.
|
||||
|
||||
OGo is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||
WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
|
||||
License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public
|
||||
License along with OGo; see the file COPYING. If not, write to the
|
||||
Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA
|
||||
02111-1307, USA.
|
||||
Copyright (C) 2006-2016 Inverse inc.
|
||||
|
||||
This file is part of SOGo.
|
||||
|
||||
SOGo is free software; you can redistribute it and/or modify it under
|
||||
the terms of the GNU Lesser General Public License as published by the
|
||||
Free Software Foundation; either version 2, or (at your option) any
|
||||
later version.
|
||||
|
||||
SOGo is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||
WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
|
||||
License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public
|
||||
License along with SOGo; see the file COPYING. If not, write to the
|
||||
Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA
|
||||
02111-1307, USA.
|
||||
*/
|
||||
|
||||
#ifndef __UIxContactsListActions_H__
|
||||
#define __UIxContactsListActions_H__
|
||||
|
||||
#import <Common/SOGoDirectAction.h>
|
||||
|
||||
@class NSDictionary;
|
||||
@class NSString;
|
||||
|
||||
@protocol SOGoContactObject;
|
||||
|
||||
@interface UIxContactsListActions : WODirectAction
|
||||
@interface UIxContactsListActions : SOGoDirectAction
|
||||
{
|
||||
NSDictionary *currentContact;
|
||||
|
||||
|
|
|
@ -37,9 +37,6 @@
|
|||
#import <EOControl/EOQualifier.h>
|
||||
#import <EOControl/EOSortOrdering.h>
|
||||
|
||||
#import <Common/WODirectAction+SOGo.h>
|
||||
|
||||
|
||||
#import <SOGo/SOGoUser.h>
|
||||
#import <SOGo/SOGoUserSettings.h>
|
||||
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
/* UIxMailPartICalActions.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007 Inverse inc.
|
||||
*
|
||||
* Author: Wolfgang Sourdeau <wsourdeau@inverse.ca>
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -23,12 +21,13 @@
|
|||
#ifndef UIXMAILPARTICALACTIONS_H
|
||||
#define UIXMAILPARTICALACTIONS_H
|
||||
|
||||
|
||||
@class iCalCalendar;
|
||||
@class SOGoMailBodyPart;
|
||||
@class WOResponse;
|
||||
|
||||
@interface UIxMailPartICalActions : WODirectAction
|
||||
#import <UI/Common/SOGoDirectAction.h>
|
||||
|
||||
@interface UIxMailPartICalActions : SOGoDirectAction
|
||||
|
||||
- (WOResponse *) acceptAction;
|
||||
- (WOResponse *) declineAction;
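Review bot: The new `#import <UI/Common/SOGoDirectAction.h>` (L1029) is placed between the `@class` forward declarations and the `@interface` instead of with the header's other preprocessor lines directly under the include guard (L1005-L1008). Moving it up keeps the forward-declaration block contiguous and matches how the other headers in this commit do it (L1159, L1274, L1334). UIxMailListActions.h has the same placement (L1565).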
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxMailPartICalActions.m - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2015 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -32,8 +32,6 @@
|
|||
|
||||
#import <NGCards/iCalCalendar.h>
|
||||
|
||||
#import <UI/Common/WODirectAction+SOGo.h>
|
||||
|
||||
#import <NGImap4/NGImap4EnvelopeAddress.h>
|
||||
|
||||
#import <Appointments/iCalEvent+SOGo.h>
|
||||
|
@ -239,7 +237,6 @@
|
|||
WOResponse *response;
|
||||
SOGoAppointmentObject *eventObject;
|
||||
iCalEvent *chosenEvent;
|
||||
//NSException *ex;
|
||||
|
||||
chosenEvent = [self _setupChosenEventAndEventObject: &eventObject];
|
||||
if (chosenEvent)
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxMailAccountActions.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2013 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -21,10 +21,11 @@
|
|||
#ifndef UIXMAILACCOUNTACTIONS_H
|
||||
#define UIXMAILACCOUNTACTIONS_H
|
||||
|
||||
#import <UI/Common/SOGoDirectAction.h>
|
||||
|
||||
@class WOResponse;
|
||||
|
||||
@interface UIxMailAccountActions : WODirectAction
|
||||
@interface UIxMailAccountActions : SOGoDirectAction
|
||||
{
|
||||
}
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxMailAccountActions.m - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2014 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -34,8 +34,6 @@
|
|||
#import <SOGo/SOGoDomainDefaults.h>
|
||||
#import <SOGo/SOGoUser.h>
|
||||
|
||||
#import "../Common/WODirectAction+SOGo.h"
|
||||
|
||||
#import "UIxMailAccountActions.h"
|
||||
|
||||
@implementation UIxMailAccountActions
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxMailActions.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2013 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -21,8 +21,9 @@
|
|||
#ifndef UIXMAILACTIONS_H
|
||||
#define UIXMAILACTIONS_H
|
||||
|
||||
#import <UI/Common/SOGoDirectAction.h>
|
||||
|
||||
@interface UIxMailActions : WODirectAction
|
||||
@interface UIxMailActions : SOGoDirectAction
|
||||
@end
|
||||
|
||||
#endif /* UIXMAILACTIONS_H */
|
||||
|
|
|
@ -37,8 +37,6 @@
|
|||
#import <SoObjects/SOGo/SOGoUserSettings.h>
|
||||
#import <SoObjects/SOGo/SOGoUserDefaults.h>
|
||||
|
||||
#import "../Common/WODirectAction+SOGo.h"
|
||||
|
||||
#import "UIxMailActions.h"
|
||||
|
||||
@implementation UIxMailActions
|
||||
|
|
|
@ -21,10 +21,11 @@
|
|||
#ifndef UIXMAILFOLDERACTIONS_H
|
||||
#define UIXMAILFOLDERACTIONS_H
|
||||
|
||||
#import <UI/Common/SOGoDirectAction.h>
|
||||
|
||||
@class WOResponse;
|
||||
|
||||
@interface UIxMailFolderActions : WODirectAction
|
||||
@interface UIxMailFolderActions : SOGoDirectAction
|
||||
|
||||
- (id <WOActionResults>) createFolderAction;
|
||||
- (WOResponse *) renameFolderAction;
|
||||
|
|
|
@ -38,8 +38,6 @@
|
|||
#import <SOGo/SOGoUser.h>
|
||||
#import <SOGo/SOGoUserSettings.h>
|
||||
|
||||
#import <UI/Common/WODirectAction+SOGo.h>
|
||||
|
||||
#import "UIxMailFolderActions.h"
|
||||
|
||||
@implementation UIxMailFolderActions
|
||||
|
@ -225,7 +223,6 @@
|
|||
SOGoUserSettings *us;
|
||||
WOResponse *response;
|
||||
NSException *error;
|
||||
|
||||
BOOL moved;
|
||||
|
||||
co = [self clientObject];
|
||||
|
@ -380,20 +377,20 @@
|
|||
response = nil;
|
||||
|
||||
if ([value length] > 0)
|
||||
{
|
||||
uids = [value componentsSeparatedByString: @","];
|
||||
response = [co archiveUIDs: uids
|
||||
inArchiveNamed: [self labelForKey: @"Saved Messages.zip" inContext: context]
|
||||
inContext: context];
|
||||
if (!response)
|
||||
response = [self responseWith204];
|
||||
}
|
||||
{
|
||||
uids = [value componentsSeparatedByString: @","];
|
||||
response = [co archiveUIDs: uids
|
||||
inArchiveNamed: [self labelForKey: @"Saved Messages.zip" inContext: context]
|
||||
inContext: context];
|
||||
if (!response)
|
||||
response = [self responseWith204];
|
||||
}
|
||||
else
|
||||
{
|
||||
jsonResponse = [NSDictionary dictionaryWithObject: [self labelForKey: @"Missing 'uid' parameter." inContext: context]
|
||||
forKey: @"message"];
|
||||
response = [self responseWithStatus: 500 andJSONRepresentation: jsonResponse];
|
||||
}
|
||||
{
|
||||
jsonResponse = [NSDictionary dictionaryWithObject: [self labelForKey: @"Missing 'uid' parameter." inContext: context]
|
||||
forKey: @"message"];
|
||||
response = [self responseWithStatus: 500 andJSONRepresentation: jsonResponse];
|
||||
}
|
||||
|
||||
return response;
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
/*
|
||||
Copyright (C) 2004-2005 SKYRIX Software AG
|
||||
Copyright (C) 2004-2014 Inverse inc
|
||||
Copyright (C) 2004-2016 Inverse inc
|
||||
|
||||
This file is part of SOGo.
|
||||
|
||||
|
@ -23,13 +22,14 @@
|
|||
#ifndef UIXMAILLISTACTIONS_H
|
||||
#define UIXMAILLISTACTIONS_H
|
||||
|
||||
|
||||
@class NSDictionary;
|
||||
@class EOQualifier;
|
||||
@class SOGoDateFormatter;
|
||||
@class UIxMailSizeFormatter;
|
||||
|
||||
@interface UIxMailListActions : WODirectAction
|
||||
#import <UI/Common/SOGoDirectAction.h>
|
||||
|
||||
@interface UIxMailListActions : SOGoDirectAction
|
||||
{
|
||||
NSArray *sortedUIDs; /* we always need to retrieve all anyway! */
|
||||
NSArray *messages;
|
||||
|
|
|
@ -58,7 +58,6 @@
|
|||
#import <SOGo/SOGoUserSettings.h>
|
||||
#import <SOGo/WOResourceManager+SOGo.h>
|
||||
|
||||
#import <UI/Common/WODirectAction+SOGo.h>
|
||||
#import <UI/MailPartViewers/UIxMailSizeFormatter.h>
|
||||
|
||||
#import "WOContext+UIxMailer.h"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxMailSourceView.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2015 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -21,8 +21,9 @@
|
|||
#ifndef UIXMAILSOURCEVIEW_H
|
||||
#define UIXMAILSOURCEVIEW_H
|
||||
|
||||
#import <UI/Common/SOGoDirectAction.h>
|
||||
|
||||
@interface UIxMailSourceView : WODirectAction
|
||||
@interface UIxMailSourceView : SOGoDirectAction
|
||||
|
||||
@end
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxMailSourceView.m - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2015 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -23,8 +23,6 @@
|
|||
|
||||
#import <SoObjects/Mailer/SOGoMailObject.h>
|
||||
|
||||
#import <UI/Common/WODirectAction+SOGo.h>
|
||||
|
||||
#import "UIxMailSourceView.h"
|
||||
|
||||
@implementation UIxMailSourceView
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
Copyright (C) 2014 Inverse inc.
|
||||
Copyright (C) 2014-2016 Inverse inc.
|
||||
|
||||
This file is part of SOGo.
|
||||
|
||||
|
@ -23,10 +23,11 @@
|
|||
#import <SOGo/SOGoCache.h>
|
||||
#import <SOGo/NSObject+Utilities.h>
|
||||
|
||||
#import <NGObjWeb/NSException+HTTP.h>
|
||||
#import <NGObjWeb/WOContext.h>
|
||||
#import <NGObjWeb/WODirectAction.h>
|
||||
#import <NGObjWeb/NSException+HTTP.h>
|
||||
#import <NGObjWeb/WOResponse.h>
|
||||
|
||||
#import <Common/WODirectAction+SOGo.h>
|
||||
#import <ActiveSync/SOGoActiveSyncDispatcher.h>
|
||||
|
||||
@interface SOGoMicrosoftActiveSyncActions : WODirectAction
|
||||
|
@ -47,7 +48,9 @@
|
|||
Class clazz;
|
||||
|
||||
request = (WORequest *)[context request];
|
||||
response = [self responseWithStatus: 200];
|
||||
response = [context response];
|
||||
[response setStatus: 200];
|
||||
[response setHeader: @"text/plain; charset=utf-8" forKey: @"content-type"];
|
||||
|
||||
bundle = [NSBundle bundleForClass: NSClassFromString(@"ActiveSyncProduct")];
|
||||
clazz = [bundle classNamed: @"SOGoActiveSyncDispatcher"];
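Review bot: `response = [context response]` (L1792) replaces a freshly built response with the one already attached to the context, so any header or content written to it earlier in the request pipeline now reaches the client unchanged; confirm nothing upstream touches it before this point. Since this class keeps `WODirectAction` as its superclass (L1774) it is deliberately outside the new XSRF check, which is the right call for ActiveSync clients that never send the `X-XSRF-TOKEN` header, but that should be stated next to the `@interface` so a later hardening pass does not "fix" it: `// Intentionally not a SOGoDirectAction: ActiveSync clients do not send X-XSRF-TOKEN.` The enclosing action method starts outside the hunk.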
|
||||
|
|
|
@ -36,6 +36,7 @@
|
|||
|
||||
#import <Appointments/SOGoAppointmentFolders.h>
|
||||
|
||||
#import <SOGo/NSString+Crypto.h>
|
||||
#import <SOGo/NSString+Utilities.h>
|
||||
#import <SOGo/SOGoBuild.h>
|
||||
#import <SOGo/SOGoCache.h>
|
||||
|
@ -170,14 +171,14 @@
|
|||
{
|
||||
WOResponse *response;
|
||||
WORequest *request;
|
||||
WOCookie *authCookie;
|
||||
WOCookie *authCookie, *xsrfCookie;
|
||||
SOGoWebAuthenticator *auth;
|
||||
SOGoAppointmentFolders *calendars;
|
||||
SOGoUserDefaults *ud;
|
||||
SOGoUser *loggedInUser;
|
||||
NSDictionary *params;
|
||||
NSString *username, *password, *language, *domain, *remoteHost;
|
||||
NSArray *supportedLanguages;
|
||||
NSArray *supportedLanguages, *creds;
|
||||
|
||||
SOGoPasswordPolicyError err;
|
||||
int expire, grace;
|
||||
|
@ -232,6 +233,13 @@
|
|||
inContext: context];
|
||||
[response addCookie: authCookie];
|
||||
|
||||
// We prepare the XSRF protection cookie
|
||||
creds = [auth parseCredentials: [authCookie value]];
|
||||
xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
|
||||
value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
|
||||
[xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
|
||||
[response addCookie: xsrfCookie];
|
||||
|
||||
supportedLanguages = [[SOGoSystemDefaults sharedSystemDefaults]
|
||||
supportedLanguages];
|
||||
loggedInUser = [SOGoUser userWithLogin: username];
|
||||
|
@ -540,8 +548,8 @@
|
|||
- (WOResponse *) changePasswordAction
|
||||
{
|
||||
NSString *username, *domain, *password, *newPassword, *value;
|
||||
WOCookie *authCookie, *xsrfCookie;
|
||||
NSDictionary *message;
|
||||
WOCookie *authCookie;
|
||||
NSArray *creds;
|
||||
SOGoUserManager *um;
|
||||
SOGoPasswordPolicyError error;
|
||||
|
@ -592,6 +600,12 @@
|
|||
andPassword: newPassword
|
||||
inContext: context];
|
||||
[response addCookie: authCookie];
|
||||
|
||||
// We update the XSRF protection cookie
|
||||
creds = [auth parseCredentials: [authCookie value]];
|
||||
xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN"
|
||||
value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
|
||||
[response addCookie: xsrfCookie];
|
||||
}
|
||||
else
|
||||
response = [self _responseWithLDAPPolicyError: error];
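Review bot: The XSRF cookie issued by `changePasswordAction` (L1978-L1984) is added without the `setPath:` call that `connectAction` uses (L1909), so the browser scopes it to the default path of the change-password request rather than `/<app>/` and the client can end up holding two `XSRF-TOKEN` cookies on different paths; add `[xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];` before `[response addCookie: xsrfCookie];`. Neither cookie sets the secure flag; if `authCookie` is marked secure where it is built (not visible in the hunk) the XSRF cookie should match so it is never sent in clear. The cookie has to stay readable by script for AngularJS, so HttpOnly is not an option, and what makes that acceptable is that the value is a SHA-1 of the session key rather than the key itself (L1906) — a comment saying so at L1897 would stop a later reviewer from adding HttpOnly and breaking the client. Both `connectAction` and `changePasswordAction` begin outside their hunks.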
|
||||
|
|
|
@ -455,8 +455,8 @@
|
|||
|
||||
- (id <WOActionResults>) logoffAction
|
||||
{
|
||||
SOGoWebAuthenticator *auth;
|
||||
NSString *userName, *value;
|
||||
SOGoWebAuthenticator *auth;
|
||||
WOResponse *response;
|
||||
NSCalendarDate *date;
|
||||
WOCookie *cookie;
|
||||
|
@ -486,6 +486,12 @@
|
|||
if (cookie)
|
||||
[response addCookie: cookie];
|
||||
|
||||
// We remove the XSRF cookie
|
||||
cookie = [WOCookie cookieWithName: @"XSRF-TOKEN" value: @"discard"];
|
||||
[cookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
|
||||
[cookie setExpires: [date yesterday]];
|
||||
[response addCookie: cookie];
|
||||
|
||||
[response setHeader: [date rfc822DateString] forKey: @"Last-Modified"];
|
||||
[response setHeader: @"no-store, no-cache, must-revalidate,"
|
||||
@" max-age=0, post-check=0, pre-check=0"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxJSONPreferences.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2007-2015 Inverse inc.
|
||||
* Copyright (C) 2007-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -21,8 +21,9 @@
|
|||
#ifndef UIXJSONPREFERENCES_H
|
||||
#define UIXJSONPREFERENCES_H
|
||||
|
||||
#import <UI/Common/SOGoDirectAction.h>
|
||||
|
||||
@interface UIxJSONPreferences : WODirectAction
|
||||
@interface UIxJSONPreferences : SOGoDirectAction
|
||||
|
||||
@end
|
||||
|
||||
|
|
|
@ -35,8 +35,6 @@
|
|||
#import <SOGo/WOResourceManager+SOGo.h>
|
||||
#import <Mailer/SOGoMailLabel.h>
|
||||
|
||||
#import <UI/Common/WODirectAction+SOGo.h>
|
||||
|
||||
#import "UIxJSONPreferences.h"
|
||||
|
||||
static SoProduct *preferencesProduct = nil;
|
||||
|
|
|
@ -34,11 +34,14 @@
|
|||
#import <SOGo/NSCalendarDate+SOGo.h>
|
||||
#import <SOGo/NSDictionary+Utilities.h>
|
||||
#import <SOGo/NSObject+Utilities.h>
|
||||
#import <SOGo/NSString+Crypto.h>
|
||||
#import <SOGo/NSString+Utilities.h>
|
||||
#import <SOGo/SOGoBuild.h>
|
||||
#import <SOGo/SOGoSession.h>
|
||||
#import <SOGo/SOGoSystemDefaults.h>
|
||||
#import <SOGo/SOGoUser.h>
|
||||
#import <SOGo/SOGoUserFolder.h>
|
||||
#import <SOGo/SOGoWebAuthenticator.h>
|
||||
#import <SOGo/WOContext+SOGo.h>
|
||||
#import <SOGo/WOResourceManager+SOGo.h>
|
||||
|
||||
|
@ -763,4 +766,42 @@ static SoProduct *commonProduct = nil;
|
|||
return [sd uixDebugEnabled];
|
||||
}
|
||||
|
||||
//
|
||||
// Protection against XSRF
|
||||
//
|
||||
- (id<WOActionResults>)performActionNamed:(NSString *)_actionName
|
||||
{
|
||||
SOGoWebAuthenticator *auth;
|
||||
NSString *value, *token;
|
||||
NSArray *creds;
|
||||
|
||||
if (![[SOGoSystemDefaults sharedSystemDefaults] xsrfValidationEnabled])
|
||||
return [super performActionNamed: _actionName];
|
||||
|
||||
// If the action is 'connect' (or 'logoff'), we let it go as the token
|
||||
// needs to be created (or destroyed) during the session initialization
|
||||
if ([_actionName isEqualToString: @"connect"] ||
|
||||
[_actionName isEqualToString: @"logoff"])
|
||||
{
|
||||
return [super performActionNamed: _actionName];
|
||||
}
|
||||
|
||||
// We grab the X-XSRF-TOKEN header
|
||||
token = [[context request] headerForKey: @"X-XSRF-TOKEN"];
|
||||
|
||||
// We compare it with our session key
|
||||
auth = [[WOApplication application]
|
||||
authenticatorInContext: context];
|
||||
value = [[context request]
|
||||
cookieValueForKey: [auth cookieNameInContext: context]];
|
||||
creds = [auth parseCredentials: value];
|
||||
|
||||
value = [SOGoSession valueForSessionKey: [creds lastObject]];
|
||||
|
||||
if ([token isEqualToString: [value asSHA1String]])
|
||||
return [super performActionNamed: _actionName];
|
||||
|
||||
return nil;
|
||||
}
|
||||
|
||||
@end /* UIxComponent */
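Review bot: The by-name allow-list at L2249-L2252 exempts `logoff` as well as `connect`, which leaves a cross-site request able to log the user out (logout CSRF); that is often an accepted trade-off, but the comment at L2243-L2246 presents it as a necessity rather than a choice, and the alternative — letting `logoffAction` (L2004) tolerate a missing token itself — keeps the exemption next to the code it protects. The action names are compared as bare string literals; hoisting them to `static NSString *` constants shared with the actions they name would keep a rename from silently reopening the check. This exemption is also the only point where this override differs from the one in SOGoDirectAction.m (L309-L378), so the two policies already diverge within the same commit; a shared helper with an explicit exempt-list parameter would make that divergence intentional rather than accidental.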
|
||||
|
|
|
@ -21,8 +21,9 @@
|
|||
#ifndef UIXAPPOINTMENTACTIONS_H
|
||||
#define UIXAPPOINTMENTACTIONS_H
|
||||
|
||||
#import <Common/SOGoDirectAction.h>
|
||||
|
||||
@interface UIxAppointmentActions : WODirectAction
|
||||
@interface UIxAppointmentActions : SOGoDirectAction
|
||||
|
||||
@end
|
||||
|
||||
|
|
|
@ -40,8 +40,6 @@
|
|||
#import <Appointments/SOGoAppointmentFolder.h>
|
||||
#import <Appointments/SOGoAppointmentFolders.h>
|
||||
|
||||
#import <Common/WODirectAction+SOGo.h>
|
||||
|
||||
#import "UIxAppointmentActions.h"
|
||||
|
||||
@implementation UIxAppointmentActions
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxCalListingActions.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2006-2015 Inverse inc.
|
||||
* Copyright (C) 2006-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -21,7 +21,7 @@
|
|||
#ifndef UIXCALLISTINGACTIONVIEW_H
|
||||
#define UIXCALLISTINGACTIONVIEW_H
|
||||
|
||||
#import <Common/WODirectAction+SOGo.h>
|
||||
#import <Common/SOGoDirectAction.h>
|
||||
|
||||
@class NSCalendarDate;
|
||||
@class NSMutableDictionary;
|
||||
|
@ -33,7 +33,7 @@
|
|||
@class WOResponse;
|
||||
@class WORequest;
|
||||
|
||||
@interface UIxCalListingActions : WODirectAction
|
||||
@interface UIxCalListingActions : SOGoDirectAction
|
||||
{
|
||||
NSMutableDictionary *componentsData;
|
||||
NSCalendarDate *startDate;
|
||||
|
|
|
@ -47,8 +47,6 @@
|
|||
#import <Appointments/SOGoAppointmentFolders.h>
|
||||
#import <Appointments/SOGoWebAppointmentFolder.h>
|
||||
|
||||
#import <UI/Common/WODirectAction+SOGo.h>
|
||||
|
||||
#import "NSArray+Scheduler.h"
|
||||
|
||||
#import "UIxCalListingActions.h"
|
||||
|
@ -638,7 +636,7 @@ static NSArray *tasksFields = nil;
|
|||
NSDictionary *data;
|
||||
NSEnumerator *folders;
|
||||
unsigned int browserTime, laterTime;
|
||||
|
||||
|
||||
// We look for alarms in the next 48 hours
|
||||
browserTime = [[[context request] formValueForKey: @"browserTime"] intValue];
|
||||
laterTime = browserTime + 60*60*48;
|
||||
|
@ -779,7 +777,7 @@ static NSArray *tasksFields = nil;
|
|||
unsigned int interval;
|
||||
BOOL isAllDay;
|
||||
NSString *sort, *ascending;
|
||||
|
||||
|
||||
[self _setupContext];
|
||||
[self saveFilterValue: @"EventsFilterState"];
|
||||
[self saveSortValue: @"EventsSortingState"];
|
||||
|
@ -1317,7 +1315,7 @@ _computeBlocksPosition (NSArray *blocks)
|
|||
NSString *calendarName, *calendarId;
|
||||
BOOL isAllDay;
|
||||
int i, j;
|
||||
|
||||
|
||||
[self _setupContext];
|
||||
|
||||
events = [self _fetchFields: eventsFields forComponentOfType: @"vevent"];
|
||||
|
@ -1486,7 +1484,7 @@ _computeBlocksPosition (NSArray *blocks)
|
|||
int statusCode;
|
||||
int startSecs;
|
||||
int endsSecs;
|
||||
|
||||
|
||||
filteredTasks = [NSMutableArray array];
|
||||
|
||||
[self _setupContext];
|
||||
|
@ -1573,9 +1571,8 @@ _computeBlocksPosition (NSArray *blocks)
|
|||
SOGoAppointmentFolder *folder;
|
||||
SOGoAppointmentFolders *co;
|
||||
NSArray *folders;
|
||||
|
||||
int i;
|
||||
|
||||
|
||||
co = [self clientObject];
|
||||
folders = [co subFolders];
|
||||
activeTasksByCalendars = [NSMutableDictionary dictionaryWithCapacity: [folders count]];
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxCalMainActions.h - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2009-2013 Inverse inc.
|
||||
* Copyright (C) 2009-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
@ -21,9 +21,9 @@
|
|||
#ifndef UIXCALMAINACTIONS_H
|
||||
#define UIXCALMAINACTIONS_H
|
||||
|
||||
#import <Common/WODirectAction+SOGo.h>
|
||||
#import <Common/SOGoDirectAction.h>
|
||||
|
||||
@interface UIxCalMainActions : WODirectAction
|
||||
@interface UIxCalMainActions : SOGoDirectAction
|
||||
|
||||
@end
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* UIxCalMainActions.m - this file is part of SOGo
|
||||
*
|
||||
* Copyright (C) 2009-2015 Inverse inc.
|
||||
* Copyright (C) 2009-2016 Inverse inc.
|
||||
*
|
||||
* This file is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
|
|
|
@ -151,11 +151,17 @@
|
|||
|
||||
changePassword: function(newPassword) {
|
||||
var d = $q.defer(),
|
||||
loginCookie = readLoginCookie();
|
||||
loginCookie = readLoginCookie(),
|
||||
xsrfCookie = $cookies.get('XSRF-TOKEN');
|
||||
|
||||
$cookies.remove('XSRF-TOKEN', {path: '/SOGo/'});
|
||||
|
||||
$http({
|
||||
method: 'POST',
|
||||
url: '/SOGo/so/changePassword',
|
||||
headers: {
|
||||
'X-XSRF-TOKEN' : xsrfCookie
|
||||
},
|
||||
data: {
|
||||
userName: loginCookie[0],
|
||||
password: loginCookie[1],
|
||||
|
@ -186,6 +192,8 @@
|
|||
perr = passwordPolicyConfig.PolicyPasswordUnknown;
|
||||
}
|
||||
|
||||
// Restore the cookie
|
||||
$cookies.put('XSRF-TOKEN', xsrfCookie, {path: '/SOGo/'});
|
||||
d.reject(error);
|
||||
});
|
||||
return d.promise;
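Review bot: The cookie path `'/SOGo/'` is hard-coded in both the `$cookies.remove` (L2729) and the `$cookies.put` that restores it (L2776), while the server derives the same path from `[[context request] applicationName]` (L1909, L2046); under any other application name the removal would miss the real cookie and the restore would plant a second one. Taking the path from the same place the service gets its base URL, or having the server expose it, keeps the two sides aligned. The restore only runs on the error branch; on success the client relies on the server's `Set-Cookie` (L1978) to replace the token, so a comment next to the remove, `// on success the server re-issues XSRF-TOKEN for the new session key`, would make the asymmetry deliberate. The `changePassword` function closes outside the hunk.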
|
||||
|
|