Commit Graph

140 Commits

Author SHA1 Message Date
Isaac Connor 3f9564c10a Merge branch 'master' into storageareas 2019-03-19 10:37:35 -04:00
Isaac Connor 2c1c9fe6cd fix missing ZM namespaces 2019-03-19 09:23:35 -04:00
Isaac Connor 1d3af44d02 Fix namespace Warning 2019-03-19 09:13:56 -04:00
Isaac Connor 520c41da23 Merge ../ZoneMinder.connortechnology.bad into storageareas 2019-03-18 14:40:03 -04:00
Isaac Connor 9482207f5c revert namespace stuff in index.php 2019-03-18 11:24:28 -04:00
Isaac Connor 190142b24c Merge branch 'master' into storageareas 2019-03-01 17:47:07 -05:00
Isaac Connor 78513e22fd When doing an OPTIONS just do CORS and exit. if xmlHttpRequest don't do a redirect login. Do a failed auth header and quit 2019-03-01 17:27:08 -05:00
Isaac Connor fd310c0f0a Merge branch 'master' into storageareas 2019-02-22 11:33:47 -05:00
Isaac Connor 2b90bf15a6
Improve session (#2487)
* Introduce ZM_COOKIE_LIFETIME which sets the life of the SESSION cookie, instead of using what is in php.ini

* Use zm specific session functions, which are now located in includes/session.php.  Be more agressive about clearing session on logout.

* Move session code to includes/session.php

* remove duplicate line

* Move is_session_open to session.php.  Move code to clear a session into session.php

* improve debug line when there is a problem updating config entry

* split description into description and help text for COOKIE_LIFETIME

* Remove redirect on line.  We do it in javascript on postlogin view so that we can say logging in before switching to console

* If there is a username in the session, then we are logged in, but we need to load the user object from the db.  We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request.

* Use session_regenerate_id instead of our broken code to do the same

* Move auth code to includes/auth.php

* add autocomplete tags to username and password inputs

* Don't redirect to login if we are already viewing login.  Put auth before including skin includes

* need to include session.php in auth.php

* update to php namespace
2019-02-22 09:43:38 -05:00
Isaac Connor 8dd8888975
Php namespace (#2537)
* experiment with namespaces on the Server class

* experiment with namespaces on the Server class

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects
2019-02-22 09:19:07 -05:00
Isaac Connor 555cb4780d Merge branch 'master' into storageareas 2019-02-10 12:37:45 -05:00
Isaac Connor ee3a0c1fd1 fix validateForm running on monitor cancel due to lack of type=button on cancel button 2019-02-08 09:55:32 -05:00
Isaac Connor d08a6fcc7c Don't redirect to login if we are already viewing login. Put auth before including skin includes 2019-02-05 12:32:24 -05:00
Isaac Connor b6b4a21dbe Move auth code to includes/auth.php 2019-02-05 11:45:58 -05:00
Isaac Connor 4e9ce3c5b7 Move session code to includes/session.php 2019-01-30 11:05:36 -05:00
Isaac Connor 58d3583722 clean up and reduce depth of some logic 2019-01-23 11:18:30 -05:00
Matt N 6bb5aa1b87 More inline JS / nonce conversions (#2415)
* monitor.php: Add nonce and move <script> inside </body>

* export_functions.php: Untested: Add @nonce to <script>

* blank.php: Add @nonce to <script> and add to CSP enforced views

* Enforce CSP on login and privacy views

* group.php: Add nonce and move <script> inside </body>

* filter.php: Add @nonce to <script>

* Fix updateButtons argument on the filter page upon change and page load

* events.php: Add @nonce to <script>
2019-01-18 09:51:06 -05:00
Matt N d33fec9c3f Add a CSP script-src policy with nonce-source and convert more inline event handlers (#2413)
* Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy

* Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'

Only handle ones that don't return a value.

* Use @data-on-click to attach inline click event handlers with no args and no return value

* Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument

* Enforce a script-src CSP on views without inline JS

* Convert some onchange attributes to data-on-change
2019-01-16 09:59:58 -05:00
Andrew Bauer 07d8ac1d49 implement timezone check function (#2387)
* implement timezone check function

* remove comment

* also check if the timezone is valid

* whitespace
2019-01-15 09:05:11 -05:00
Isaac Connor dbe9817bc8 Split actions.php into individual files per view 2019-01-04 09:26:34 -05:00
Andrew Bauer 3258d8e590 remove ZM_DIR_IMAGES (#2374) 2018-12-29 09:52:58 -05:00
Andrew Bauer 8d74354fcb
Merge pull request #2242 from connortechnology/cleanup_auth
Cleanup auth
2018-12-12 20:53:24 -06:00
Isaac Connor 702143e51b Create a function called getBodyTopHTML that outputs the body tag and anything else that should go at the top.
Things like the we require javascript message, and any other messages like error messages.
Use this on the monitor and console view to stick an error message at the top when saving a monitor fails.

This is a pretty quick, crude implementation.
2018-11-07 12:33:54 -05:00
Isaac Connor a3d0cb42ea Move GOOGLE RECAPCHA to includes/auth.php, clean login actions. 2018-10-09 10:05:50 -04:00
Pliable Pixels 4d626dfb4e allow username&password even if AUTH_HASH is enabled (#2231) 2018-10-08 17:28:03 -04:00
Isaac Connor efda26121b allow login by username&password in request 2018-10-02 16:59:05 -04:00
Isaac Connor 623d31edae Don't do csrf for view=image 2018-08-31 11:58:17 -04:00
Isaac Connor 0823b28712 whitespace changes. Make Privacy test an else so that PRIVACY checks don't happen if not logged in 2018-08-31 10:37:11 -04:00
Andrew Bauer 8f0fb0843a Add Privacy Statement (#2194)
* initial implementation of privacy popup

* split the privacy text and run it through translate

* change style of toggle button, validate the form

* fix copy/paste error

* fix typos

* display privacy view inline rather than popup

* display privacy inline if show_privacy flag set

* redirect to console after selection is made

* typo

* css formatting

* update privacy verbiage

* create and load default.php

* fix typos

* fix erroneous copy/paste
2018-08-30 13:25:02 -04:00
Isaac Connor 15a6eb7e78
Revert "Add Privacy Statement (#2176)" (#2179)
This reverts commit 56f4d768c2.
2018-08-13 15:33:43 -04:00
Andrew Bauer 56f4d768c2 Add Privacy Statement (#2176)
* initial implementation of privacy popup

* split the privacy text and run it through translate

* change style of toggle button, validate the form

* fix copy/paste error

* fix typos

* display privacy view inline rather than popup

* display privacy inline if show_privacy flag set

* redirect to console after selection is made

* typo

* css formatting

* update privacy verbiage

* push privacy text to all language files
2018-08-13 15:23:44 -04:00
Isaac Connor 43827953cd test for existence of HTTP_X_FORWARDED_PROTO 2018-07-12 15:04:54 -04:00
Isaac Connor eb610cd3a1 rewrite the HTTP_X_FORWARDED_PROTO test to just make it part of the if instead of modifying SERVER['HTTPS'] 2018-07-12 11:38:58 -04:00
Mike Brown 6a5ff83848 Adding support for HTTP_X_FORWARDED_PROTO 2018-07-11 21:01:37 -05:00
Isaac Connor 3109536dda Alternate fix for video generation under csrf. Now we just turn off output buffering (discarding contents before sending the avi 2018-06-06 11:55:51 -04:00
Isaac cc27ce7ee9 Turn off csrf for archive downloading, which prevents out of memeory 2018-05-18 15:50:45 +02:00
Isaac Connor dcfd9a60bc close the session earlier 2018-04-14 22:26:47 -04:00
Isaac Connor 53ce8c008a move auth functions into it's own file 2018-04-06 14:36:23 -04:00
Isaac Connor a9f4b7899a move session closing higher up before actions.php. 2018-03-20 12:18:29 -07:00
Isaac Connor b390633f70 Fix authHash generation 2018-01-31 14:58:01 -05:00
Isaac Connor c59751713b fix redirect 2018-01-28 17:31:00 -05:00
Isaac Connor 8a4b17fb50 turn into a url instead of boolean. Use it to refresh the options page on change so that changes are instantly noticable 2018-01-28 15:13:57 -05:00
Isaac Connor bb9d640c01 use instead of ['request'] to fix behaviour when request has been emptied due to failed auth 2018-01-26 12:56:38 -05:00
Isaac 5865bbfb12 turn off debugging 2018-01-24 23:07:21 +01:00
Isaac 06c9266c62 use snapshot.jpg more 2018-01-22 03:27:01 +01:00
Isaac Connor cb70a3627f Fixes to montagereview and only load event data when in History mode 2017-11-28 14:50:21 -05:00
Isaac Connor c0e49b65ef stop writing env to /tmp/env 2017-11-24 15:38:07 -05:00
Isaac Connor 4b92a788f7 fix filter execute 2017-11-24 15:37:50 -05:00
Isaac Connor b5491102ef Fix saving MontageLayouts 2017-10-30 20:21:16 -04:00
Isaac Connor a6c790b374 use a shared include for the filters bar 2017-10-30 07:37:08 -07:00