Alexander Ebert [Mon, 20 Sep 2021 13:58:51 +0000 (15:58 +0200)]
Enable `X-Frame-Options` for the WCFSetup
This has the side effect of suppressing `SameSite=none` for the cookies, which fails on insecure connections because this attribute value is valid for secure cookies only.
Resolves #4499
Follow up for
2a9d48c4badc4de2e0f2d2fc73c3af2bee39cce8
Alexander Ebert [Mon, 20 Sep 2021 13:31:54 +0000 (15:31 +0200)]
Enable `X-Frame-Options` for the WCFSetup
This has the side effect of suppressing `SameSite=none` for the cookies, which fails on insecure connections because this attribute value is valid for secure cookies only.
Resolves #4499
Alexander Ebert [Mon, 20 Sep 2021 12:17:50 +0000 (14:17 +0200)]
Skip the default cover photo when rebuilding users
Fixes #4500
Tim Düsterhus [Mon, 20 Sep 2021 11:37:54 +0000 (13:37 +0200)]
Set the XSRF-Token cookie to SameSite=lax
As it turns out, `strict` is too strict for some use cases of the average user,
as it might suppress the cookie when the user researches something while
writing a post and ultimately comes back to the community via an external link.
This request will not have the XSRF-Token cookie attached due to violating the
`strict` policy, resulting in WoltLab Suite sending a fresh cookie in response.
This will then invalidate the token stored in the form where the user is in the
process of writing their post, ultimately resulting in an error message.
The `SameSite` value is meant as a defense in depth measure to protect the user
even if they current token leaked in some way. Reducing the strictness does not
reduce the security in a measurable way.
Marcel Werk [Fri, 17 Sep 2021 12:15:30 +0000 (14:15 +0200)]
Typo
Alexander Ebert [Sat, 11 Sep 2021 15:07:28 +0000 (17:07 +0200)]
Merge branch '5.3' into 5.4
Alexander Ebert [Sat, 11 Sep 2021 15:05:59 +0000 (17:05 +0200)]
Merge pull request #4496 from mutec/tagfieldfdp1
fix id of `CustomFormDataProcessor` in `TagFormField`
mutec [Fri, 10 Sep 2021 14:49:57 +0000 (16:49 +0200)]
fix id of `CustomFormDataProcessor` in `TagFormField`
the id was `acl` which seems to be a copy paste-mistake
Alexander Ebert [Thu, 9 Sep 2021 11:47:17 +0000 (13:47 +0200)]
Incorrect code style
Alexander Ebert [Thu, 9 Sep 2021 11:42:47 +0000 (13:42 +0200)]
Adjusted the `tab_width` for *.css/*.scss
Alexander Ebert [Thu, 9 Sep 2021 11:35:31 +0000 (13:35 +0200)]
Explicitly reduce the indent size of *.css/*.scss
Alexander Ebert [Thu, 9 Sep 2021 09:58:15 +0000 (11:58 +0200)]
Merge branch '5.3' into 5.4
Alexander Ebert [Thu, 9 Sep 2021 09:58:00 +0000 (11:58 +0200)]
Merge branch '5.2' into 5.3
Alexander Ebert [Thu, 9 Sep 2021 09:56:06 +0000 (11:56 +0200)]
Merge branch '5.3' into 5.4
Alexander Ebert [Thu, 9 Sep 2021 09:50:40 +0000 (11:50 +0200)]
Merge pull request #4495 from Fabii547/patch-79
Fix writing `runStandalone` attribute to package.xml
Alexander Ebert [Thu, 9 Sep 2021 09:47:02 +0000 (11:47 +0200)]
Merge pull request #4493 from WoltLab/5.3-aclformfieldcleanup
Reset ACL field values within form cleanup
Fabii547 [Thu, 9 Sep 2021 08:28:36 +0000 (10:28 +0200)]
Fix writing `runStandalone` attribute to package.xml
Alexander Ebert [Wed, 8 Sep 2021 13:38:46 +0000 (15:38 +0200)]
Release 5.4.7
Alexander Ebert [Wed, 8 Sep 2021 12:13:30 +0000 (14:13 +0200)]
Release 5.3.14
Alexander Ebert [Wed, 8 Sep 2021 12:05:13 +0000 (14:05 +0200)]
Incorrect use of spaces for indentation in <5.4
Alexander Ebert [Sun, 8 Aug 2021 09:29:26 +0000 (11:29 +0200)]
Sandbox `foreachVars` in templates
Nesting the same template inside a `foreach` loop that is also accessed inside the nested call will overwrite the values from the outer template due to identical identifiers being used.
The sandbox did not protected `$this->foreachVars` despite being stateful.
See #4431
Fixes #4444
joshuaruesweg [Wed, 8 Sep 2021 11:53:42 +0000 (13:53 +0200)]
Reset ACL field values within form cleanup
joshuaruesweg [Wed, 8 Sep 2021 11:51:29 +0000 (13:51 +0200)]
Remove empty lines
Alexander Ebert [Tue, 7 Sep 2021 21:01:22 +0000 (23:01 +0200)]
Release 5.4.7 RC 2
Alexander Ebert [Tue, 7 Sep 2021 21:00:29 +0000 (23:00 +0200)]
Replaced a hard-wired color value, Safari fix
Alexander Ebert [Tue, 7 Sep 2021 11:33:58 +0000 (13:33 +0200)]
Release 5.4.7 RC 1
Alexander Ebert [Tue, 7 Sep 2021 11:32:43 +0000 (13:32 +0200)]
Merge branch '5.4' of https://github.com/WoltLab/WCF into 5.4
WoltLab [Tue, 7 Sep 2021 11:30:44 +0000 (11:30 +0000)]
Updating minified JavaScript files
Alexander Ebert [Tue, 7 Sep 2021 11:28:49 +0000 (13:28 +0200)]
Removed the upgrade instructions for 5.3.*
This greatly reduces the size of the update packages. Upgrade from 5.3 will still work, but will upgrade to 5.4.6 only and then apply the remaining updates.
Alexander Ebert [Tue, 7 Sep 2021 11:21:01 +0000 (13:21 +0200)]
Check against the current menu item during editing only
Joshua Rüsweg [Sat, 4 Sep 2021 10:24:10 +0000 (12:24 +0200)]
Merge pull request #4491 from Fighter456/devtools-language-fix
Fix miswording in language variable of devtools
Dennis Kraffczyk [Sat, 4 Sep 2021 10:11:50 +0000 (12:11 +0200)]
Fix miswording in language variable of devtools
The german language variable `wcf.acp.pip.page.name.description` uses the word `Boxname` but is used in the `PagePackageInstallationPlugin`.
Marcel Werk [Thu, 2 Sep 2021 13:55:21 +0000 (15:55 +0200)]
Merge branch '5.3' into 5.4
Marcel Werk [Thu, 2 Sep 2021 13:54:36 +0000 (15:54 +0200)]
New link format for Facebook videos
Alexander Ebert [Tue, 31 Aug 2021 20:31:14 +0000 (22:31 +0200)]
`exif` was not listed as a required extension
Alexander Ebert [Tue, 31 Aug 2021 20:29:15 +0000 (22:29 +0200)]
Typo (missing comma)
Alexander Ebert [Tue, 31 Aug 2021 20:04:47 +0000 (22:04 +0200)]
Merge pull request #4487 from WoltLab/npm
Upgrade npm dependencies
Alexander Ebert [Tue, 31 Aug 2021 14:52:04 +0000 (16:52 +0200)]
Release 5.4.6
Alexander Ebert [Tue, 31 Aug 2021 14:33:48 +0000 (16:33 +0200)]
Release 5.4.5
Alexander Ebert [Tue, 31 Aug 2021 14:20:29 +0000 (16:20 +0200)]
Release 5.4.5
Alexander Ebert [Tue, 31 Aug 2021 13:57:40 +0000 (15:57 +0200)]
Merge branch '5.3' into 5.4
Alexander Ebert [Tue, 31 Aug 2021 12:49:21 +0000 (14:49 +0200)]
Release 5.3.13
WoltLab [Tue, 31 Aug 2021 12:35:22 +0000 (12:35 +0000)]
Updating minified JavaScript files
Alexander Ebert [Tue, 31 Aug 2021 12:32:44 +0000 (14:32 +0200)]
Merge branch '5.2' into 5.3
Alexander Ebert [Tue, 31 Aug 2021 11:40:31 +0000 (13:40 +0200)]
Release 5.2.15
Alexander Ebert [Tue, 31 Aug 2021 11:31:31 +0000 (13:31 +0200)]
Merge branch '3.1' into 5.2
Alexander Ebert [Tue, 31 Aug 2021 10:32:33 +0000 (12:32 +0200)]
Release 3.1.23
Tim Düsterhus [Mon, 30 Aug 2021 10:33:04 +0000 (12:33 +0200)]
Satisfy eslint
Tim Düsterhus [Mon, 30 Aug 2021 10:08:35 +0000 (12:08 +0200)]
Run prettier
Tim Düsterhus [Mon, 30 Aug 2021 09:50:56 +0000 (11:50 +0200)]
Upgrade TypeScript
Tim Düsterhus [Mon, 30 Aug 2021 09:48:16 +0000 (11:48 +0200)]
Update all npm dependendencies except TypeScript itself
Alexander Ebert [Fri, 27 Aug 2021 10:43:18 +0000 (12:43 +0200)]
Release 5.4.5 RC 1
WoltLab [Fri, 27 Aug 2021 09:38:25 +0000 (09:38 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Fri, 27 Aug 2021 09:26:53 +0000 (11:26 +0200)]
Add placeholder to the 'path' input in DevtoolsProjectAddForm
Tim Düsterhus [Fri, 27 Aug 2021 09:23:49 +0000 (11:23 +0200)]
Add description to the path input in DevtoolsProjectAddForm
Resolves #4479
Tim Düsterhus [Fri, 27 Aug 2021 09:03:25 +0000 (11:03 +0200)]
Revert "Remove erroneous DatabasePackageInstallationPlugin::getDefaultFilename()"
This had the unintended side-effect of no longer listing the database PIP
within the “Sync” view of dev tools. This will need to be revisited (#4480).
This reverts commit
d5b180155d5805bda7e3132df2f4fde6627a49db.
Alexander Ebert [Thu, 26 Aug 2021 14:31:32 +0000 (16:31 +0200)]
Merge pull request #4478 from ilouHD/patch-2
Update de.xml
ilou [Thu, 26 Aug 2021 14:26:25 +0000 (16:26 +0200)]
Update de.xml
fixed some typos when creating a new project using the devtools-gui in the german language.
Regarding the item `wcf.acp.devtools.project.isApplication.description` I'm unsure, why template-folders are mentioned explicitly. As I know they're the same as in plugins/projects, which are no applications.
Alexander Ebert [Thu, 26 Aug 2021 14:06:18 +0000 (16:06 +0200)]
Incorrect alignment of positioned elements when they are hidden
The calculation did not consider the `display` attribute, causing the elements dimensions to be considered as `0x0` for the purpose of the calculation.
See https://community.woltlab.com/thread/291896-beitragsoptionen-verschoben/
Alexander Ebert [Thu, 26 Aug 2021 12:45:28 +0000 (14:45 +0200)]
Reset the floating code box header when the sticky page header is hidden
See https://community.woltlab.com/thread/291977-sticky-code-header-w%C3%A4hrend-antwort-unsch%C3%B6n/
Tim Düsterhus [Thu, 26 Aug 2021 10:11:39 +0000 (12:11 +0200)]
Drop obsolete update scripts for 5.4.2 -> 5.4.3
Tim Düsterhus [Thu, 26 Aug 2021 10:06:39 +0000 (12:06 +0200)]
Remove erroneous DatabasePackageInstallationPlugin::getDefaultFilename()
Tim Düsterhus [Thu, 26 Aug 2021 08:32:39 +0000 (10:32 +0200)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Thu, 26 Aug 2021 08:30:59 +0000 (10:30 +0200)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Thu, 26 Aug 2021 08:30:10 +0000 (10:30 +0200)]
Merge branch '3.1' into 5.2
Tim Düsterhus [Thu, 26 Aug 2021 08:29:10 +0000 (10:29 +0200)]
Fix return type comment for AbstractDatabaseObjectAction::getSingleObject()
Tim Düsterhus [Wed, 25 Aug 2021 11:52:15 +0000 (13:52 +0200)]
Clean up control and data flow in UserFormField::validate()
Tim Düsterhus [Wed, 25 Aug 2021 11:48:44 +0000 (13:48 +0200)]
Fix typo in en.xml
Tim Düsterhus [Wed, 25 Aug 2021 11:47:33 +0000 (13:47 +0200)]
Fix error message for nonExistent user in UserFormField
Tim Düsterhus [Wed, 25 Aug 2021 11:39:38 +0000 (13:39 +0200)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Wed, 25 Aug 2021 11:37:43 +0000 (13:37 +0200)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Wed, 25 Aug 2021 11:36:54 +0000 (13:36 +0200)]
Correctly handle null values in UserFormField::validate()
Closes #4471
Co-authored-by: Fabii547 <Fabii547@users.noreply.github.com>
Tim Düsterhus [Wed, 25 Aug 2021 11:32:55 +0000 (13:32 +0200)]
Simplify UserFormField's form data processor using `\array_column()`
Tim Düsterhus [Wed, 25 Aug 2021 11:25:31 +0000 (13:25 +0200)]
Make requirement validation more readable in UserFormField::validate()
Tim Düsterhus [Wed, 25 Aug 2021 11:21:07 +0000 (13:21 +0200)]
Return explicit `null` in UserFormField::getSaveValue()
Tim Düsterhus [Wed, 25 Aug 2021 08:37:13 +0000 (10:37 +0200)]
Add missing 'not' in error message in AbstractFormFieldDecorator
Tim Düsterhus [Wed, 25 Aug 2021 07:19:28 +0000 (09:19 +0200)]
Trim trailing whitespace in Core/Ui/Object/Action.ts
Alexander Ebert [Tue, 24 Aug 2021 21:53:37 +0000 (23:53 +0200)]
Prevent the default action of a toggle button
Alexander Ebert [Tue, 24 Aug 2021 21:23:55 +0000 (23:23 +0200)]
Prevent the menu item itself being selected as its parent item
See https://community.woltlab.com/thread/291999-men%C3%BCpunkt-verschwindet-wenn-%C3%BCbergeordneter-men%C3%BCpunkt-der-gleiche-ist/
Alexander Ebert [Tue, 24 Aug 2021 21:15:20 +0000 (23:15 +0200)]
Match mentions later because they are less specific
Parts like `@example` can legitimately appears as part of a link that gets auto-detected.
This issue was discovered when an URL was pasted that happens to also match a user that is named `document`. The "offending" URL was: `https://developer.mozilla.org/de/docs/Web/CSS/@document`
The `@document` is recognized as part of a mention because the forward slash is a valid token that matches the boundary condition (`\b`) of the regex for mentions.
See https://community.woltlab.com/thread/292020-automatische-link-umwandlung-schl%C3%A4gt-fehlt/
Alexander Ebert [Tue, 24 Aug 2021 16:10:20 +0000 (18:10 +0200)]
Improved phrasing of merging user accounts
https://community.woltlab.com/thread/292121-merging-user-accounts/
Alexander Ebert [Tue, 24 Aug 2021 15:52:44 +0000 (17:52 +0200)]
Improved phrasing
https://community.woltlab.com/thread/292111-typo-verbesserung-types-of-content-und-by-zu-of/
Alexander Ebert [Tue, 24 Aug 2021 15:47:31 +0000 (17:47 +0200)]
Reset the page cache when modifying the app landing pages
Fixes #4475
Alexander Ebert [Tue, 24 Aug 2021 15:17:21 +0000 (17:17 +0200)]
Recommend the maintenance mode while rebuilding data
Closes #4419
Tim Düsterhus [Tue, 24 Aug 2021 14:44:05 +0000 (16:44 +0200)]
Exclude banned users from list of users awaiting approval
WoltLab [Tue, 24 Aug 2021 12:28:06 +0000 (12:28 +0000)]
Updating minified JavaScript files
WoltLab [Tue, 24 Aug 2021 09:49:26 +0000 (09:49 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Mon, 23 Aug 2021 14:30:28 +0000 (16:30 +0200)]
Merge pull request #4473 from WoltLab/samesite
Set SameSite=none when embedding into frames is allowed
Tim Düsterhus [Mon, 23 Aug 2021 14:15:52 +0000 (16:15 +0200)]
Set SameSite=none when embedding into frames is allowed
Resolves #4428
Tim Düsterhus [Fri, 20 Aug 2021 13:52:15 +0000 (15:52 +0200)]
Merge pull request #4470 from WoltLab/oauth2-state-clear
Ensure that the OAuth 2 state parameter is cleared in all cases
Tim Düsterhus [Fri, 20 Aug 2021 13:16:46 +0000 (15:16 +0200)]
Ensure that the OAuth 2 state parameter is cleared in all cases
Alexander Ebert [Fri, 20 Aug 2021 13:09:50 +0000 (15:09 +0200)]
Missing phrases for validation errors in the app management
Tim Düsterhus [Fri, 20 Aug 2021 09:50:14 +0000 (11:50 +0200)]
Merge pull request #4467 from WoltLab/coverPhoto-worker
Fix handling of cover photos in UserRebuildDataWorker
Peter Lohse [Fri, 20 Aug 2021 09:19:23 +0000 (11:19 +0200)]
Add AbstractFormFieldDecorator (#4469)
Tim Düsterhus [Fri, 20 Aug 2021 07:35:35 +0000 (09:35 +0200)]
Remove records of unreadable cover photos in UserRebuildDataWorker
This is a clean fix of
c3ebf8b995927b826072cfcc72d08a9ebd93f878.
Tim Düsterhus [Fri, 20 Aug 2021 07:31:14 +0000 (09:31 +0200)]
Check `coverPhotoHasWebP` in UserRebuildDataWorker
This is already checked in `->createWebpVariant()`, but with the `->update()`
added in the previous commit this saves some work.
Tim Düsterhus [Fri, 20 Aug 2021 07:30:32 +0000 (09:30 +0200)]
Update `coverPhotoHasWebP` in UserRebuilDataWorker
Tim Düsterhus [Fri, 20 Aug 2021 07:20:51 +0000 (09:20 +0200)]
Use ->getLocation() in UserCoverPhoto::createWebpVariant()
This partially reapplies
c3ebf8b995927b826072cfcc72d08a9ebd93f878 which was
reverted in
300312306b2858b6b9f474a30814fe16c3e1854c.
Tim Düsterhus [Fri, 20 Aug 2021 07:19:28 +0000 (09:19 +0200)]
Revert "Skip cover photos that cannot be read"
This should rather be cleanly fixed within the UserRebuildDataWorker, while
also updating the database on failure.
This reverts commit
c3ebf8b995927b826072cfcc72d08a9ebd93f878.
Tim Düsterhus [Thu, 19 Aug 2021 14:43:57 +0000 (16:43 +0200)]
Fix check whether a non-owned index is being dropped in DatabaseTableChangeProcessor
The reproducer and fix is effectively identical to the one in
d7f721d6f920d66f75102723b504d89e57a8c9ff.
Package A: Installs KEY someIndex (`UNIQUE`)
Package B: Installs UNIQUE KEY someIndex2 (`UNIQUE`)
Package B: Drops UNIQUE KEY someIndex2 (`UNIQUE`)
It was erroneously detected that Package B would drop the index owned by
Package A. The actual dropping logic was already correct, just the safety check
was incorrect.