Commit Graph

172 Commits

Author SHA1 Message Date
Isaac Connor f85efc17b4 Add samesite when setting cookie for skin and css 2021-06-08 13:09:30 -04:00
Isaac Connor 7aa625ea8e Don't both loading all the Object code until after auth. 2021-04-12 15:59:31 -04:00
Isaac Connor 284837d536 quotes, spaces. Also move setting redirect to to where we actually do the redirect so that actions can remove the redirect if there was an error to report. 2021-03-21 09:19:21 -04:00
Isaac Connor 0bb4afa0bc The test for xmlhttprequest is bogus. chrome jquery JSON requests don't send it. Replace with a test for instead. So now only redirect on proper html views. 2021-03-13 12:11:55 -05:00
Isaac Connor c6cf1da47d Merge branch 'master' into zma_to_thread 2021-01-11 17:08:44 -05:00
Isaac Connor 10c0a6617c Return Debug to a regular function to match other logging functions. Since we switched to using namespaces we no longer clash with cake_php. 2020-10-14 10:39:25 -04:00
Andrew Bauer 0f263407a5 make redirect conditional on previous view 2020-10-12 10:32:25 -05:00
Isaac Connor 70b73048cc add csrf checks to frames view 2020-09-02 18:11:53 -04:00
Isaac Connor 29ab186a7e put generating the view html into an ob_start/ob_end_flush so that we can do things like re-open sessions in the middle of generating content. Only send CSP headers on html content. 2020-09-02 13:58:24 -04:00
Isaac Connor 0a3ad719cd Merge branch 'master' into filter_pre_post 2020-08-17 18:30:44 -04:00
Isaac Connor ea4edcbc94 Make a global so tht we can use it in export_functions 2020-08-16 20:08:14 -04:00
Isaac Connor 0a383c02c4 Better debugging of REQUEST/POST vars 2020-06-23 22:20:07 -04:00
Isaac Connor ebfae1f855 turn off debug 2020-05-01 13:17:39 -04:00
Isaac Connor da94985508 add back global servers 2020-04-10 11:14:09 -04:00
Isaac Connor e06912a995 Merge branch 'release-1.34' 2020-03-21 15:28:27 -04:00
Isaac Connor d3df0defc9 Support missing openssl_random_pseudo_bytes by using alternate functions 2020-03-21 15:28:18 -04:00
Isaac Connor 8eee5cc222 Add global array so that we only do it once. 2020-03-04 11:03:30 -05:00
Isaac Connor 6456d52b97 Merge branch 'fix_user_lang' 2020-02-27 17:43:51 -05:00
Isaac Connor d371da7b4f including the language files must come after auth in order to user the user's language setting 2020-02-27 17:42:02 -05:00
Isaac Connor dab5c520fe Merge branch 'master' into add_alarmed_zone_to_filters 2020-02-19 14:20:08 -05:00
Isaac Connor 600dbba8c5 We don't need to set date_default_timezone_get 2020-02-11 13:23:53 -05:00
Isaac Connor 6345ecc479 remove debug 2020-01-23 17:04:33 -05:00
Isaac Connor 9d41334e8f Merge branch 'master' into add_alarmed_zone_to_filters 2020-01-22 13:45:37 -05:00
Isaac Connor dbdb13efd7 Instead of passing query string in form post variables, store it in session so that it survives redirects. Fixes #2811 2020-01-20 11:02:43 -05:00
Isaac Connor e39a95d761 Add AlarmedZoned to filters, work on fixing filter behaviour in js. Enable viewing filter results in montagereview 2019-12-18 19:06:10 -05:00
Isaac Connor d02aee64e4 Add setting of timezone to Options/Config instead of php.ini 2019-10-02 09:07:18 -04:00
Isaac Connor ff8e9fa072 Don't glob skins dir and css dirs unless our skin or css is invalid. 2019-09-17 12:07:10 -04:00
Isaac Connor 25198e0eb0 move session_close to after auth so that whatever we do with the session in auth gets saved 2019-09-04 17:53:59 -04:00
Isaac Connor ef5497cba8 If we have an ajax request, don't do actions. 2019-08-29 11:26:14 -04:00
Isaac Connor 84492f29b1
Fix token auth sessions (#2676)
* If token is present do token based auth and do not do anything with session

* update HostController.  Use config constants, don't use sessions

* Remove Session from the components list

* spacing

* Remove Session from App Components list.

* Move APIEnabled check to the api from auth.php

* Rework auth.  login using username and password only occurs on login action now.  Including auth.php should not touch the session.  auth_hash logins no longer touch the session.  replace userLogin with a function called validateUser which matches the semantics of validateToken.

* remove debugging

* Add session storage if stateful query param is on, but only for LEGACY_API_AUTH

* fix mUser to username, etc.

* shuffle lines

* use  instead of session when generating auth hash.

* Add docs regarding the use of cookies and stateful query param

* Only open/close session if we are clearing a session var

* Use zm_session_start instead of session_start

* Should use zm_session_start instead of session_start

* document that zm_session_start should be called previously to session_regenerate_id

* Don't actually write out the session when generating auth hashes.  Means they should never actually persist.

* More backticking of SQL

* add .. to fix #2686

* Use material icons for sort because they look nicer

* fix typo

* have to add authhash to session on login

* restore username&password login for all urls

* fix

* fixes
2019-08-20 09:46:53 -04:00
Isaac Connor 1103928ed7 only call check_timezone on console for efficiency in all other requests 2019-08-15 15:16:20 -04:00
Isaac Connor 940338ea12 namespace escape Error calls 2019-04-29 12:51:02 -04:00
Isaac Connor 3f9564c10a Merge branch 'master' into storageareas 2019-03-19 10:37:35 -04:00
Isaac Connor 2c1c9fe6cd fix missing ZM namespaces 2019-03-19 09:23:35 -04:00
Isaac Connor 1d3af44d02 Fix namespace Warning 2019-03-19 09:13:56 -04:00
Isaac Connor 520c41da23 Merge ../ZoneMinder.connortechnology.bad into storageareas 2019-03-18 14:40:03 -04:00
Isaac Connor 9482207f5c revert namespace stuff in index.php 2019-03-18 11:24:28 -04:00
Isaac Connor 190142b24c Merge branch 'master' into storageareas 2019-03-01 17:47:07 -05:00
Isaac Connor 78513e22fd When doing an OPTIONS just do CORS and exit. if xmlHttpRequest don't do a redirect login. Do a failed auth header and quit 2019-03-01 17:27:08 -05:00
Isaac Connor fd310c0f0a Merge branch 'master' into storageareas 2019-02-22 11:33:47 -05:00
Isaac Connor 2b90bf15a6
Improve session (#2487)
* Introduce ZM_COOKIE_LIFETIME which sets the life of the SESSION cookie, instead of using what is in php.ini

* Use zm specific session functions, which are now located in includes/session.php.  Be more agressive about clearing session on logout.

* Move session code to includes/session.php

* remove duplicate line

* Move is_session_open to session.php.  Move code to clear a session into session.php

* improve debug line when there is a problem updating config entry

* split description into description and help text for COOKIE_LIFETIME

* Remove redirect on line.  We do it in javascript on postlogin view so that we can say logging in before switching to console

* If there is a username in the session, then we are logged in, but we need to load the user object from the db.  We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request.

* Use session_regenerate_id instead of our broken code to do the same

* Move auth code to includes/auth.php

* add autocomplete tags to username and password inputs

* Don't redirect to login if we are already viewing login.  Put auth before including skin includes

* need to include session.php in auth.php

* update to php namespace
2019-02-22 09:43:38 -05:00
Isaac Connor 8dd8888975
Php namespace (#2537)
* experiment with namespaces on the Server class

* experiment with namespaces on the Server class

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects
2019-02-22 09:19:07 -05:00
Isaac Connor 555cb4780d Merge branch 'master' into storageareas 2019-02-10 12:37:45 -05:00
Isaac Connor ee3a0c1fd1 fix validateForm running on monitor cancel due to lack of type=button on cancel button 2019-02-08 09:55:32 -05:00
Isaac Connor d08a6fcc7c Don't redirect to login if we are already viewing login. Put auth before including skin includes 2019-02-05 12:32:24 -05:00
Isaac Connor b6b4a21dbe Move auth code to includes/auth.php 2019-02-05 11:45:58 -05:00
Isaac Connor 4e9ce3c5b7 Move session code to includes/session.php 2019-01-30 11:05:36 -05:00
Isaac Connor 58d3583722 clean up and reduce depth of some logic 2019-01-23 11:18:30 -05:00
Matt N 6bb5aa1b87 More inline JS / nonce conversions (#2415)
* monitor.php: Add nonce and move <script> inside </body>

* export_functions.php: Untested: Add @nonce to <script>

* blank.php: Add @nonce to <script> and add to CSP enforced views

* Enforce CSP on login and privacy views

* group.php: Add nonce and move <script> inside </body>

* filter.php: Add @nonce to <script>

* Fix updateButtons argument on the filter page upon change and page load

* events.php: Add @nonce to <script>
2019-01-18 09:51:06 -05:00
Matt N d33fec9c3f Add a CSP script-src policy with nonce-source and convert more inline event handlers (#2413)
* Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy

* Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'

Only handle ones that don't return a value.

* Use @data-on-click to attach inline click event handlers with no args and no return value

* Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument

* Enforce a script-src CSP on views without inline JS

* Convert some onchange attributes to data-on-change
2019-01-16 09:59:58 -05:00