Age | Commit message | Author | Files | Lines |
|
If regeneration is on, the token is recreated after the first AJAX
submit and subsequent ajax submits or normal form submits break. By
disabling it here, we limit potential security issues to only this page,
but it also only works if the user does not submit any other forms while
they are on the AJAX page.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
There are no more MB related functions used in the application code base
so this can go away. It was used by the plain text API which has been
removed in v2.0.0.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Documentation says that the variable can be set from the controller,
but it's protected and thus throws an exception. Good documentation is
hard to come by...
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
We actually don't need to hide this from the user. The error should be
shown rather than a blank page being returned.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Previously the login box in the navigation would redirect to the
current page, but this page will throw an error in the case of the
registration page since that's the page with the invitation key and that
key is no longer valid.
Fix this by redirecting to the $redirect_uri and ensure that this value
is set for all requests.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
This mainly tries to prevent problems when file cron is run with an old
database.
Tools is whitelisted for the future, if there are cron jobs in tools
they will need to check the migrations themselves.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
This is only needed for clients not yet using api keys.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
This is the first of hopefully more classes using namespaces and proper
classes that can be used as objects rather than CI's singleton
approach. The namespace is mainly used to gain nice autoloading
capabilities and it's not really yet used for separation.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
This is necessary to prevent migrations from running multiple times in
parallel. A git hook can be used to run this after checkout so impact
should be fairly low.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
TL;DR: Allows us to show a proper error page if encryption_key is
missing from the config.
muser->logged_in() can load the session class which will die if
encryption_key is not set in the config causing an error to be
displayed.
Because the header is also loaded when we display an error
loading the class will be tried again. CI maintains an array with
information which classes have been tried to be loaded and will simply
return true without loading again.
muser->logged_in() will then try to access $this->session which doesn't
exist. Since all of this happens when we are already in the header the
error message appears in the navigation being hard to read.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Stateless clients (cli client and clients using api keys) can't reclaim
IDs (no cookie) so they should be required to log in asap and they will
always get an error if they didn't log in.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Otherwise we get an error in the Security class trying to access
$_SERVER["REQUEST_METHOD"].
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
|
|
Signed-off-by: Florian Pritz <bluewind@server-speed.net>
|
|