Tim Düsterhus [Tue, 26 Jan 2021 09:11:15 +0000 (10:11 +0100)]
Remove useless WCFSetup workaround in SessionHandler::needsReauthentication()
Apparently I did not conduct my testing properly yesterday and piled on
non-effective workarounds for the WCFSetup issue. This one is particularly bad,
because I inverted the condition, disabling reauthentication everywhere, except
in WCFSetup.
Thus this patch removes this buggy workaround again.
see ff5d8cec55f0a953a353165b2d996f84a56838f6
see 4b5f3b084ef062b48eaba18b3f497ba89743ddcd
Alexander Ebert [Mon, 25 Jan 2021 18:36:08 +0000 (19:36 +0100)]
The compression quality was not applied in Imagick
Tim Düsterhus [Mon, 25 Jan 2021 18:13:46 +0000 (19:13 +0100)]
Fix the cookie refresh after WCFSetup
We need to set user_session, as acp_session is gone.
Tim Düsterhus [Mon, 25 Jan 2021 18:13:14 +0000 (19:13 +0100)]
Move the call to registerReauthentication() to WCFSetup
This was forgotten in the previous commit.
Tim Düsterhus [Mon, 25 Jan 2021 18:04:17 +0000 (19:04 +0100)]
Unbreak WCFSetup
Alexander Ebert [Mon, 25 Jan 2021 16:18:28 +0000 (17:18 +0100)]
Dynamic WebP avatars (#3889)
Matthias Schmidt [Mon, 25 Jan 2021 15:31:07 +0000 (16:31 +0100)]
Replace usage of `setObjectTitles()` with `replaceLinks()`
See #3881
Matthias Schmidt [Mon, 25 Jan 2021 15:26:13 +0000 (16:26 +0100)]
Use `UserProfileRuntimeCache` instead of `UserProfile::getUserProfiles()`
See #3880
Alexander Ebert [Mon, 25 Jan 2021 15:25:16 +0000 (16:25 +0100)]
New UI design for the list of attachments (#3890)
* New UI design for the list of attachments
* Exchange the icon on focus (a11y)
* Improved a11y for attachments
* Inconsistent indentation
* Consistent use of whitespaces
* Fix indentation in en.xml
Co-authored-by: Tim Düsterhus <duesterhus@woltlab.com>
Matthias Schmidt [Mon, 25 Jan 2021 15:13:11 +0000 (16:13 +0100)]
Replace usage of `LikeHandler` with `ReactionHandler`
… wherever possible.
Matthias Schmidt [Mon, 25 Jan 2021 14:53:14 +0000 (15:53 +0100)]
Stop using `TLegacyUserPropertyAccess`
See #3880
Matthias Schmidt [Mon, 25 Jan 2021 14:30:10 +0000 (15:30 +0100)]
Add dev tools description for flood control object type definition
See #3892
Matthias Schmidt [Mon, 25 Jan 2021 14:22:58 +0000 (15:22 +0100)]
Add button to delete missing phrases logs for phrases existing now (#3896)
Replaces #3716
Marcel Werk [Mon, 25 Jan 2021 14:11:20 +0000 (15:11 +0100)]
Merge pull request #3893 from WoltLab/deprecate-gravatar
Deprecate Gravatar support
Tim Düsterhus [Mon, 25 Jan 2021 14:02:43 +0000 (15:02 +0100)]
Add SCSS Prettiering to .git-blame-ignore-revs
Tim Düsterhus [Mon, 25 Jan 2021 14:02:18 +0000 (15:02 +0100)]
Use prettier for SCSS (#3895)
Tim Düsterhus [Mon, 25 Jan 2021 13:45:19 +0000 (14:45 +0100)]
Add PHPDoc to update scripts
Tim Düsterhus [Mon, 25 Jan 2021 13:34:34 +0000 (14:34 +0100)]
Deprecate Gravatar support
Resolves #3658
Tim Düsterhus [Wed, 8 Jul 2020 12:50:28 +0000 (14:50 +0200)]
Fix parsing of packageName / packageDescription in PackageArchive
Previously a lowercase key remained in the returned array.
Tim Düsterhus [Mon, 25 Jan 2021 12:58:46 +0000 (13:58 +0100)]
Merge branch '5.3'
Tim Düsterhus [Mon, 25 Jan 2021 12:58:27 +0000 (13:58 +0100)]
Tim Düsterhus [Mon, 25 Jan 2021 12:54:58 +0000 (13:54 +0100)]
Tim Düsterhus [Mon, 25 Jan 2021 12:45:21 +0000 (13:45 +0100)]
Add previous commit to .git-blame-ignore-revs
Tim Düsterhus [Mon, 25 Jan 2021 12:44:53 +0000 (13:44 +0100)]
Fix bad merge in EventListenerPackageInstallationPlugin
Tim Düsterhus [Mon, 25 Jan 2021 12:05:50 +0000 (13:05 +0100)]
Apply the wcf1_event_listener database migration in 5.4 as well
see d836d365d30d44c6140dda17f82b9bd245db03e9
Tim Düsterhus [Mon, 25 Jan 2021 12:03:52 +0000 (13:03 +0100)]
Merge branch '5.3'
Tim Düsterhus [Mon, 25 Jan 2021 12:02:31 +0000 (13:02 +0100)]
Reformat update_com.woltlab.wcf_5.3.3_db.php to use Tabs
Code style for 5.3 expects tabs, not spaces. PHP CodeSniffer complains.
Tim Düsterhus [Mon, 25 Jan 2021 12:01:23 +0000 (13:01 +0100)]
Merge branch '5.3'
Tim Düsterhus [Mon, 25 Jan 2021 11:58:17 +0000 (12:58 +0100)]
Tim Düsterhus [Mon, 25 Jan 2021 11:53:30 +0000 (12:53 +0100)]
Revert "Reformat EventListenerPackageInstallationPlugin to PSR-12"
This reverts commit 9faac4ad4b5d27f9159e531b645ed3f4088adb3a.
Tim Düsterhus [Mon, 25 Jan 2021 11:50:20 +0000 (12:50 +0100)]
Merge pull request #3891 from WoltLab/content-type
Fix content-type response headers
Tim Düsterhus [Mon, 25 Jan 2021 10:45:11 +0000 (11:45 +0100)]
Deprecate ACPSession DBO
Tim Düsterhus [Mon, 25 Jan 2021 10:42:32 +0000 (11:42 +0100)]
Remove obsolete `$session` property from SessionHandler
This property was unused.
Tim Düsterhus [Mon, 25 Jan 2021 10:06:05 +0000 (11:06 +0100)]
Fix content-type for style export
- Use proper application/gzip
- Remove useless charset
Tim Düsterhus [Mon, 25 Jan 2021 10:03:58 +0000 (11:03 +0100)]
Add `charset=UTF-8` to `Content-Type` header
Resolves #3856
Tim Düsterhus [Mon, 25 Jan 2021 09:06:15 +0000 (10:06 +0100)]
Set ->autoFocus() for UserPasswordField in ReauthenticationForm
Tim Düsterhus [Mon, 25 Jan 2021 09:04:44 +0000 (10:04 +0100)]
Add .git-blame-ignore-revs
This is for use with `blame.ignoreRevsFile` in git.
Tim Düsterhus [Mon, 25 Jan 2021 08:18:19 +0000 (09:18 +0100)]
Merge branch '5.2' into 5.3
Tim Düsterhus [Mon, 25 Jan 2021 08:17:56 +0000 (09:17 +0100)]
Whitelist `array_fill` in enterprise mode
Alexander Ebert [Sun, 24 Jan 2021 14:07:13 +0000 (15:07 +0100)]
Merge branch 'reactions-mobile-ux'
Alexander Ebert [Sun, 24 Jan 2021 12:40:16 +0000 (13:40 +0100)]
Display the reaction button on mobile
See #3888
Matthias Schmidt [Sun, 24 Jan 2021 12:17:55 +0000 (13:17 +0100)]
Merge branch '5.3'
Matthias Schmidt [Sun, 24 Jan 2021 12:15:24 +0000 (13:15 +0100)]
Support `environment=all` in event listener PIP GUI
Matthias Schmidt [Sun, 24 Jan 2021 12:13:38 +0000 (13:13 +0100)]
Reformat EventListenerPackageInstallationPlugin to PSR-12
Matthias Schmidt [Sun, 24 Jan 2021 12:02:22 +0000 (13:02 +0100)]
Support `environment=all` for event listeners in database
See #3145
Matthias Schmidt [Sun, 24 Jan 2021 11:53:33 +0000 (12:53 +0100)]
Convert plain links to user profiles to titled links with username
Close #3657
Matthias Schmidt [Sun, 24 Jan 2021 11:47:13 +0000 (12:47 +0100)]
Fix `IDatabaseTableColumn::renameTo()` for PHP < 8
Alexander Ebert [Sat, 23 Jan 2021 15:11:33 +0000 (16:11 +0100)]
Rogue whitespace
Alexander Ebert [Sat, 23 Jan 2021 14:52:22 +0000 (15:52 +0100)]
Inconsistent function names and missing types
Tim Düsterhus [Fri, 22 Jan 2021 17:47:40 +0000 (18:47 +0100)]
Apply PSR-12 code style (#3886)
* Apply PSR-12 code style
* Replaces remaining tabs with spaces in `ViewableMedia::getElementTag()`
* Reformat SQL queries using spaces
* Do not use `use function`
phpcs and phpcs-fixer do not agree on how they should be ordered.
* Disable buggy phpcs rules
* Fix PHPDoc placement in install / update scripts
* Ignore more unfixable errors
* Fix a bunch of line length violations
* Fix a bunch of line length violations
* Fix a bunch of line length violations
* Fix a bunch of line length violations
* Fix a bunch of line length violations
* Fix a bunch of line length violations
* Fix a bunch of line length violations
* Fix a bunch of line length violations
* Code style adjustments
* Fix PHPStorm comment stupidity
* Make phpcs happy
* Code style adjustments
* Make phpcs happy
* Stop touching install.php, test.php and core.functions.php using phpcs-fixer
* Properly ignore core.functions.php for phpcs
Co-authored-by: Matthias Schmidt <gravatronics@live.com>
Co-authored-by: Alexander Ebert <ebert@woltlab.com>
Matthias Schmidt [Fri, 22 Jan 2021 14:12:43 +0000 (15:12 +0100)]
Fix `Ui/Message/Manager.getPermission()` for permissions with dashes
Matthias Schmidt [Thu, 21 Jan 2021 15:46:49 +0000 (16:46 +0100)]
Tim Düsterhus [Thu, 21 Jan 2021 15:12:36 +0000 (16:12 +0100)]
Make phpcs happy with PasswordUtil
Tim Düsterhus [Thu, 21 Jan 2021 15:03:17 +0000 (16:03 +0100)]
Merge remote-tracking branch 'origin/master'
Tim Düsterhus [Thu, 21 Jan 2021 15:02:54 +0000 (16:02 +0100)]
Merge branch '5.3'
Tim Düsterhus [Thu, 21 Jan 2021 15:02:28 +0000 (16:02 +0100)]
Merge pull request #3884 from WoltLab/password-phpbb-combined
Add support for phpBB's combined hash
Tim Düsterhus [Wed, 30 Sep 2020 09:39:25 +0000 (11:39 +0200)]
Add support for phpBB's combined hash
Co-authored-by: Alexander Ebert <ebert@woltlab.com>
Tim Düsterhus [Thu, 21 Jan 2021 11:45:06 +0000 (12:45 +0100)]
Merge pull request #3858 from WoltLab/session-merge
Merge Frontend and ACP sessions
Tim Düsterhus [Thu, 21 Jan 2021 11:28:54 +0000 (12:28 +0100)]
Remove __reauthenticationLoginAs.tpl from syncTemplates.json
They intentionally differ in contents.
Tim Düsterhus [Thu, 21 Jan 2021 11:24:15 +0000 (12:24 +0100)]
Add logout and change user hint to Reauthentication in ACP
Tim Düsterhus [Thu, 21 Jan 2021 10:49:13 +0000 (11:49 +0100)]
Fix SessionHandler::getCookieTimestep()
The previous commit 563510e451c4b9da820a68006b327413b23d0c30 did not actually
use the $window variable in the division.
Tim Düsterhus [Thu, 21 Jan 2021 10:48:12 +0000 (11:48 +0100)]
Extend the USER_SESSION_LIFETIME to 60 days
Tim Düsterhus [Thu, 21 Jan 2021 10:03:58 +0000 (11:03 +0100)]
Add com.woltlab.wcf_5.4_session_3_migrate_session.php
Tim Düsterhus [Wed, 20 Jan 2021 16:22:16 +0000 (17:22 +0100)]
Use a separate reauthentication soft limit within the ACP
As of right now the soft limit in the frontend and in the ACP match up. However
in developer mode the soft limit will be extended to the hard limit.
Tim Düsterhus [Wed, 20 Jan 2021 15:25:32 +0000 (16:25 +0100)]
Clear reauthentication in ACP logout
This will kill access to the ACP without invalidating the frontend session. By
redirecting to the frontend the user can easily perform a full logout.
Tim Düsterhus [Wed, 20 Jan 2021 15:19:34 +0000 (16:19 +0100)]
Add SessionHandler::clearReauthentication()
Tim Düsterhus [Wed, 20 Jan 2021 14:57:24 +0000 (15:57 +0100)]
Add a scoped session variable store
This prevents the frontend and ACP from sharing session variables. Most notably
a reauthentication in the frontend does not extend to the ACP.
Tim Düsterhus [Wed, 20 Jan 2021 14:56:47 +0000 (15:56 +0100)]
Re-add SessionHandler::$isACP
This attribute is going to be used to implement a scoped session variable
store.
Tim Düsterhus [Fri, 8 Jan 2021 15:58:12 +0000 (16:58 +0100)]
Register reauthentication after authenticating in LoginForm and MFAuthenticationForm
Tim Düsterhus [Fri, 8 Jan 2021 15:54:26 +0000 (16:54 +0100)]
Require a reauthentication in WCFACP::initAuth()
Tim Düsterhus [Fri, 8 Jan 2021 14:59:12 +0000 (15:59 +0100)]
Remove the userID from the session cookie
It was only added to support the username suggestion in the ACP login.
Tim Düsterhus [Fri, 8 Jan 2021 14:55:45 +0000 (15:55 +0100)]
Make SessionHandler::getParsedCookieData() private
This method was newly introduced in 5.4 to support the username suggestion during ACP login.
Tim Düsterhus [Fri, 8 Jan 2021 14:54:37 +0000 (15:54 +0100)]
Remove logic to set the preferred username in ACP's login
By the removal of the session separation this will always be empty (otherwise
the user would already be logged in).
Tim Düsterhus [Fri, 8 Jan 2021 15:47:02 +0000 (16:47 +0100)]
Drop wcf1_acp_session when upgrading from 5.3
Tim Düsterhus [Fri, 8 Jan 2021 15:14:21 +0000 (16:14 +0100)]
Remove wcf1_acp_session from install.sql
Tim Düsterhus [Fri, 8 Jan 2021 15:05:02 +0000 (16:05 +0100)]
Remove ACP sessions from GDPR export
They'll always be empty anyway.
Tim Düsterhus [Wed, 20 Jan 2021 16:10:30 +0000 (17:10 +0100)]
Remove SessionHandler::ACP_SESSION_LIFETIME
This constant is unused as of the previous commit.
Tim Düsterhus [Wed, 20 Jan 2021 16:08:50 +0000 (17:08 +0100)]
Remove pruning of ACP sessions
The table always is empty since the previous commits, so the pruning is no longer required.
Tim Düsterhus [Wed, 20 Jan 2021 15:35:46 +0000 (16:35 +0100)]
Remove the `isAcpSession` property from \wcf\system\session\Session
This property always was `false` since the removal of the distinction between
frontend and ACP sessions.
Tim Düsterhus [Fri, 8 Jan 2021 14:52:10 +0000 (15:52 +0100)]
Remove SessionHandler methods to delete ACP sessions
They were both introduced and deprecated in 5.4.
Tim Düsterhus [Fri, 8 Jan 2021 14:51:38 +0000 (15:51 +0100)]
Remove calls to SessionHandler::deleteAcpSessionsExcept()
This method was deprecated in the previous commit.
Tim Düsterhus [Fri, 8 Jan 2021 14:50:45 +0000 (15:50 +0100)]
Remove SessionHandler::$isACP
Since the previous commit this is always `false`.
Tim Düsterhus [Fri, 8 Jan 2021 14:35:28 +0000 (15:35 +0100)]
Force SessionHandler::$isACP to be false
This causes the ACP to reuse the frontend session. This improves the user
experience for enabled multi-factor authentication, because the ACP will no
longer require both the password *and* an additional MFA code when the user's
web browser is already authenticated in the frontend.
Additionally it will allow to simplify the whole session handling logic, due to
the future removal of several code branches.
This removal of the branches is not yet done to keep this commit simple.
As of right now the ACP will have reduced security compared to the situation in
5.3, because no passwords will be asked either. This will also be fixed in a
future commit by using the reauthentication framework.
Tim Düsterhus [Thu, 21 Jan 2021 08:39:15 +0000 (09:39 +0100)]
Merge branch '5.3'
Tim Düsterhus [Thu, 21 Jan 2021 08:33:22 +0000 (09:33 +0100)]
Set 'stream' to `true` for Guzzle in `HTTPRequest`
This is required to properly support the 'maxLength' option on endless streams
(such as a web radio). Without setting 'stream' to `true`, Guzzle attempts to
download the entire response body before returning from `->send()`.
Tim Düsterhus [Wed, 20 Jan 2021 16:05:15 +0000 (17:05 +0100)]
Fix disabling of session ACP expiration in debug + dev mode
While this was properly accounted for in SessionHandler::prune() it was not
when loading the session.
Tim Düsterhus [Wed, 20 Jan 2021 16:03:14 +0000 (17:03 +0100)]
Fix pruning of ACP sessions
This fixes a copy and paste mistake in 6096fe159bbcae95b54abe0cfdb8eba0774dffc5.
This mistake did not introduce a security issue, because the session timeout is
also checked when loading the session, instead of just relying on the cronjob
pruning the session.
Tim Düsterhus [Wed, 20 Jan 2021 15:22:33 +0000 (16:22 +0100)]
Add missing PHPDoc tags for new SessionHandler methods
- Add missing `@since` tags.
- Add useful `@see` tags.
Tim Düsterhus [Wed, 20 Jan 2021 15:15:54 +0000 (16:15 +0100)]
Merge pull request #3883 from WoltLab/access-log-clean
Clean up ACP session log processing
Tim Düsterhus [Fri, 8 Jan 2021 15:11:59 +0000 (16:11 +0100)]
Consider an ACP session to be expired after 15 minutes in SessionAccessLogListener
Tim Düsterhus [Fri, 8 Jan 2021 15:08:56 +0000 (16:08 +0100)]
Stop accessing wcf1_acp_session in ACP session log
This access was only used to fill the `active` property which is unused.
Joshua Rüsweg [Wed, 20 Jan 2021 14:46:44 +0000 (15:46 +0100)]
Merge pull request #3873 from WoltLab/user-online-performance
Fix performance of user online list
joshuaruesweg [Tue, 12 Jan 2021 13:45:33 +0000 (14:45 +0100)]
Fix performance of user online list
If the UserStorageHandler has to load all users that are online, this is quite resource intensive in larger communities and the query is very slow. The UserStorageHandler must actually be loaded so that the permissions of the users can be checked to see if they can make themselves invisible. We switch off this check with this commit and assume that users who cannot change this setting are always online.
WoltLab [Wed, 20 Jan 2021 12:15:24 +0000 (12:15 +0000)]
Updating minified JavaScript files
Alexander Ebert [Wed, 20 Jan 2021 12:13:58 +0000 (13:13 +0100)]
Merge branch '5.2' into 5.3
WoltLab [Wed, 20 Jan 2021 12:12:17 +0000 (12:12 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Wed, 20 Jan 2021 09:06:43 +0000 (10:06 +0100)]
Fix the ACP session cookie value after WCFSetup
WCFSetup was not adjusted when making the changes to the cookie format.
see 3b07fad7445f10555cc367eadedb9543565e4943
Tim Düsterhus [Tue, 19 Jan 2021 13:55:52 +0000 (14:55 +0100)]
Fix typo in de.xml
Tim Düsterhus [Tue, 19 Jan 2021 13:25:22 +0000 (14:25 +0100)]
Mark multi-factor methods as final
There is no good reason why anyone should be allowed to inherit from these
classes, especially since all the methods are either public or private (and not
protected).
Tim Düsterhus [Tue, 19 Jan 2021 10:16:35 +0000 (11:16 +0100)]
Move permission checks for Multifactor forms into checkPermissions()
This avoids issues with requestReauthentication() being called for guests.
I verified that none of the actual processing happens before the
checkPermissions() check.