github.com/nextcloud/richdocuments.git - Unnamed repository; edit this file 'description' to name the repository.
authorJulius Härtl <jus@bitgrid.net>2022-04-21 10:29:22 +0300
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>2022-04-25 18:14:48 +0300
commita2d03d944062ff8b01de3b5c7e6a5ad554de422f (patch)
tree7d3c77a07bec7facab0ba197885a87eb89d44c6d
parentfc52df73749e7e64caf806cb2559681e2598643f (diff)
Add app config to enable trusted domain list usagebackport/2161/stable23
Signed-off-by: Julius Härtl <jus@bitgrid.net>
-rw-r--r--docs/federated-editing.md6
-rw-r--r--lib/AppConfig.php18
-rw-r--r--lib/Service/FederationService.php16
3 files changed, 31 insertions, 9 deletions
diff --git a/docs/federated-editing.md b/docs/federated-editing.md
index f7b2103f..41bed128 100644
--- a/docs/federated-editing.md
+++ b/docs/federated-editing.md
@@ -37,3 +37,9 @@ Collabora by default only allows embedding from the same remote that the initial
Assuming gs1.example.com and gs2.example.com are Nextcloud servers:
coolconfig set net.frame_ancestors "*.example.com"
+
+## Trusted hosts
+
+By default, trusted hosts of Nextcloud will not be allowed for federated editing. This can be enabled through the following app config value:
+
+ occ config:app:set richdocuments federation_use_trusted_domains --value="yes"
diff --git a/lib/AppConfig.php b/lib/AppConfig.php
index bcb2ef9d..9a9bec66 100644
--- a/lib/AppConfig.php
+++ b/lib/AppConfig.php
@@ -16,6 +16,10 @@ use \OCP\IConfig;
class AppConfig {
+ public const FEDERATION_USE_TRUSTED_DOMAINS = 'federation_use_trusted_domains';
+
+ public const SYSTEM_GS_TRUSTED_HOSTS = 'gs.trustedHosts';
+
private $defaults = [
'wopi_url' => '',
'timeout' => 15,
@@ -107,4 +111,18 @@ class AppConfig {
return $result;
}
+ /**
+ * Returns a list of trusted domains from the gs.trustedHosts config
+ */
+ public function getTrustedDomains(): array {
+ return $this->config->getSystemValue(self::SYSTEM_GS_TRUSTED_HOSTS, []);
+ }
+
+ /**
+ * Returns if federation trusted domains should be always allowed for federated editing
+ */
+ public function isTrustedDomainAllowedForFederation(): bool {
+ return $this->config->getAppValue(Application::APPNAME, self::FEDERATION_USE_TRUSTED_DOMAINS, 'no') === 'yes';
+ }
+
}
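Review bot: `getTrustedDomains()` declares an `array` return type but hands back whatever `getSystemValue()` yields, so a `gs.trustedHosts` entry written as a single string in config.php would raise a TypeError inside the federation trust check instead of being treated as an empty list. Normalising here keeps the failure closed: `$hosts = $this->config->getSystemValue(self::SYSTEM_GS_TRUSTED_HOSTS, []);` followed by `return is_array($hosts) ? $hosts : [];`. The docblock could also say that this list comes from `gs.trustedHosts` (presumably the Global Scale setting) and not from Nextcloud's `trusted_domains`, which the method name suggests.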
diff --git a/lib/Service/FederationService.php b/lib/Service/FederationService.php
index f8d3e5f7..ac541f54 100644
--- a/lib/Service/FederationService.php
+++ b/lib/Service/FederationService.php
@@ -26,11 +26,10 @@ namespace OCA\Richdocuments\Service;
use OCA\Federation\TrustedServers;
use OCA\Files_Sharing\External\Storage as SharingExternalStorage;
+use OCA\Richdocuments\AppConfig;
use OCA\Richdocuments\Db\Direct;
use OCA\Richdocuments\Db\Wopi;
-use OCA\Richdocuments\Db\WopiMapper;
use OCA\Richdocuments\TokenManager;
-use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\QueryException;
use OCP\Files\File;
use OCP\Files\InvalidPathException;
@@ -38,7 +37,6 @@ use OCP\Files\NotFoundException;
use OCP\Http\Client\IClientService;
use OCP\ICache;
use OCP\ICacheFactory;
-use OCP\IConfig;
use OCP\ILogger;
use OCP\IRequest;
use OCP\IURLGenerator;
@@ -54,8 +52,8 @@ class FederationService {
private $logger;
/** @var TrustedServers */
private $trustedServers;
- /** @var IConfig */
- private $config;
+ /** @var AppConfig */
+ private $appConfig;
/** @var TokenManager */
private $tokenManager;
/** @var IRequest */
@@ -63,12 +61,12 @@ class FederationService {
/** @var IURLGenerator */
private $urlGenerator;
- public function __construct(ICacheFactory $cacheFactory, IClientService $clientService, ILogger $logger, TokenManager $tokenManager, IConfig $config, IRequest $request, IURLGenerator $urlGenerator) {
+ public function __construct(ICacheFactory $cacheFactory, IClientService $clientService, ILogger $logger, TokenManager $tokenManager, AppConfig $appConfig, IRequest $request, IURLGenerator $urlGenerator) {
$this->cache = $cacheFactory->createDistributed('richdocuments_remote/');
$this->clientService = $clientService;
$this->logger = $logger;
$this->tokenManager = $tokenManager;
- $this->config = $config;
+ $this->appConfig = $appConfig;
$this->request = $request;
$this->urlGenerator = $urlGenerator;
try {
@@ -114,13 +112,13 @@ class FederationService {
$domainWithPort = parse_url($domainWithPort, PHP_URL_HOST) . ($port ? ':' . $port : '');
}
- if ($this->trustedServers !== null && $this->trustedServers->isTrustedServer($domainWithPort)) {
+ if ($this->appConfig->isTrustedDomainAllowedForFederation() && $this->trustedServers !== null && $this->trustedServers->isTrustedServer($domainWithPort)) {
return true;
}
$domain = $this->getDomainWithoutPort($domainWithPort);
- $trustedList = array_merge($this->config->getSystemValue('gs.trustedHosts', []), [$this->request->getServerHost()]);
+ $trustedList = array_merge($this->appConfig->getTrustedDomains(), [$this->request->getServerHost()]);
if (!is_array($trustedList)) {
return false;
}
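Review bot: The flag added to the first condition gates the Federation app's trusted-server list (`TrustedServers::isTrustedServer`), yet the key is named `federation_use_trusted_domains` and the docs in this commit say "trusted hosts of Nextcloud", which an admin could read as the `trusted_domains` system setting. A comment above the `if` would pin down the decision, for example `// Opt-in: servers trusted by the Federation app are accepted as editing remotes only when federation_use_trusted_domains is "yes"`. Since `array_merge` is now fed by `getTrustedDomains(): array`, the `!is_array($trustedList)` guard below appears unreachable and could be dropped. The enclosing method starts above this hunk and continues past it.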