From 9be62570ee283f9c39ccc67b29de5f6df7e46d7d Mon Sep 17 00:00:00 2001
From: provokateurin
Date: Thu, 25 Jul 2024 13:14:50 +0200
Subject: [PATCH] refactor(theming): Replace security annotations with respective attributes

Signed-off-by: provokateurin
---
 .../theming/lib/Controller/IconController.php | 17 +++++------
 .../lib/Controller/ThemingController.php | 30 +++++++++++--------
 .../lib/Controller/UserThemeController.php | 19 +++++-------
 3 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/apps/theming/lib/Controller/IconController.php b/apps/theming/lib/Controller/IconController.php
index acbb24e0883be..bdd5a43ddc3c6 100644
--- a/apps/theming/lib/Controller/IconController.php
+++ b/apps/theming/lib/Controller/IconController.php
@@ -12,6 +12,8 @@
 use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\DataDisplayResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
@@ -50,9 +52,6 @@ public function __construct(
 	}
 
 	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 *
 	 * Get a themed icon
 	 *
 	 * @param string $app ID of the app
@@ -63,6 +62,8 @@ public function __construct(
 	 * 200: Themed icon returned
 	 * 404: Themed icon not found
 	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
 	public function getThemedIcon(string $app, string $image): Response {
 		if ($app !== 'core' && !$this->appManager->isEnabledForUser($app)) {
 			$app = 'core';
@@ -87,9 +88,6 @@ public function getThemedIcon(string $app, string $image): Response {
 	/**
 	 * Return a 32x32 favicon as png
 	 *
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 *
 	 * @param string $app ID of the app
 	 * @return DataDisplayResponse|FileDisplayResponse|NotFoundResponse
 	 * @throws \Exception
@@ -97,6 +95,8 @@ public function getThemedIcon(string $app, string $image): Response {
 	 * 200: Favicon returned
 	 * 404: Favicon not found
 	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
 	public function getFavicon(string $app = 'core'): Response {
 		if ($app !== 'core' && !$this->appManager->isEnabledForUser($app)) {
 			$app = 'core';
@@ -133,9 +133,6 @@ public function getFavicon(string $app = 'core'): Response {
 	/**
 	 * Return a 512x512 icon for touch devices
 	 *
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 *
 	 * @param string $app ID of the app
 	 * @return DataDisplayResponse|FileDisplayResponse|NotFoundResponse
 	 * @throws \Exception
@@ -143,6 +140,8 @@ public function getFavicon(string $app = 'core'): Response {
 	 * 200: Touch icon returned
 	 * 404: Touch icon not found
 	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
 	public function getTouchIcon(string $app = 'core'): Response {
 		if ($app !== 'core' && !$this->appManager->isEnabledForUser($app)) {
 			$app = 'core';
diff --git a/apps/theming/lib/Controller/ThemingController.php b/apps/theming/lib/Controller/ThemingController.php
index 8fdb020e61490..ba0703a41c8dc 100644
--- a/apps/theming/lib/Controller/ThemingController.php
+++ b/apps/theming/lib/Controller/ThemingController.php
@@ -8,10 +8,15 @@
 use InvalidArgumentException;
 use OCA\Theming\ImageManager;
 use OCA\Theming\Service\ThemesService;
+use OCA\Theming\Settings\Admin;
 use OCA\Theming\ThemingDefaults;
 use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
+use OCP\AppFramework\Http\Attribute\BruteForceProtection;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\DataDisplayResponse;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
@@ -66,12 +71,12 @@ public function __construct(
 	}
 
 	/**
-	 * @AuthorizedAdminSetting(settings=OCA\Theming\Settings\Admin)
 	 * @param string $setting
 	 * @param string $value
 	 * @return DataResponse
 	 * @throws NotPermittedException
 	 */
+	#[AuthorizedAdminSetting(Admin::class)]
 	public function updateStylesheet($setting, $value) {
 		$value = trim($value);
 		$error = null;
@@ -146,12 +151,12 @@ public function updateStylesheet($setting, $value) {
 	}
 
 	/**
-	 * @AuthorizedAdminSetting(settings=OCA\Theming\Settings\Admin)
 	 * @param string $setting
 	 * @param mixed $value
 	 * @return DataResponse
 	 * @throws NotPermittedException
 	 */
+	#[AuthorizedAdminSetting(Admin::class)]
 	public function updateAppMenu($setting, $value) {
 		$error = null;
 		switch ($setting) {
@@ -195,10 +200,10 @@ private function isValidUrl(string $url): bool {
 	}
 
 	/**
-	 * @AuthorizedAdminSetting(settings=OCA\Theming\Settings\Admin)
 	 * @return DataResponse
 	 * @throws NotPermittedException
 	 */
+	#[AuthorizedAdminSetting(Admin::class)]
 	public function uploadImage(): DataResponse {
 		$key = $this->request->getParam('key');
 		if (!in_array($key, self::VALID_UPLOAD_KEYS, true)) {
@@ -275,12 +280,12 @@ public function uploadImage(): DataResponse {
 
 	/**
 	 * Revert setting to default value
-	 * @AuthorizedAdminSetting(settings=OCA\Theming\Settings\Admin)
 	 *
 	 * @param string $setting setting which should be reverted
 	 * @return DataResponse
 	 * @throws NotPermittedException
 	 */
+	#[AuthorizedAdminSetting(Admin::class)]
 	public function undo(string $setting): DataResponse {
 		$value = $this->themingDefaults->undo($setting);
 
@@ -298,11 +303,11 @@ public function undo(string $setting): DataResponse {
 
 	/**
 	 * Revert all theming settings to their default values
-	 * @AuthorizedAdminSetting(settings=OCA\Theming\Settings\Admin)
 	 *
 	 * @return DataResponse
 	 * @throws NotPermittedException
 	 */
+	#[AuthorizedAdminSetting(Admin::class)]
 	public function undoAll(): DataResponse {
 		$this->themingDefaults->undoAll();
 		$this->appManager->setDefaultApps([]);
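Review bot: With the `@AuthorizedAdminSetting(...)` line removed, the docblocks of updateStylesheet in this hunk, and of updateAppMenu and uploadImage in the hunks at -146 and -195, now open straight on `@param`/`@return` with no summary and no hint of who may call the method; the attribute carries the authorization, but a reader of the docblock no longer sees it. A one-line summary such as `* Update one theming setting; callable by admins delegated the theming admin settings` (assuming that is what AuthorizedAdminSetting grants here — confirm against the middleware) would keep what the annotation used to state in passing. undo and undoAll in the later hunks keep their summaries, so nothing is needed there. updateStylesheet's body continues outside the hunk.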
@@ -319,8 +324,6 @@ public function undoAll(): DataResponse {
 	}
 
 	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
 	 * @NoSameSiteCookieRequired
 	 *
 	 * Get an image
@@ -333,6 +336,8 @@ public function undoAll(): DataResponse {
 	 * 200: Image returned
 	 * 404: Image not found
 	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
 	public function getImage(string $key, bool $useSvg = true) {
 		try {
 			$file = $this->imageManager->getImage($key, $useSvg);
@@ -356,8 +361,6 @@ public function getImage(string $key, bool $useSvg = true) {
 	}
 
 	/**
-	 * @NoCSRFRequired
-	 * @PublicPage
 	 * @NoSameSiteCookieRequired
 	 * @NoTwoFactorRequired
 	 *
@@ -371,6 +374,8 @@ public function getImage(string $key, bool $useSvg = true) {
 	 * 200: Stylesheet returned
 	 * 404: Theme not found
 	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
 	public function getThemeStylesheet(string $themeId, bool $plain = false, bool $withCustomCss = false) {
 		$themes = $this->themesService->getThemes();
 		if (!in_array($themeId, array_keys($themes))) {
@@ -407,10 +412,6 @@ public function getThemeStylesheet(string $themeId, bool $plain = false, bool $w
 	}
 
 	/**
-	 * @NoCSRFRequired
-	 * @PublicPage
-	 * @BruteForceProtection(action=manifest)
-	 *
 	 * Get the manifest for an app
 	 *
 	 * @param string $app ID of the app
@@ -420,6 +421,9 @@ public function getThemeStylesheet(string $themeId, bool $plain = false, bool $w
 	 * 200: Manifest returned
 	 * 404: App not found
 	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
+	#[BruteForceProtection('manifest')]
 	public function getManifest(string $app): JSONResponse {
 		$cacheBusterValue = $this->config->getAppValue('theming', 'cachebuster', '0');
 		if ($app === 'core' || $app === 'settings') {
diff --git a/apps/theming/lib/Controller/UserThemeController.php b/apps/theming/lib/Controller/UserThemeController.php
index 33c6c5c8a3b5c..bef0f38f598c0 100644
--- a/apps/theming/lib/Controller/UserThemeController.php
+++ b/apps/theming/lib/Controller/UserThemeController.php
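Review bot: After this hunk the getImage docblock — and getThemeStylesheet's in the hunk at -356 — mixes the two mechanisms: `@NoSameSiteCookieRequired` and `@NoTwoFactorRequired` stay as annotations while PublicPage and NoCSRFRequired move to attributes, and nothing tells the next person converting annotations that these were left on purpose. Whether they were skipped because no attribute form exists for their middleware is not visible here, so record the reason in the docblock, e.g. `* NOTE: the annotations above are still read by their middleware; do not drop them without an attribute replacement`. A half-converted docblock is exactly where such a declaration gets lost in a later cleanup, and for these two the loss would presumably be a behaviour change rather than a compile error.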
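Review bot: `#[BruteForceProtection('manifest')]` in the hunk at -420 is the one converted declaration where a middleware that did not read the attribute would fail open rather than closed: an unread `#[PublicPage]` makes the route unreachable, an unread brute-force attribute silently removes throttling. Confirm that the brute-force middleware on the targeted server line reads the attribute form, and that the action string still matches what the body presumably passes to the response's throttle() call (getManifest's body lies outside the hunk). A short comment on the attribute line, `// action name must match the throttled response in the body`, would tie the two together.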
@@ -15,6 +15,8 @@
 use OCA\Theming\Service\ThemesService;
 use OCA\Theming\ThemingDefaults;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\JSONResponse;
@@ -59,8 +61,6 @@ public function __construct(string $appName,
 	}
 
 	/**
-	 * @NoAdminRequired
-	 *
 	 * Enable theme
 	 *
 	 * @param string $themeId the theme ID
@@ -70,6 +70,7 @@ public function __construct(string $appName,
 	 *
 	 * 200: Theme enabled successfully
 	 */
+	#[NoAdminRequired]
 	public function enableTheme(string $themeId): DataResponse {
 		$theme = $this->validateTheme($themeId);
 
@@ -79,8 +80,6 @@ public function enableTheme(string $themeId): DataResponse {
 	}
 
 	/**
-	 * @NoAdminRequired
-	 *
 	 * Disable theme
 	 *
 	 * @param string $themeId the theme ID
@@ -90,6 +89,7 @@ public function enableTheme(string $themeId): DataResponse {
 	 *
 	 * 200: Theme disabled successfully
 	 */
+	#[NoAdminRequired]
 	public function disableTheme(string $themeId): DataResponse {
 		$theme = $this->validateTheme($themeId);
 
@@ -128,15 +128,14 @@ private function validateTheme(string $themeId): ITheme {
 	}
 
 	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 *
 	 * Get the background image
 	 * @return FileDisplayResponse|NotFoundResponse
 	 *
 	 * 200: Background image returned
 	 * 404: Background image not found
 	 */
+	#[NoAdminRequired]
+	#[NoCSRFRequired]
 	public function getBackground(): Http\Response {
 		$file = $this->backgroundService->getBackground();
 		if ($file !== null) {
@@ -148,14 +147,13 @@ public function getBackground(): Http\Response {
 	}
 
 	/**
-	 * @NoAdminRequired
-	 *
 	 * Delete the background
 	 *
 	 * @return JSONResponse
 	 *
 	 * 200: Background deleted successfully
 	 */
+	#[NoAdminRequired]
 	public function deleteBackground(): JSONResponse {
 		$currentVersion = (int)$this->config->getUserValue($this->userId, Application::APP_ID, 'userCacheBuster', '0');
 		$this->backgroundService->deleteBackgroundImage();
@@ -168,8 +166,6 @@ public function deleteBackground(): JSONResponse {
 	}
 
 	/**
-	 * @NoAdminRequired
-	 *
 	 * Set the background
 	 *
 	 * @param string $type Type of background
@@ -180,6 +176,7 @@ public function deleteBackground(): JSONResponse {
 	 * 200: Background set successfully
 	 * 400: Setting background is not possible
 	 */
+	#[NoAdminRequired]
 	public function setBackground(string $type = BackgroundService::BACKGROUND_DEFAULT, string $value = '', ?string $color = null): JSONResponse {
 		$currentVersion = (int)$this->config->getUserValue($this->userId, Application::APP_ID, 'userCacheBuster', '0');