diff options
| author | Julius Härtl <jus@bitgrid.net> | 2022-04-21 10:29:22 +0300 |
|---|---|---|
| committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2022-04-25 18:14:48 +0300 |
| commit | a2d03d944062ff8b01de3b5c7e6a5ad554de422f (patch) | |
| tree | 7d3c77a07bec7facab0ba197885a87eb89d44c6d | |
| parent | fc52df73749e7e64caf806cb2559681e2598643f (diff) | |
Add app config to enable trusted domain list usagebackport/2161/stable23
Signed-off-by: Julius Härtl <jus@bitgrid.net>
| -rw-r--r-- | docs/federated-editing.md | 6 | ||||
| -rw-r--r-- | lib/AppConfig.php | 18 | ||||
| -rw-r--r-- | lib/Service/FederationService.php | 16 |
3 files changed, 31 insertions, 9 deletions
diff --git a/docs/federated-editing.md b/docs/federated-editing.md index f7b2103f..41bed128 100644 --- a/docs/federated-editing.md +++ b/docs/federated-editing.md @@ -37,3 +37,9 @@ Collabora by default only allows embedding from the same remote that the initial Assuming gs1.example.com and gs2.example.com are Nextcloud servers: coolconfig set net.frame_ancestors "*.example.com" + +## Trusted hosts + +By default, trusted hosts of Nextcloud will not be allowed for federated editing. This can be enabled through the following app config value: + + occ config:app:set richdocuments federation_use_trusted_domains --value="yes" diff --git a/lib/AppConfig.php b/lib/AppConfig.php index bcb2ef9d..9a9bec66 100644 --- a/lib/AppConfig.php +++ b/lib/AppConfig.php @@ -16,6 +16,10 @@ use \OCP\IConfig; class AppConfig { + public const FEDERATION_USE_TRUSTED_DOMAINS = 'federation_use_trusted_domains'; + + public const SYSTEM_GS_TRUSTED_HOSTS = 'gs.trustedHosts'; + private $defaults = [ 'wopi_url' => '', 'timeout' => 15, @@ -107,4 +111,18 @@ class AppConfig { return $result; } + /** + * Returns a list of trusted domains from the gs.trustedHosts config + */ + public function getTrustedDomains(): array { + return $this->config->getSystemValue(self::SYSTEM_GS_TRUSTED_HOSTS, []); + } + + /** + * Returns if federation trusted domains should be always allowed for federated editing + */ + public function isTrustedDomainAllowedForFederation(): bool { + return $this->config->getAppValue(Application::APPNAME, self::FEDERATION_USE_TRUSTED_DOMAINS, 'no') === 'yes'; + } + } diff --git a/lib/Service/FederationService.php b/lib/Service/FederationService.php index f8d3e5f7..ac541f54 100644 --- a/lib/Service/FederationService.php +++ b/lib/Service/FederationService.php @@ -26,11 +26,10 @@ namespace OCA\Richdocuments\Service; use OCA\Federation\TrustedServers; use OCA\Files_Sharing\External\Storage as SharingExternalStorage; +use OCA\Richdocuments\AppConfig; use OCA\Richdocuments\Db\Direct; use OCA\Richdocuments\Db\Wopi; -use OCA\Richdocuments\Db\WopiMapper; use OCA\Richdocuments\TokenManager; -use OCP\AppFramework\Http\RedirectResponse; use OCP\AppFramework\QueryException; use OCP\Files\File; use OCP\Files\InvalidPathException; @@ -38,7 +37,6 @@ use OCP\Files\NotFoundException; use OCP\Http\Client\IClientService; use OCP\ICache; use OCP\ICacheFactory; -use OCP\IConfig; use OCP\ILogger; use OCP\IRequest; use OCP\IURLGenerator; @@ -54,8 +52,8 @@ class FederationService { private $logger; /** @var TrustedServers */ private $trustedServers; - /** @var IConfig */ - private $config; + /** @var AppConfig */ + private $appConfig; /** @var TokenManager */ private $tokenManager; /** @var IRequest */ @@ -63,12 +61,12 @@ class FederationService { /** @var IURLGenerator */ private $urlGenerator; - public function __construct(ICacheFactory $cacheFactory, IClientService $clientService, ILogger $logger, TokenManager $tokenManager, IConfig $config, IRequest $request, IURLGenerator $urlGenerator) { + public function __construct(ICacheFactory $cacheFactory, IClientService $clientService, ILogger $logger, TokenManager $tokenManager, AppConfig $appConfig, IRequest $request, IURLGenerator $urlGenerator) { $this->cache = $cacheFactory->createDistributed('richdocuments_remote/'); $this->clientService = $clientService; $this->logger = $logger; $this->tokenManager = $tokenManager; - $this->config = $config; + $this->appConfig = $appConfig; $this->request = $request; $this->urlGenerator = $urlGenerator; try { @@ -114,13 +112,13 @@ class FederationService { $domainWithPort = parse_url($domainWithPort, PHP_URL_HOST) . ($port ? ':' . $port : ''); } - if ($this->trustedServers !== null && $this->trustedServers->isTrustedServer($domainWithPort)) { + if ($this->appConfig->isTrustedDomainAllowedForFederation() && $this->trustedServers !== null && $this->trustedServers->isTrustedServer($domainWithPort)) { return true; } $domain = $this->getDomainWithoutPort($domainWithPort); - $trustedList = array_merge($this->config->getSystemValue('gs.trustedHosts', []), [$this->request->getServerHost()]); + $trustedList = array_merge($this->appConfig->getTrustedDomains(), [$this->request->getServerHost()]); if (!is_array($trustedList)) { return false; } |