Tim Düsterhus [Mon, 27 Sep 2021 13:11:01 +0000 (15:11 +0200)]
Update fileDelete.xml
This adds files where git detected a rename and thus did not report a deletion.
joshuaruesweg [Mon, 27 Sep 2021 11:57:04 +0000 (13:57 +0200)]
Merge branch '5.4'
joshuaruesweg [Mon, 27 Sep 2021 11:16:31 +0000 (13:16 +0200)]
Fix removing reactions on guests' content
Since MySQL 8 the deletion of reactions on contents created by guests might fail. The ReactionHandler tries to update the likesReceived column for a non-existent user, sending the empty string as the userID. Recent versions of MySQL 8 error out with MySQL error 1292. The following MySQL bug appears to be related:
https://bugs.mysql.com/bug.php?id=101806
Tim Düsterhus [Mon, 27 Sep 2021 10:34:48 +0000 (12:34 +0200)]
Merge remote-tracking branch 'origin/master'
Tim Düsterhus [Mon, 27 Sep 2021 10:34:34 +0000 (12:34 +0200)]
Merge branch '5.4'
Tim Düsterhus [Mon, 27 Sep 2021 09:52:06 +0000 (11:52 +0200)]
Merge pull request #4528 from WoltLab/json-error-max-length
Truncate the maximum length of the input JSON in error message when failing to decode
Tim Düsterhus [Mon, 27 Sep 2021 09:44:24 +0000 (11:44 +0200)]
Truncate the maximum length of the input JSON in error message when failing to decode
Stop this from bloating the error log in case of huge responses.
Tim Düsterhus [Mon, 27 Sep 2021 09:19:46 +0000 (11:19 +0200)]
Merge pull request #4527 from WoltLab/search-index-manager-create-return
Remove return value for AbstractSearchIndexManager::createSearchIndex()
Tim Düsterhus [Mon, 27 Sep 2021 08:45:30 +0000 (10:45 +0200)]
Remove return value for AbstractSearchIndexManager::createSearchIndex()
Returning this boolean value does not appear to be useful at all, as there is
no reason why the state after this method finishes should be that the INDEX
does not actually exist (except in case of an Exception). Whether or not it
previously existed is irrelevant.
In fact this method is `protected` and the return value is not used at all,
thus it is safe to remove this requirement.
Tim Düsterhus [Mon, 27 Sep 2021 08:42:26 +0000 (10:42 +0200)]
Merge pull request #4514 from WoltLab/recommend-x64
Recommend 64-bit PHP during WCFSetup
Tim Düsterhus [Mon, 27 Sep 2021 08:32:14 +0000 (10:32 +0200)]
Merge pull request #4526 from WoltLab/session-cookie-lifetime
Decrease the session cookie lifetime leeway to 1 week
Tim Düsterhus [Mon, 27 Sep 2021 08:30:13 +0000 (10:30 +0200)]
Simplify the 64-bit check in WCFSetup
Tim Düsterhus [Mon, 27 Sep 2021 08:03:13 +0000 (10:03 +0200)]
Decrease the session cookie lifetime leeway to 1 week
With the increase of the user session lifetime to 2 months, simply multiplying
by two results in an excessive cookie lifetime.
Decrease this to a constant leeway of 1 week. If the cookie in the browser
expires, the session on the server should be long gone, even for wildly
incorrect local clocks.
Joshua Rüsweg [Mon, 27 Sep 2021 07:50:54 +0000 (09:50 +0200)]
Merge pull request #4525 from WoltLab/session-device-icon
Move Session::getDeviceIcon() into UserAgent::getDeviceIcon()
Tim Düsterhus [Fri, 24 Sep 2021 14:29:03 +0000 (16:29 +0200)]
Move Session::getDeviceIcon() into UserAgent::getDeviceIcon()
This method does not really belong in the Session class.
Tim Düsterhus [Fri, 24 Sep 2021 14:03:12 +0000 (16:03 +0200)]
Transmit XSRF-Token in body in User/Session/Delete.ts
Sensitive information should not be transmitted within the URI.
Tim Düsterhus [Fri, 24 Sep 2021 13:59:51 +0000 (15:59 +0200)]
Merge pull request #4523 from WoltLab/xsrf-token-javascript
Add TypeScript function to retrieve the XSRF-TOKEN
Tim Düsterhus [Fri, 24 Sep 2021 13:30:02 +0000 (15:30 +0200)]
Merge branch '5.4'
Tim Düsterhus [Fri, 24 Sep 2021 13:27:48 +0000 (15:27 +0200)]
Validate the XSRF-Token in DeleteSessionAction
This is not necessarily required, because the `sessionID` already contains high
entropy. However the JavaScript code already provides the XSRF-Token, so let's
validate it for completeness.
Tim Düsterhus [Fri, 24 Sep 2021 13:07:15 +0000 (15:07 +0200)]
Do not import getXsrfToken() as a standalone function
Tim Düsterhus [Fri, 24 Sep 2021 12:57:55 +0000 (14:57 +0200)]
Remove use of SID_ARG_2ND constant in acpSessionLog
This was effectively dead code, because `->hasProtectedURI()` has always returned
`false` for ages, as the `?page=` and `?form=` parameters are gone.
Tim Düsterhus [Fri, 24 Sep 2021 12:51:45 +0000 (14:51 +0200)]
Add TypeScript function to retrieve the XSRF-TOKEN
This is intended to ease future changes, e.g. by allowing the code to always
retrieve the latest token from the cookie, instead of relying on the
effectively immutable value set at page load. In the long run this will also
allow to reduce the number of globals on the `window` object.
On the PHP side the use of the `SECURITY_TOKEN` constants has already been
deprecated in 5.4.
see #3609
see 3f6a261b1e6a3804370eb1e2a046ea6c666dbedd
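The two ideas in the commits above, reading the XSRF token from the cookie at call time rather than from a value captured at page load, and sending the session ID and token in the request body instead of the URI, as an added TypeScript example. This is not WoltLab's code from Delete.ts or the helper the commit adds; the cookie name `XSRF-TOKEN`, the endpoint path, and the `sessionID`/`t` parameter names are assumptions made for illustration, and the cookie string is constructed sample input.

```typescript
// Added example, not WoltLab's code. Assumes the XSRF token lives in a cookie
// named "XSRF-TOKEN"; the endpoint path and form field names are hypothetical.
const XSRF_COOKIE_NAME = "XSRF-TOKEN";

// Parse a cookie string (document.cookie in the browser) and return the current
// XSRF token. Reading the cookie on every call, instead of caching a value set at
// page load, means a token rotated by the server is picked up without a reload.
function getXsrfToken(cookieString: string): string | undefined {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) {
      continue;
    }
    const name = part.slice(0, eq).trim();
    if (name === XSRF_COOKIE_NAME) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return undefined;
}

interface DeleteSessionRequest {
  url: string;
  method: "POST";
  headers: Record<string, string>;
  body: string;
}

// Build the request that deletes a session. Both the session ID and the XSRF
// token go into the form-encoded body, never into the query string, so they do
// not end up in access logs, browser history or Referer headers.
function buildDeleteSessionRequest(cookieString: string, sessionID: string): DeleteSessionRequest {
  const token = getXsrfToken(cookieString);
  if (token === undefined) {
    throw new Error("XSRF-TOKEN cookie is missing; the session has probably expired");
  }
  const body = [
    `sessionID=${encodeURIComponent(sessionID)}`,
    `t=${encodeURIComponent(token)}`,
  ].join("&");
  return {
    url: "/index.php?user-session-delete/", // hypothetical endpoint path
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  };
}

// Constructed sample cookie string for the stand-alone run.
const sampleCookies = "wsc_cookieHash=abc; XSRF-TOKEN=t0k3n%2Fwith%2Fslashes; other=1";
const sampleRequest = buildDeleteSessionRequest(sampleCookies, "0123456789abcdef");
console.log(sampleRequest.url.includes("t0k3n") ? "token leaked into URL" : "token only in body");
```

In a browser the first argument would be `document.cookie` and the result handed to `fetch(request.url, { method, headers, body })`; the point of the structure is that the only place the token can appear is the body string.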
Tim Düsterhus [Fri, 24 Sep 2021 12:46:22 +0000 (14:46 +0200)]
Merge branch '5.4'
Tim Düsterhus [Fri, 24 Sep 2021 12:34:39 +0000 (14:34 +0200)]
Remove SECURITY_TOKEN* constants from constants.php
These were effectively deprecated in
3f6a261b1e6a3804370eb1e2a046ea6c666dbedd.
Tim Düsterhus [Fri, 24 Sep 2021 12:33:48 +0000 (14:33 +0200)]
Remove SID* constants from constants.php
These were removed in
8a35fd6de81f1138456fb777eb57d4b3907c0c66.
Tim Düsterhus [Fri, 24 Sep 2021 10:33:51 +0000 (12:33 +0200)]
Remove INullableFormField from SourceCodeFormField
This field is not actually nullable (it does not handle `isNullable()`), I
assume this to be a copy and paste error.
Alexander Ebert [Fri, 24 Sep 2021 09:13:32 +0000 (11:13 +0200)]
Release 5.4.8
Tim Düsterhus [Fri, 24 Sep 2021 08:14:53 +0000 (10:14 +0200)]
Merge branch '5.4'
Alexander Ebert [Fri, 24 Sep 2021 07:37:56 +0000 (09:37 +0200)]
Release 5.4.8 dev 2
Tim Düsterhus [Thu, 23 Sep 2021 13:09:05 +0000 (15:09 +0200)]
Remove duplication of AJAX test in WCFACP::initAuth()
Tim Düsterhus [Thu, 23 Sep 2021 12:36:00 +0000 (14:36 +0200)]
Merge identical catch blocks in ImageProxyAction
Marcel Werk [Thu, 23 Sep 2021 12:21:29 +0000 (14:21 +0200)]
Removed obsolete code
Tim Düsterhus [Thu, 23 Sep 2021 12:05:22 +0000 (14:05 +0200)]
Merge remote-tracking branch 'origin/master'
Tim Düsterhus [Thu, 23 Sep 2021 12:05:02 +0000 (14:05 +0200)]
Merge branch '5.4'
Tim Düsterhus [Thu, 23 Sep 2021 11:33:54 +0000 (13:33 +0200)]
Merge pull request #4516 from WoltLab/xsrf-token-error
Improve phrasing for XSRF token error messages
Tim Düsterhus [Thu, 23 Sep 2021 11:33:48 +0000 (13:33 +0200)]
Merge pull request #4515 from WoltLab/deprecate-abstract-secure-page
Deprecate AbstractSecurePage
Tim Düsterhus [Thu, 23 Sep 2021 10:47:15 +0000 (12:47 +0200)]
Improve phrasing in wcf.ajax.error.sessionExpired
see #4501
Tim Düsterhus [Thu, 23 Sep 2021 10:44:32 +0000 (12:44 +0200)]
Improve phrasing in wcf.global.form.error.securityToken
see #4501
Tim Düsterhus [Thu, 23 Sep 2021 10:38:05 +0000 (12:38 +0200)]
Deprecate AbstractSecurePage
Tim Düsterhus [Thu, 23 Sep 2021 08:33:23 +0000 (10:33 +0200)]
Recommend 64-bit PHP during WCFSetup
Resolves #4512
Tim Düsterhus [Thu, 23 Sep 2021 07:24:18 +0000 (09:24 +0200)]
Replace use of `StringUtil::split()` by `\mb_str_split()`
Tim Düsterhus [Thu, 23 Sep 2021 07:23:48 +0000 (09:23 +0200)]
Deprecated `StringUtil::split()`
Resolves #4513
Alexander Ebert [Wed, 22 Sep 2021 16:35:39 +0000 (18:35 +0200)]
Release 5.4.8 dev 1
WoltLab [Wed, 22 Sep 2021 16:11:07 +0000 (16:11 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Wed, 22 Sep 2021 14:08:49 +0000 (16:08 +0200)]
Update pelago/emogrifier to 6.0
Tim Düsterhus [Wed, 22 Sep 2021 13:45:17 +0000 (15:45 +0200)]
Merge branch '5.4'
Tim Düsterhus [Wed, 22 Sep 2021 13:20:59 +0000 (15:20 +0200)]
Merge pull request #4510 from WoltLab/wcfsetup-https
Check whether WCFSetup is accessed using HTTPS
Tim Düsterhus [Wed, 22 Sep 2021 13:18:12 +0000 (15:18 +0200)]
Merge pull request #4509 from WoltLab/str-x-with
Deprecate StringUtil::(starts|ends)With()
Tim Düsterhus [Wed, 22 Sep 2021 13:08:47 +0000 (15:08 +0200)]
Check whether WCFSetup is accessed using HTTPS
Resolves #4502
Tim Düsterhus [Wed, 22 Sep 2021 12:55:44 +0000 (14:55 +0200)]
Fix typo in setup_en.xml
Tim Düsterhus [Wed, 22 Sep 2021 12:33:56 +0000 (14:33 +0200)]
Sort neededFilesPattern in install.php
Tim Düsterhus [Wed, 22 Sep 2021 12:28:26 +0000 (14:28 +0200)]
Inline error handler and exception handler in install.php
Tim Düsterhus [Wed, 22 Sep 2021 12:23:35 +0000 (14:23 +0200)]
Synchronize error handling in install.php with core.functions.php
The previous error handling:
a) was buggy. It failed during stack trace printing under certain
circumstances.
b) was outdated with regard to the design.
Tim Düsterhus [Wed, 22 Sep 2021 11:59:54 +0000 (13:59 +0200)]
Avoid the use of $_REQUEST in install.php
Tim Düsterhus [Wed, 22 Sep 2021 11:45:40 +0000 (13:45 +0200)]
Remove useless file_exists() check for composer autoloader in install.php
The autoloader must exist at that point.
Tim Düsterhus [Wed, 22 Sep 2021 10:37:07 +0000 (12:37 +0200)]
Remove unnamespaced IPrintableException from install.php
Tim Düsterhus [Wed, 22 Sep 2021 10:33:58 +0000 (12:33 +0200)]
Clean up `$prefix` generation in install.php
Tim Düsterhus [Wed, 22 Sep 2021 10:33:17 +0000 (12:33 +0200)]
Remove unused methods from BasicFileUtil in install.php
Tim Düsterhus [Wed, 22 Sep 2021 10:30:54 +0000 (12:30 +0200)]
Remove `is_countable` polyfill from install.php
see a178c052b8ecc5b1306607955702d6acf2ac254e
Tim Düsterhus [Wed, 22 Sep 2021 10:30:10 +0000 (12:30 +0200)]
Remove `escapeString()` from install.php
see 270ed434d4dc8a44862b38715b826f63943bfcb0
Tim Düsterhus [Wed, 22 Sep 2021 09:56:37 +0000 (11:56 +0200)]
Replace use of `StringUtil::endsWith()` by `\str_ends_with()`
Tim Düsterhus [Wed, 22 Sep 2021 09:54:14 +0000 (11:54 +0200)]
Replace use of `StringUtil::startsWith()` by `\str_starts_with()`
Tim Düsterhus [Wed, 22 Sep 2021 09:59:11 +0000 (11:59 +0200)]
Deprecate `StringUtil::(starts|ends)With()`
`\str_starts_with()` and `\str_ends_with()` are both polyfilled by
`symfony/polyfill-php80`.
Tim Düsterhus [Wed, 22 Sep 2021 10:20:39 +0000 (12:20 +0200)]
Run php-cs-fixer using PHP 8.0
Tim Düsterhus [Wed, 22 Sep 2021 09:05:05 +0000 (11:05 +0200)]
Merge pull request #4507 from WoltLab/polyfill
Use Symfony's PHP polyfills
Tim Düsterhus [Wed, 22 Sep 2021 09:01:41 +0000 (11:01 +0200)]
Merge pull request #4508 from WoltLab/search-index-manager-cleanup
Remove add() and update() from ISearchIndexManager
Marcel Werk [Wed, 22 Sep 2021 08:57:09 +0000 (10:57 +0200)]
Incorrect type comparison when the legacy mysql extension is being used
Tim Düsterhus [Wed, 22 Sep 2021 08:36:53 +0000 (10:36 +0200)]
Remove add() and update() from ISearchIndexManager
These methods are long-deprecated, remove them from the interface to not force
search engine authors to implement these.
It is expected that code consuming the search API uses the `SearchIndexManager`
class instead of directly accessing a specific `*SearchIndexManager`. The
`SearchIndexManager` only uses `->set()` on the underlying actual
`*SearchIndexManager`. Thus no compatibility break is expected.
Tim Düsterhus [Wed, 22 Sep 2021 07:57:33 +0000 (09:57 +0200)]
Satisfy the PHP syntax check in GitHub Actions
The PHP 7.3 polyfill fails for PHP 7.3, because of a duplicate class
declaration. This file is not actually loaded in new PHP versions, thus we can
ignore it.
Tim Düsterhus [Tue, 21 Sep 2021 15:40:15 +0000 (17:40 +0200)]
Remove custom `is_countable` polyfill from core.functions.php
This is provided by symfony/polyfill-php73.
Tim Düsterhus [Tue, 21 Sep 2021 15:39:52 +0000 (17:39 +0200)]
Add symfony/polyfill-php73 and symfony/polyfill-php74
Tim Düsterhus [Tue, 21 Sep 2021 15:39:14 +0000 (17:39 +0200)]
Deprecate the escapeString() helper (#4506)
Developers are strongly encouraged to use prepared statements. If this is not
possible for compatibility reasons, they should use the `->escapeString()`
method directly.
Deprecating the helper ultimately allows cleaning up core.functions.php which
has become a dumping ground for all type of stuff over time.
Co-authored-by: Alexander Ebert <ebert@woltlab.com>
Tim Düsterhus [Tue, 21 Sep 2021 15:11:41 +0000 (17:11 +0200)]
Stop using the `escapeString` helper in MysqlSearchEngine
Tim Düsterhus [Tue, 21 Sep 2021 14:58:37 +0000 (16:58 +0200)]
Merge branch '5.4'
Tim Düsterhus [Tue, 21 Sep 2021 14:58:07 +0000 (16:58 +0200)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Tue, 21 Sep 2021 14:56:26 +0000 (16:56 +0200)]
Merge branch '5.4'
Marcel Werk [Tue, 21 Sep 2021 14:53:14 +0000 (16:53 +0200)]
Merge pull request #4497 from max-m/patch-categoryMultiSelectOptionType
Make `categoryMultiSelectOptionType.tpl` behave like `categoryOptionList.tpl`
Tim Düsterhus [Tue, 21 Sep 2021 14:31:17 +0000 (16:31 +0200)]
Take the array key into account when checking whether an unnamed KEY matches in DatabaseTableChangeProcessor
The reproducer effectively matches
d7f721d6f920d66f75102723b504d89e57a8c9ff, except that the KEY
is unnamed.
Previously the update would silently fail to do anything. Now the update fails
loudly, because it attempts to create another index with an existing name. This
is no different behavior compared to an INDEX collision of two unnamed indices
`(a, b)`, `(a, c)`. The developer will be clearly alerted of this issue and can
take appropriate measures to avoid it, e.g. by using explicit names.
see #4434
Marcel Werk [Tue, 21 Sep 2021 14:38:48 +0000 (16:38 +0200)]
Merge pull request #4504 from WoltLab/notification-cleanup
Increase defaultvalue of user_cleanup_notification_lifetime to 31 days
Alexander Ebert [Tue, 21 Sep 2021 13:23:24 +0000 (15:23 +0200)]
Skip desktop notifications on Android
Notifications are not supported outside of the context of service workers.
See https://community.woltlab.com/thread/292374-chrome-android-failed-to-construct-notification-illegal-constructor/
Tim Düsterhus [Tue, 21 Sep 2021 12:57:28 +0000 (14:57 +0200)]
Increase defaultvalue of user_cleanup_notification_lifetime to 31 days
A notification lifetime of just 2 weeks is insufficient, because it might
easily result in a user losing important notifications over their summer
vacation.
As an example: If a user checks out on a Friday afternoon and checks in on a
Monday morning 2 weeks later, they'll have lost any notifications arriving on
the first weekend. If their vacation is even longer, e.g. due to a
public holiday, they'll also lose non-weekend notifications.
Increase the lifetime to 31 days. This spans a range from a Friday afternoon
until the Monday afternoon 4 weeks later. This should be sufficiently long for
pretty much all types of vacation.
The old default of 14 days dates back to December 2014 in commit
5cdf8c0338381d1c880bd07d46bb7fcbbde09b61.
Tim Düsterhus [Tue, 21 Sep 2021 12:55:00 +0000 (14:55 +0200)]
Increase the minvalue for the user_*_lifetime options to 1 day
A value of 0 is not useful, because deletion is completely unpredictable.
Joshua Rüsweg [Tue, 21 Sep 2021 10:44:18 +0000 (12:44 +0200)]
Merge pull request #4503 from WoltLab/5.5-get-subscribers-helper-method
Add method to get all subscribers of an object
joshuaruesweg [Tue, 21 Sep 2021 09:23:51 +0000 (11:23 +0200)]
Add method to get all subscribers of an object
Tim Düsterhus [Tue, 21 Sep 2021 09:00:35 +0000 (11:00 +0200)]
Merge branch '5.4'
Tim Düsterhus [Tue, 21 Sep 2021 08:59:22 +0000 (10:59 +0200)]
Do not error during validation of TOTP codes if an invalid device is selected
Tim Düsterhus [Tue, 21 Sep 2021 08:55:15 +0000 (10:55 +0200)]
Merge branch '5.4'
Tim Düsterhus [Tue, 21 Sep 2021 08:54:46 +0000 (10:54 +0200)]
Do not pass `null` to `|encodeJS`
This breaks in PHP 8.1.
Tim Düsterhus [Mon, 20 Sep 2021 16:56:59 +0000 (18:56 +0200)]
Enable npm caching for all GitHub Actions jobs
see 1a0841ca4d71142ba6d8adfce914bbaa90c41bb4
Tim Düsterhus [Mon, 20 Sep 2021 16:56:16 +0000 (18:56 +0200)]
Merge branch '5.4'
Tim Düsterhus [Mon, 20 Sep 2021 16:51:04 +0000 (18:51 +0200)]
Fix TypeScript code style
Tim Düsterhus [Mon, 20 Sep 2021 16:50:03 +0000 (18:50 +0200)]
Fix SCSS code style
Tim Düsterhus [Mon, 20 Sep 2021 16:47:42 +0000 (18:47 +0200)]
Use well-specified node.js for Prettier jobs in GitHub Actions
Tim Düsterhus [Mon, 20 Sep 2021 16:44:54 +0000 (18:44 +0200)]
Update GitHub Actions to node.js 16
Alexander Ebert [Mon, 20 Sep 2021 16:25:10 +0000 (18:25 +0200)]
Skip bogus selection changes
Alexander Ebert [Mon, 20 Sep 2021 16:20:28 +0000 (18:20 +0200)]
Skip the check for the caret position if the selection is invalid
Alexander Ebert [Mon, 20 Sep 2021 15:48:46 +0000 (17:48 +0200)]
Merge branch '5.3' into 5.4
Alexander Ebert [Mon, 20 Sep 2021 15:48:31 +0000 (17:48 +0200)]
Incorrect gradient value in Safari
https://community.woltlab.com/thread/292475-mainmenushowprevious-mainmenushownext-safari-farbunterschied-fehler/
Tim Düsterhus [Mon, 20 Sep 2021 15:15:31 +0000 (17:15 +0200)]
Update npm dependencies
Tim Düsterhus [Mon, 20 Sep 2021 14:53:32 +0000 (16:53 +0200)]
Merge branch '5.4'