Tim Düsterhus [Fri, 18 Nov 2022 09:50:34 +0000 (10:50 +0100)]
Use `PackageArchive::getUpdateInstructionsFor()` in PackageInstallationNodeBuilder
Tim Düsterhus [Fri, 18 Nov 2022 09:12:36 +0000 (10:12 +0100)]
Shorten overly long line in PackageInstallationNodeBuilder
Tim Düsterhus [Fri, 18 Nov 2022 09:27:42 +0000 (10:27 +0100)]
Lazily filter update instructions in PackageArchive
As `$this->package` is effectively readonly, this is safe and will not change
the behavior.
Tim Düsterhus [Fri, 18 Nov 2022 09:41:54 +0000 (10:41 +0100)]
Fix downgrade prevention in PackageValidationArchive
This regressed in 5590bc1425b03e1f8d91610b7d3c52ccccb7d338, because
`PackageArchive::isValidUpdate()` checked not just the existence of the
instructions, but also the version numbers.
In practice this regression is only visible for wildcard update instructions,
because otherwise a valid instruction will simply not exist.
Tim Düsterhus [Fri, 18 Nov 2022 09:21:42 +0000 (10:21 +0100)]
Take a package version instead of a package in PackageArchive::getUpdateInstructionsFor()
Tim Düsterhus [Fri, 18 Nov 2022 08:59:49 +0000 (09:59 +0100)]
Add additional types to PackageInstallationNodeBuilder
Tim Düsterhus [Fri, 18 Nov 2022 08:57:36 +0000 (09:57 +0100)]
Add additional types to Install/UninstallPackageAction
Tim Düsterhus [Fri, 18 Nov 2022 08:53:25 +0000 (09:53 +0100)]
Drop redundant PHPDoc type in PackageInstallationStep
Tim Düsterhus [Thu, 17 Nov 2022 15:33:37 +0000 (16:33 +0100)]
Merge branch '5.5'
Tim Düsterhus [Thu, 17 Nov 2022 14:45:29 +0000 (15:45 +0100)]
Remove obsolete `requirejs` dependency from extra/
Tim Düsterhus [Thu, 17 Nov 2022 14:45:03 +0000 (15:45 +0100)]
Move `@woltlab/r.js` into dependencies from devDependencies
Tim Düsterhus [Thu, 17 Nov 2022 14:38:37 +0000 (15:38 +0100)]
Use explicit git+https URL for r.js
Tim Düsterhus [Thu, 17 Nov 2022 14:32:52 +0000 (15:32 +0100)]
Make use of `@woltlab/r.js`
Tim Düsterhus [Thu, 17 Nov 2022 14:32:25 +0000 (15:32 +0100)]
Install `@woltlab/r.js` in extra/
Alexander Ebert [Thu, 17 Nov 2022 11:44:23 +0000 (12:44 +0100)]
Release 5.5.7 dev 1
WoltLab [Thu, 17 Nov 2022 11:33:20 +0000 (11:33 +0000)]
Updating minified JavaScript files
Tim Düsterhus [Thu, 17 Nov 2022 08:41:23 +0000 (09:41 +0100)]
Merge branch '5.5'
Alexander Ebert [Wed, 16 Nov 2022 16:30:05 +0000 (17:30 +0100)]
Construct the profile url using just the user id
The attempt to embed the username into the URL is flawed, because it provides none of the server side transformations performed when naturally generating those URLs.
The current implementation causes a redirect for most usernames anyway. Besides, those redirects take place early in the processing of the controller and thus are acceptable.
Removing the username from the artificially constructed URL will now always cause a redirect, but does not break web servers with less permissive rewrite rules.
See https://www.woltlab.com/community/thread/297758-url-memberlist-suche-%C3%ACst-falsch/
Tim Düsterhus [Wed, 16 Nov 2022 16:17:11 +0000 (17:17 +0100)]
Add some additional types to PackageInstallationNodeBuilder
Tim Düsterhus [Wed, 16 Nov 2022 15:49:14 +0000 (16:49 +0100)]
Merge branch '5.5'
Tim Düsterhus [Wed, 16 Nov 2022 15:17:26 +0000 (16:17 +0100)]
Merge pull request #5126 from WoltLab/package-cleanup
Further clean up package archive handling logic
Alexander Ebert [Wed, 16 Nov 2022 12:41:34 +0000 (13:41 +0100)]
Schedule the restore of the scroll position for the next loop
The previous delay of 1ms causes issues with actions that also try to delay their execution to the next run of the event loop. These will get executed while the page offset has not been adjusted, causing the calculations to be incorrect.
This primarily affects the editor which makes use of `setTimeout()` to work around some browser limitations.
See https://www.woltlab.com/community/thread/297841-einf%C3%BCgen-von-links-in-den-editor/
Tim Düsterhus [Wed, 16 Nov 2022 11:14:56 +0000 (12:14 +0100)]
Remove PackageArchive::isValidUpdate()
The method relies on the stateful `PackageArchive::$package` property and
`PackageArchive::filterUpdateInstructions()` which is super intransparent.
The last remaining user was removed in the previous commit.
see #5094
Tim Düsterhus [Wed, 16 Nov 2022 11:13:42 +0000 (12:13 +0100)]
Use `PackageArchive::getUpdateInstructionsFor()` in PackageValidationArchive
This removes the only user of `PackageArchive::isValidUpdate()` which will be
removed in a follow-up commit.
Tim Düsterhus [Wed, 16 Nov 2022 11:12:39 +0000 (12:12 +0100)]
Add PackageArchive::getUpdateInstructionsFor()
Tim Düsterhus [Wed, 16 Nov 2022 11:10:05 +0000 (12:10 +0100)]
Mark PackageValidationArchive::$archive as `readonly`
Tim Düsterhus [Wed, 16 Nov 2022 11:08:48 +0000 (12:08 +0100)]
Remove unused PackageValidationArchive::$parent property
Tim Düsterhus [Tue, 15 Nov 2022 14:59:48 +0000 (15:59 +0100)]
Narrow `protected` to `private` in PackageValidationArchive
Tim Düsterhus [Tue, 15 Nov 2022 14:58:27 +0000 (15:58 +0100)]
Mark PackageValidationArchive as final
Tim Düsterhus [Tue, 15 Nov 2022 14:50:37 +0000 (15:50 +0100)]
Remove useless check for `applicationDirectory` in PackageInstallationDispatcher::installPackage()
The key will always exist in the `$nodeData`.
Tim Düsterhus [Tue, 15 Nov 2022 14:48:17 +0000 (15:48 +0100)]
Remove useless conditions in PackageInstallationDispatcher::installPackage()
The `foreach()` loops handle empty arrays just fine.
Tim Düsterhus [Wed, 16 Nov 2022 10:34:49 +0000 (11:34 +0100)]
Update focus-trap and tabbable
Tim Düsterhus [Wed, 16 Nov 2022 10:33:24 +0000 (11:33 +0100)]
Update esbuild
Tim Düsterhus [Wed, 16 Nov 2022 10:32:20 +0000 (11:32 +0100)]
Merge branch '5.5'
Tim Düsterhus [Wed, 16 Nov 2022 10:29:25 +0000 (11:29 +0100)]
Update `@types/google.maps` and `@types/facebook-js-sdk`
Tim Düsterhus [Wed, 16 Nov 2022 10:28:24 +0000 (11:28 +0100)]
Update eslint
Tim Düsterhus [Wed, 16 Nov 2022 10:24:42 +0000 (11:24 +0100)]
Update `tslib`
Tim Düsterhus [Wed, 16 Nov 2022 09:06:57 +0000 (10:06 +0100)]
Merge branch '5.5'
Alexander Ebert [Tue, 15 Nov 2022 17:00:11 +0000 (18:00 +0100)]
Add the CSS class `.formAttachmentListItem` to existing attachments on page load
See https://www.woltlab.com/community/thread/297604-dateianh%C3%A4nge-werden-bei-mehrsprachigkeit-nicht-zwischen-editoren-synchronisiert/
Alexander Ebert [Tue, 15 Nov 2022 13:52:57 +0000 (14:52 +0100)]
Merge pull request #5124 from WoltLab/implicit-xsrf-validation
Implicit XSRF checks for PSR-15 controllers with opt-out
Tim Düsterhus [Tue, 15 Nov 2022 13:46:29 +0000 (14:46 +0100)]
Unbreak PackageArchive::getExistingRequirements() for com.woltlab.wcf
com.woltlab.wcf is special, because it has no dependencies, thus failing the
assertion.
see 792278848e22a9c1bbe710176ed9f54f67f0fa7d
Tim Düsterhus [Tue, 15 Nov 2022 13:40:17 +0000 (14:40 +0100)]
Merge pull request #5125 from WoltLab/package-archive-cleanup
Further clean up the package system
Alexander Ebert [Tue, 15 Nov 2022 13:27:52 +0000 (14:27 +0100)]
Perform the least expensive validations first
Co-authored-by: Tim Düsterhus <duesterhus@woltlab.com>
Alexander Ebert [Tue, 15 Nov 2022 11:55:52 +0000 (12:55 +0100)]
Fix the check for safe HTTP verbs
Co-authored-by: Tim Düsterhus <duesterhus@woltlab.com>
Alexander Ebert [Tue, 15 Nov 2022 11:29:10 +0000 (12:29 +0100)]
Add a helper method to validate if the HTTP verb requires an XSRF check
Alexander Ebert [Tue, 15 Nov 2022 11:26:03 +0000 (12:26 +0100)]
Move `DisableXsrfCheck` into a separate class file
Tim Düsterhus [Tue, 15 Nov 2022 10:13:32 +0000 (11:13 +0100)]
Remove PackageArchive::getAllExistingRequirements()
The last remaining user of this method was removed in the previous commit. The
logic of this method was overly complex:
- It handled the possibility that a single package is installed multiple times,
  which is not possible since forever.
- It contained special (and semi-broken) logic for requirement links that are
  already stored in the database. Since a93b160e72731d72e58a13052c1b6b83b089552a
  all requirements in the database were deleted before this method was called
  in PackageInstallationDispatcher. It also failed to account for a requirement
  link existing, but the target package being of an insufficient version.
Tim Düsterhus [Tue, 15 Nov 2022 10:11:47 +0000 (11:11 +0100)]
Stop using PackageArchive::getAllExistingRequirements()
The method is overly complex and will be removed in a follow-up commit.
Tim Düsterhus [Tue, 15 Nov 2022 10:07:26 +0000 (11:07 +0100)]
Further streamline the logic in PackageArchive::getExistingRequirements()
Tim Düsterhus [Tue, 15 Nov 2022 10:05:38 +0000 (11:05 +0100)]
Remove obsolete handling of duplicated packages in PackageArchive::getExistingRequirements()
`package` is a UNIQUE KEY in the database, the deleted logic was dead code.
Tim Düsterhus [Tue, 15 Nov 2022 09:26:13 +0000 (10:26 +0100)]
Add proper types to Package::checkFromversion()
Tim Düsterhus [Tue, 15 Nov 2022 09:20:26 +0000 (10:20 +0100)]
Remove PackageArchive::isValidInstall()
This method is unused, instead the existing logic checks if
`->getInstallInstructions()` is (non-)empty.
Tim Düsterhus [Tue, 15 Nov 2022 09:38:49 +0000 (10:38 +0100)]
Do not attempt to sanitize the path to `[internal function]`
This looks ugly and leaks some information: How deep WoltLab Suite Core is
located within the file system hierarchy.
Alexander Ebert [Mon, 14 Nov 2022 18:50:19 +0000 (19:50 +0100)]
Add `DisableXsrfCheck` attribute to opt out of the automated XSRF validation
Alexander Ebert [Mon, 14 Nov 2022 18:28:47 +0000 (19:28 +0100)]
Reject requests for `RequestHandlerInterface` implementations without a valid XSRF token
GET and HEAD requests are always exempt from the validation, because these are by definition safe actions (*).
(*) Legacy implementations violated this principle, but this is a bad practice and is frowned upon in new PSR implementations.
Alexander Ebert [Mon, 14 Nov 2022 17:17:37 +0000 (18:17 +0100)]
Merge pull request #5123 from WoltLab/background-queue-http-header
Migrate the forced check of the background queue to a HTTP response header
Alexander Ebert [Mon, 14 Nov 2022 16:35:25 +0000 (17:35 +0100)]
Reorder the conditions to make it easier to understand
Co-authored-by: Tim Düsterhus <duesterhus@woltlab.com>
Alexander Ebert [Mon, 14 Nov 2022 15:48:13 +0000 (16:48 +0100)]
Move the HTTP header name into a common class
Alexander Ebert [Mon, 14 Nov 2022 15:45:40 +0000 (16:45 +0100)]
Move the HTTP header for legacy requests into the `AJAXProxyAction`
Alexander Ebert [Mon, 14 Nov 2022 15:42:08 +0000 (16:42 +0100)]
Move the PhpDoc comment to the public API
Alexander Ebert [Mon, 14 Nov 2022 15:41:15 +0000 (16:41 +0100)]
Use `isACPRequest()` instead of probing for the `WCFACP` class
Alexander Ebert [Mon, 14 Nov 2022 15:15:55 +0000 (16:15 +0100)]
Stop injecting `forceBackgroundQueuePerform` into AJAX responses
Alexander Ebert [Mon, 14 Nov 2022 15:13:51 +0000 (16:13 +0100)]
Skip the background queue check for backend requests
Alexander Ebert [Mon, 14 Nov 2022 15:12:31 +0000 (16:12 +0100)]
Check the background queue when the response header is present
Alexander Ebert [Mon, 14 Nov 2022 15:06:56 +0000 (16:06 +0100)]
Conditionally add `woltlab-background-queue-check: yes` to the response
This header is intended to signal the client that an async check for pending jobs in the background queue should be dispatched.
Alexander Ebert [Mon, 14 Nov 2022 14:26:03 +0000 (15:26 +0100)]
Fix the creation of DOM elements from a HTML string
The naive approach of using `innerHTML` does not work for script tags. These are only recognized when they are manually inserted into the DOM for security reasons.
Tim Düsterhus [Mon, 14 Nov 2022 14:17:49 +0000 (15:17 +0100)]
Merge pull request #5122 from WoltLab/json-request-body
Add JsonBody middleware
Tim Düsterhus [Mon, 14 Nov 2022 14:17:39 +0000 (15:17 +0100)]
Merge pull request #5121 from WoltLab/formbuilder-id-escape
Properly escape special characters in form builder IDs
Tim Düsterhus [Mon, 14 Nov 2022 13:43:44 +0000 (14:43 +0100)]
Properly escape special characters in form builder IDs
Tim Düsterhus [Fri, 4 Nov 2022 09:00:12 +0000 (10:00 +0100)]
Improve content-type check in JsonBody middleware
Alexander Ebert [Thu, 3 Nov 2022 16:56:50 +0000 (17:56 +0100)]
Transparently decode JSON requests
Tim Düsterhus [Mon, 14 Nov 2022 13:41:22 +0000 (14:41 +0100)]
Add __valueIntervalFormFieldDependency.tpl to syncTemplates.json
Alexander Ebert [Mon, 14 Nov 2022 12:04:45 +0000 (13:04 +0100)]
Add npm script to refresh the web component bundle
Alexander Ebert [Mon, 14 Nov 2022 12:01:49 +0000 (13:01 +0100)]
Merge pull request #5117 from WoltLab/js-preload
Preload phrases for use in TypeScript
Alexander Ebert [Mon, 14 Nov 2022 11:53:45 +0000 (12:53 +0100)]
Replace `@\unlink()` with a check for file existence
Alexander Ebert [Mon, 14 Nov 2022 11:52:30 +0000 (12:52 +0100)]
Use the `AtomicWriter` to create the phrase cache
Alexander Ebert [Mon, 14 Nov 2022 11:50:01 +0000 (12:50 +0100)]
Fix the logic of the check for the phrase preload rebuild
Tim Düsterhus [Mon, 14 Nov 2022 10:14:22 +0000 (11:14 +0100)]
Rebuild compiled JavaScript
Tim Düsterhus [Mon, 14 Nov 2022 09:41:39 +0000 (10:41 +0100)]
Fix bad merge in EnforceAcpAuthentication middleware
The exception should no longer be there.
see a693ef9dc6ab80b8c3c4671923071e4b9f9b23f3
see 2115b6456f75068740d54db29d4b5970a4bb7f36
Tim Düsterhus [Mon, 14 Nov 2022 09:41:16 +0000 (10:41 +0100)]
Merge branch '5.5'
Tim Düsterhus [Mon, 14 Nov 2022 09:37:02 +0000 (10:37 +0100)]
Tim Düsterhus [Mon, 14 Nov 2022 09:22:05 +0000 (10:22 +0100)]
Update composer dependencies
Tim Düsterhus [Mon, 14 Nov 2022 08:08:12 +0000 (09:08 +0100)]
Merge pull request #5120 from WoltLab/package-fix-update
Clean up package archive handling
Alexander Ebert [Sun, 13 Nov 2022 16:15:04 +0000 (17:15 +0100)]
`getSearchFormElement()` expects a string for the value parameter
Alexander Ebert [Sun, 13 Nov 2022 16:14:24 +0000 (17:14 +0100)]
Validate that the searched option implements the required interface
Alexander Ebert [Sun, 13 Nov 2022 15:43:36 +0000 (16:43 +0100)]
Remove selection markers after discarding the link dialog
See https://www.woltlab.com/community/thread/297178-links-bearbeiten-und-kopieren/
Alexander Ebert [Sun, 13 Nov 2022 15:09:23 +0000 (16:09 +0100)]
Bind the event listeners for the RSS feed dialog every time
The dialog is replaced with the provided HTML on every invocation. Since this is a named dialog, the instance is set up once, but rebuilt with every invocation.
See https://www.woltlab.com/community/thread/297896-kopieren-schaltfl%C3%A4che-nach-erneutem-%C3%B6ffnen-des-dialogs-nicht-mehr-funktionsf%C3%A4hig/
Alexander Ebert [Sun, 13 Nov 2022 14:53:58 +0000 (15:53 +0100)]
Fix the scroll offset when the first message is being targeted
See https://www.woltlab.com/community/thread/297814-mobil-zus%C3%A4tzlicher-container-sichtbar-bei-direktlink-auf-den-ersten-beitrag-eine/
Alexander Ebert [Sat, 12 Nov 2022 14:00:25 +0000 (15:00 +0100)]
Preload common phrases
Alexander Ebert [Sat, 12 Nov 2022 13:17:25 +0000 (14:17 +0100)]
Move the registration of preload phrases into a dedicated event listener
Alexander Ebert [Sat, 12 Nov 2022 11:53:15 +0000 (12:53 +0100)]
Provide only the plugin name when syncing pips
The full object provides little detail because it is created on-the-fly with as little information as required.
Alexander Ebert [Sat, 12 Nov 2022 11:51:20 +0000 (12:51 +0100)]
Reset the phrase preload cache when syncing files and languages
Alexander Ebert [Sat, 12 Nov 2022 11:18:01 +0000 (12:18 +0100)]
Preload the phrase for relative timestamps
Alexander Ebert [Sat, 12 Nov 2022 11:11:37 +0000 (12:11 +0100)]
Fix the namespace and file name of the collecting event
Alexander Ebert [Sat, 12 Nov 2022 11:09:55 +0000 (12:09 +0100)]
Fix the condition to rebuild the phrase cache
Alexander Ebert [Sat, 12 Nov 2022 11:06:50 +0000 (12:06 +0100)]
Create the directory used for JS phrase preloads
Alexander Ebert [Fri, 11 Nov 2022 17:33:38 +0000 (18:33 +0100)]
Simplify the events by using constructor property promotion
Alexander Ebert [Fri, 11 Nov 2022 17:30:42 +0000 (18:30 +0100)]
Invert the order of the phrase preloader and the web component bundle
Alexander Ebert [Fri, 11 Nov 2022 17:30:25 +0000 (18:30 +0100)]
Replace the usage of `\gmdate()`
Alexander Ebert [Thu, 10 Nov 2022 17:10:13 +0000 (18:10 +0100)]
Add explicit markers to the preload cache files