GitHub/WoltLab/WCF.git
3 years ago Revert "Make PHP status in SystemCheckPage resilient against method reordering"
Tim Düsterhus [Mon, 1 Nov 2021 13:32:52 +0000 (14:32 +0100)]
Revert "Make PHP status in SystemCheckPage resilient against method reordering"

This change was buggy and it's not worth the effort to do this cleanly.

This reverts commit ba725407cd3e7ee83961e355252841153493face.

3 years ago Wrap overly long line in SystemCheckPage
Tim Düsterhus [Mon, 1 Nov 2021 10:21:05 +0000 (11:21 +0100)]
Wrap overly long line in SystemCheckPage

3 years ago Make PHP status in SystemCheckPage resilient against method reordering
Tim Düsterhus [Mon, 1 Nov 2021 10:19:53 +0000 (11:19 +0100)]
Make PHP status in SystemCheckPage resilient against method reordering

3 years ago Fix indentation in systemCheck.tpl
Tim Düsterhus [Mon, 1 Nov 2021 10:16:37 +0000 (11:16 +0100)]
Fix indentation in systemCheck.tpl

3 years ago Fix ACP login for PHP 8.1
Tim Düsterhus [Fri, 29 Oct 2021 14:06:44 +0000 (16:06 +0200)]
Fix ACP login for PHP 8.1

see 9d12c9783ce32b0396a80a498f54b053591d4aa3

3 years ago Merge branch '5.3' into 5.4
Tim Düsterhus [Tue, 26 Oct 2021 12:57:19 +0000 (14:57 +0200)]
Merge branch '5.3' into 5.4

3 years ago Regenerate composer autoloader
Tim Düsterhus [Tue, 26 Oct 2021 12:56:26 +0000 (14:56 +0200)]
Regenerate composer autoloader

3 years ago Sync `aclSimple.tpl`
joshuaruesweg [Mon, 25 Oct 2021 09:08:44 +0000 (11:08 +0200)]
Sync `aclSimple.tpl`

3 years ago Improved a11y of radio buttons
joshuaruesweg [Mon, 25 Oct 2021 09:02:52 +0000 (11:02 +0200)]
Improved a11y of radio buttons

See f4ec1c5a25e150fbb8b27818fdbaed816259decb

3 years ago Workaround for multiple quote handlers on one page
Alexander Ebert [Sun, 24 Oct 2021 12:57:39 +0000 (14:57 +0200)]
Workaround for multiple quote handlers on one page

3 years ago Specify a default value for `register_disabled`
Tim Düsterhus [Fri, 22 Oct 2021 08:48:20 +0000 (10:48 +0200)]
Specify a default value for `register_disabled`

see 83a6038eea6da6608c5363be7b9f88080f3dadb1
see #4565

3 years ago Specify a default value for `force_login`
Tim Düsterhus [Fri, 22 Oct 2021 08:49:36 +0000 (10:49 +0200)]
Specify a default value for `force_login`

see 83a6038eea6da6608c5363be7b9f88080f3dadb1
see #4565

3 years ago Specify a default value for `module_paid_subscription` / `paid_subscription_enable_to...
Tim Düsterhus [Fri, 22 Oct 2021 08:47:17 +0000 (10:47 +0200)]
Specify a default value for `module_paid_subscription` / `paid_subscription_enable_tos_confirmation`

see 83a6038eea6da6608c5363be7b9f88080f3dadb1
see #4565

3 years ago Specify a default value for `offline` / `offline_message_allow_html`
Tim Düsterhus [Fri, 22 Oct 2021 08:45:01 +0000 (10:45 +0200)]
Specify a default value for `offline` / `offline_message_allow_html`

see 83a6038eea6da6608c5363be7b9f88080f3dadb1
see #4565

3 years ago Specify a default value for `enable_censorship`
Tim Düsterhus [Fri, 22 Oct 2021 08:41:52 +0000 (10:41 +0200)]
Specify a default value for `enable_censorship`

This did not cause issues in practice, as `options.inc.php` reliably contained
a `0` as the option’s value.

Fixes #4565

3 years ago Merge pull request #4556 from WoltLab/password-toggle-submit
Tim Düsterhus [Thu, 21 Oct 2021 13:05:46 +0000 (15:05 +0200)]
Merge pull request #4556 from WoltLab/password-toggle-submit

Hide all passwords upon form submission in Core/Ui/Password.ts

3 years ago Merge pull request #4555 from WoltLab/style-delete
Tim Düsterhus [Thu, 21 Oct 2021 12:19:52 +0000 (14:19 +0200)]
Merge pull request #4555 from WoltLab/style-delete

Move all of the style deletion logic into StyleEditor

3 years ago Fix PHPDoc return type for IDatabaseTableColumn::getDefaultValue()
Tim Düsterhus [Thu, 21 Oct 2021 11:59:28 +0000 (13:59 +0200)]
Fix PHPDoc return type for IDatabaseTableColumn::getDefaultValue()

3 years ago Use `->prepare()` instead of `->prepareStatement()` in LastActivityCronjob
Tim Düsterhus [Thu, 21 Oct 2021 08:39:15 +0000 (10:39 +0200)]
Use `->prepare()` instead of `->prepareStatement()` in LastActivityCronjob

3 years ago Fix `userID` condition in LastActivityCronjob
Tim Düsterhus [Thu, 21 Oct 2021 08:38:30 +0000 (10:38 +0200)]
Fix `userID` condition in LastActivityCronjob

3 years ago Add `UnfurlUrl::$status` to `@property-read`
Sascha Greuel [Wed, 20 Oct 2021 22:25:11 +0000 (00:25 +0200)]
Add `UnfurlUrl::$status` to `@property-read`

Closes #4561

[Tim: Rephrased the commit message]

3 years ago Hide all passwords upon form submission in Core/Ui/Password.ts
Tim Düsterhus [Wed, 20 Oct 2021 09:58:35 +0000 (11:58 +0200)]
Hide all passwords upon form submission in Core/Ui/Password.ts

Resolves #4554

3 years ago Move all of the style deletion logic into StyleEditor
Tim Düsterhus [Wed, 20 Oct 2021 08:50:31 +0000 (10:50 +0200)]
Move all of the style deletion logic into StyleEditor

This ensures that all the files on the filesystem are deleted no matter how the
style is deleted. Previously the style's image folder remained when
StyleEditor::delete() was used, for example within the style PIP.

3 years ago Merge pull request #4552 from WoltLab/email-header-case
Tim Düsterhus [Tue, 19 Oct 2021 10:37:26 +0000 (12:37 +0200)]
Merge pull request #4552 from WoltLab/email-header-case

Use canonical header casing in PhpEmailTransport

3 years ago Use canonical header name in PhpEmailTransport
Tim Düsterhus [Tue, 19 Oct 2021 10:01:53 +0000 (12:01 +0200)]
Use canonical header name in PhpEmailTransport

3 years ago Add Email::getCanonicalHeaderName()
Tim Düsterhus [Tue, 19 Oct 2021 10:00:55 +0000 (12:00 +0200)]
Add Email::getCanonicalHeaderName()

3 years ago Incorrect data type used in AJAX requests for search requests
Alexander Ebert [Fri, 15 Oct 2021 15:23:06 +0000 (17:23 +0200)]
Incorrect data type used in AJAX requests for search requests

The `Set` type is not understood by the browser's AJAX API and thus silently discarded.

3 years ago Merge branch '5.3' into 5.4
Tim Düsterhus [Thu, 14 Oct 2021 13:17:37 +0000 (15:17 +0200)]
Merge branch '5.3' into 5.4

3 years ago Merge branch '5.2' into 5.3
Tim Düsterhus [Thu, 14 Oct 2021 13:14:54 +0000 (15:14 +0200)]
Merge branch '5.2' into 5.3

3 years ago Merge branch '3.1' into 5.2
Tim Düsterhus [Thu, 14 Oct 2021 13:11:44 +0000 (15:11 +0200)]
Merge branch '3.1' into 5.2

3 years ago Fix EmailNewActivationCodeForm
Tim Düsterhus [Thu, 14 Oct 2021 13:10:10 +0000 (15:10 +0200)]
Fix EmailNewActivationCodeForm

This got broken, because it inherits from RegisterNewActivationForm and the “is
already enabled” validation was moved into a dedicated method within there. This
is a perfect example of why one should never inherit from controllers …

see f394421c0cc7e8879007092e40e540b2fd1118c1

3 years ago Fix bad merge from 5.3 to 5.4
Tim Düsterhus [Thu, 14 Oct 2021 13:03:35 +0000 (15:03 +0200)]
Fix bad merge from 5.3 to 5.4

Commit f394421c0cc7e8879007092e40e540b2fd1118c1 was incorrectly applied.

3 years ago Allow unblocking non-blockable users from within the profile
Tim Düsterhus [Wed, 13 Oct 2021 14:21:09 +0000 (16:21 +0200)]
Allow unblocking non-blockable users from within the profile

Fixes #4548

3 years ago Updating minified JavaScript files
WoltLab [Wed, 13 Oct 2021 10:37:41 +0000 (10:37 +0000)]
Updating minified JavaScript files

3 years ago Update npm dependencies in extra/
Tim Düsterhus [Wed, 13 Oct 2021 10:36:21 +0000 (12:36 +0200)]
Update npm dependencies in extra/

3 years ago Updating minified JavaScript files
WoltLab [Wed, 13 Oct 2021 10:31:37 +0000 (10:31 +0000)]
Updating minified JavaScript files

3 years ago Support for the embedding of private vimeo videos
Marcel Werk [Fri, 8 Oct 2021 14:01:18 +0000 (16:01 +0200)]
Support for the embedding of private vimeo videos

3 years ago Merge pull request #4539 from WoltLab/php-ddl-reject-duplicate-index-column
Tim Düsterhus [Tue, 5 Oct 2021 07:00:18 +0000 (09:00 +0200)]
Merge pull request #4539 from WoltLab/php-ddl-reject-duplicate-index-column

Reject indices with duplicate columns in DatabaseTableChangeProcessor

3 years ago Merge pull request #4540 from WoltLab/5.4-image-proxy-exception
Tim Düsterhus [Mon, 4 Oct 2021 14:32:53 +0000 (16:32 +0200)]
Merge pull request #4540 from WoltLab/5.4-image-proxy-exception

Correctly wrap \RuntimeException from body reading in \DomainExceptio…

3 years ago Correctly wrap \RuntimeException from body reading in \DomainException in ImageProxyA...
joshuaruesweg [Mon, 4 Oct 2021 14:28:44 +0000 (16:28 +0200)]
Correctly wrap \RuntimeException from body reading in \DomainException in ImageProxyAction

3 years ago Reject indices with duplicate columns in DatabaseTableChangeProcessor
Tim Düsterhus [Mon, 4 Oct 2021 14:04:11 +0000 (16:04 +0200)]
Reject indices with duplicate columns in DatabaseTableChangeProcessor

Resolves #4536

3 years ago Merge pull request #4538 from WoltLab/5.4-disable-unfurling-in-signatures
Joshua Rüsweg [Mon, 4 Oct 2021 13:31:19 +0000 (15:31 +0200)]
Merge pull request #4538 from WoltLab/5.4-disable-unfurling-in-signatures

Disable unfurled urls in signatures

3 years ago Disable unfurled urls in signatures
joshuaruesweg [Mon, 4 Oct 2021 12:53:14 +0000 (14:53 +0200)]
Disable unfurled urls in signatures

3 years ago Fix check whether a non-owned FOREIGN KEY is being dropped in DatabaseTableChangeProc...
Tim Düsterhus [Wed, 29 Sep 2021 13:38:50 +0000 (15:38 +0200)]
Fix check whether a non-owned FOREIGN KEY is being dropped in DatabaseTableChangeProcessor

The reproducer and fix are effectively identical to the one in
167291206e57ffb9bc043308682061e5e499ff45.

Package A: Installs FOREIGN KEY (someOtherUserID) REFERENCES wcf1_user (userID)
Package B: Installs FOREIGN KEY (userID) REFERENCES wcf1_user (userID)
Package B: Drops FOREIGN KEY (userID) REFERENCES wcf1_user (userID)

It was erroneously detected that Package B would drop the foreign key owned by
Package A, but possibly only after the foreign key has already been (correctly)
dropped. This delay in check is caused by the `continue 2;` skipping any other
foreign keys after matching up one foreign key.

The actual dropping logic was already correct, just the safety check was
incorrect.

see #4434

3 years ago Force blur the editor after replying with a message
Alexander Ebert [Wed, 29 Sep 2021 12:06:46 +0000 (14:06 +0200)]
Force blur the editor after replying with a message

See https://community.woltlab.com/thread/292195-probleme-mit-opera-mobile-unter-android/

3 years ago Force blur the editor after replying with a message
Alexander Ebert [Wed, 29 Sep 2021 12:06:09 +0000 (14:06 +0200)]
Force blur the editor after replying with a message

See https://community.woltlab.com/thread/292195-probleme-mit-opera-mobile-unter-android/

3 years ago Merge pull request #4532 from WoltLab/unfurl-body-read-failure
Joshua Rüsweg [Wed, 29 Sep 2021 08:46:35 +0000 (10:46 +0200)]
Merge pull request #4532 from WoltLab/unfurl-body-read-failure

Correctly wrap \RuntimeException from body reading in DownloadFailed in UnfurlResponse

3 years ago Correctly wrap \RuntimeException from body reading in DownloadFailed in UnfurlResponse
Tim Düsterhus [Tue, 28 Sep 2021 15:10:05 +0000 (17:10 +0200)]
Correctly wrap \RuntimeException from body reading in DownloadFailed in UnfurlResponse

3 years ago Merge branch '5.3' into 5.4
Tim Düsterhus [Tue, 28 Sep 2021 14:01:19 +0000 (16:01 +0200)]
Merge branch '5.3' into 5.4

3 years ago Merge pull request #4531 from WoltLab/http-request-timeout
Tim Düsterhus [Tue, 28 Sep 2021 13:58:46 +0000 (15:58 +0200)]
Merge pull request #4531 from WoltLab/http-request-timeout

Configure emergency timeout in HTTPRequest

3 years ago Merge remote-tracking branch 'origin/5.4' into 5.4
Tim Düsterhus [Tue, 28 Sep 2021 13:21:30 +0000 (15:21 +0200)]
Merge remote-tracking branch 'origin/5.4' into 5.4

3 years ago Add explicit check whether the port is numeric in Redis wrapper
Tim Düsterhus [Tue, 28 Sep 2021 13:18:52 +0000 (15:18 +0200)]
Add explicit check whether the port is numeric in Redis wrapper

This improves error messages.

3 years ago Merge branch '5.3' into 5.4
Tim Düsterhus [Tue, 28 Sep 2021 13:17:30 +0000 (15:17 +0200)]
Merge branch '5.3' into 5.4

3 years ago Cast the Redis port to int
Tim Düsterhus [Tue, 28 Sep 2021 13:13:42 +0000 (15:13 +0200)]
Cast the Redis port to int

The `Redis::connect()` method expects the `$port` parameter to be an integer.
PHP will automatically cast numeric strings to an integer, but error out with
a TypeError if the string is not a well-formed number. This TypeError will not
be caught in a `catch(\Exception $e)` block, because TypeError does not
inherit Exception.

Perform an explicit cast to ensure the fallback to DiskCacheSource works.

3 years ago Configure emergency timeout in HTTPRequest
Tim Düsterhus [Tue, 28 Sep 2021 12:31:33 +0000 (14:31 +0200)]
Configure emergency timeout in HTTPRequest

The connect and read timeouts might not reliably trigger in all cases.
Configure a large overall timeout to ensure PHP workers will terminate
eventually.

see 2dbd5654cb9faff45bb51df9a2f3834bd320cc00

3 years ago Incorrect detection of HTML tags
Alexander Ebert [Mon, 27 Sep 2021 15:00:48 +0000 (17:00 +0200)]
Incorrect detection of HTML tags

The previous regex was incorrect and caused false-positive matches. One such case was a `<td>The …</td>` which translated into `###td ###The …`, causing it to be recognized as a `<th>`.

The new regex is much more restrictive by requiring at least one whitespace after the tag name if there is additional content.

3 years ago Fix removing reactions on guests content
joshuaruesweg [Mon, 27 Sep 2021 11:16:31 +0000 (13:16 +0200)]
Fix removing reactions on guests content

Since MySQL 8 the deletion of reactions on contents created by guests might fail. The ReactionHandler tries to update the likesReceived column for a non-existent user, sending the empty string as the userID. Recent versions of MySQL 8 error out with MySQL error 1292. The following MySQL bug appears to be related:

https://bugs.mysql.com/bug.php?id=101806

3 years ago Merge pull request #4526 from WoltLab/session-cookie-lifetime
Tim Düsterhus [Mon, 27 Sep 2021 08:32:14 +0000 (10:32 +0200)]
Merge pull request #4526 from WoltLab/session-cookie-lifetime

Decrease the session cookie lifetime leeway to 1 week

3 years ago Decrease the session cookie lifetime leeway to 1 week
Tim Düsterhus [Mon, 27 Sep 2021 08:03:13 +0000 (10:03 +0200)]
Decrease the session cookie lifetime leeway to 1 week

With the increase of the user session lifetime to 2 months, simply multiplying
by two results in an excessive cookie lifetime.

Decrease this to a constant leeway of 1 week. If the cookie in the browser
expires, the session on the server should be long gone, even for wildly
incorrect local clocks.

3 years ago Merge pull request #4525 from WoltLab/session-device-icon
Joshua Rüsweg [Mon, 27 Sep 2021 07:50:54 +0000 (09:50 +0200)]
Merge pull request #4525 from WoltLab/session-device-icon

Move Session::getDeviceIcon() into UserAgent::getDeviceIcon()

3 years ago Move Session::getDeviceIcon() into UserAgent::getDeviceIcon()
Tim Düsterhus [Fri, 24 Sep 2021 14:29:03 +0000 (16:29 +0200)]
Move Session::getDeviceIcon() into UserAgent::getDeviceIcon()

This method does not really belong in the Session class.

3 years ago Validate the XSRF-Token in DeleteSessionAction
Tim Düsterhus [Fri, 24 Sep 2021 13:27:48 +0000 (15:27 +0200)]
Validate the XSRF-Token in DeleteSessionAction

This is not necessarily required, because the `sessionID` already contains high
entropy. However the JavaScript code already provides the XSRF-Token, so let's
validate it for completeness.

3 years ago Remove SECURITY_TOKEN* constants from constants.php
Tim Düsterhus [Fri, 24 Sep 2021 12:34:39 +0000 (14:34 +0200)]
Remove SECURITY_TOKEN* constants from constants.php

These were effectively deprecated in 3f6a261b1e6a3804370eb1e2a046ea6c666dbedd.

3 years ago Remove SID* constants from constants.php
Tim Düsterhus [Fri, 24 Sep 2021 12:33:48 +0000 (14:33 +0200)]
Remove SID* constants from constants.php

These were removed in 8a35fd6de81f1138456fb777eb57d4b3907c0c66.

3 years ago Release 5.4.8 5.4.8
Alexander Ebert [Fri, 24 Sep 2021 09:13:32 +0000 (11:13 +0200)]
Release 5.4.8

3 years ago Release 5.4.8 dev 2 5.4.8_dev_2
Alexander Ebert [Fri, 24 Sep 2021 07:37:56 +0000 (09:37 +0200)]
Release 5.4.8 dev 2

3 years ago Merge pull request #4516 from WoltLab/xsrf-token-error
Tim Düsterhus [Thu, 23 Sep 2021 11:33:54 +0000 (13:33 +0200)]
Merge pull request #4516 from WoltLab/xsrf-token-error

Improve phrasing for XSRF token error messages

3 years ago Improve phrasing in wcf.ajax.error.sessionExpired
Tim Düsterhus [Thu, 23 Sep 2021 10:47:15 +0000 (12:47 +0200)]
Improve phrasing in wcf.ajax.error.sessionExpired

see #4501

3 years ago Improve phrasing in wcf.global.form.error.securityToken
Tim Düsterhus [Thu, 23 Sep 2021 10:44:32 +0000 (12:44 +0200)]
Improve phrasing in wcf.global.form.error.securityToken

see #4501

3 years ago Release 5.4.8 dev 1 5.4.8_dev_1
Alexander Ebert [Wed, 22 Sep 2021 16:35:39 +0000 (18:35 +0200)]
Release 5.4.8 dev 1

3 years ago Updating minified JavaScript files
WoltLab [Wed, 22 Sep 2021 16:11:07 +0000 (16:11 +0000)]
Updating minified JavaScript files

3 years ago Fix typo in setup_en.xml
Tim Düsterhus [Wed, 22 Sep 2021 12:55:44 +0000 (14:55 +0200)]
Fix typo in setup_en.xml

3 years ago Incorrect type comparison when the legacy mysql extension is being used
Marcel Werk [Wed, 22 Sep 2021 08:57:09 +0000 (10:57 +0200)]
Incorrect type comparison when the legacy mysql extension is being used

3 years ago Merge branch '5.3' into 5.4
Tim Düsterhus [Tue, 21 Sep 2021 14:58:07 +0000 (16:58 +0200)]
Merge branch '5.3' into 5.4

3 years ago Merge pull request #4497 from max-m/patch-categoryMultiSelectOptionType
Marcel Werk [Tue, 21 Sep 2021 14:53:14 +0000 (16:53 +0200)]
Merge pull request #4497 from max-m/patch-categoryMultiSelectOptionType

Make `categoryMultiSelectOptionType.tpl` behave like `categoryOptionList.tpl`

3 years ago Take the array key into account when checking whether an unnamed KEY matches in Datab...
Tim Düsterhus [Tue, 21 Sep 2021 14:31:17 +0000 (16:31 +0200)]
Take the array key into account when checking whether an unnamed KEY matches in DatabaseTableChangeProcessor

The reproducer effectively matches d7f721d6f920d66f75102723b504d89e57a8c9ff, except that the KEY
is unnamed.

Previously the update would silently fail to do anything. Now the update fails
loudly, because it attempts to create another index with an existing name. This
is no different behavior compared to an INDEX collision of two unnamed indices
`(a, b)`, `(a, c)`. The developer will be clearly alerted of this issue and can
take appropriate measures to avoid it, e.g. by using explicit names.

see #4434

3 years ago Skip desktop notifications on Android
Alexander Ebert [Tue, 21 Sep 2021 13:23:24 +0000 (15:23 +0200)]
Skip desktop notifications on Android

Notifications are not supported outside of the context of service workers.

See https://community.woltlab.com/thread/292374-chrome-android-failed-to-construct-notification-illegal-constructor/

3 years ago Do not error during validation of TOTP codes if an invalid device is selected
Tim Düsterhus [Tue, 21 Sep 2021 08:59:22 +0000 (10:59 +0200)]
Do not error during validation of TOTP codes if an invalid device is selected

3 years ago Do not pass `null` to `|encodeJS`
Tim Düsterhus [Tue, 21 Sep 2021 08:54:46 +0000 (10:54 +0200)]
Do not pass `null` to `|encodeJS`

This breaks in PHP 8.1.

3 years ago Fix TypeScript code style
Tim Düsterhus [Mon, 20 Sep 2021 16:51:04 +0000 (18:51 +0200)]
Fix TypeScript code style

3 years ago Fix SCSS code style
Tim Düsterhus [Mon, 20 Sep 2021 16:50:03 +0000 (18:50 +0200)]
Fix SCSS code style

3 years ago Use well-specified node.js for Prettier jobs in GitHub Actions
Tim Düsterhus [Mon, 20 Sep 2021 16:47:42 +0000 (18:47 +0200)]
Use well-specified node.js for Prettier jobs in GitHub Actions

3 years ago Update GitHub Actions to node.js 16
Tim Düsterhus [Mon, 20 Sep 2021 16:44:54 +0000 (18:44 +0200)]
Update GitHub Actions to node.js 16

3 years ago Skip bogus selection changes
Alexander Ebert [Mon, 20 Sep 2021 16:25:10 +0000 (18:25 +0200)]
Skip bogus selection changes

3 years ago Skip the check for the caret position if the selection is invalid
Alexander Ebert [Mon, 20 Sep 2021 16:20:28 +0000 (18:20 +0200)]
Skip the check for the caret position if the selection is invalid

3 years ago Merge branch '5.3' into 5.4
Alexander Ebert [Mon, 20 Sep 2021 15:48:46 +0000 (17:48 +0200)]
Merge branch '5.3' into 5.4

3 years ago Incorrect gradient value in Safari
Alexander Ebert [Mon, 20 Sep 2021 15:48:31 +0000 (17:48 +0200)]
Incorrect gradient value in Safari

https://community.woltlab.com/thread/292475-mainmenushowprevious-mainmenushownext-safari-farbunterschied-fehler/

3 years ago Update npm dependencies
Tim Düsterhus [Mon, 20 Sep 2021 15:15:31 +0000 (17:15 +0200)]
Update npm dependencies

3 years ago Fix SCSS code style
Tim Düsterhus [Mon, 20 Sep 2021 14:52:58 +0000 (16:52 +0200)]
Fix SCSS code style

Apparently the replacement of 100% by 1 caused the line to be sufficiently
short to rewrap.

3 years ago Fix use of transparentize() in *.scss
Tim Düsterhus [Mon, 20 Sep 2021 14:47:14 +0000 (16:47 +0200)]
Fix use of transparentize() in *.scss

The function expects a unitless number between 0 and 1 as the second parameter.
The updated SCSS compiler in 5.5+ complains about this misuse.

3 years ago Fix return type for SeekableIterator::* implementations
Tim Düsterhus [Mon, 20 Sep 2021 14:23:41 +0000 (16:23 +0200)]
Fix return type for SeekableIterator::* implementations

The `mixed` type is not available with our current minimum PHP version, thus
using ReturnTypeWillChange for these.

3 years ago Move scssphp to the WoltLab fork
Tim Düsterhus [Mon, 20 Sep 2021 14:01:02 +0000 (16:01 +0200)]
Move scssphp to the WoltLab fork

This is for PHP 8.1 compatibility.

3 years ago Merge branch '5.4' of https://github.com/WoltLab/WCF into 5.4
Alexander Ebert [Mon, 20 Sep 2021 13:58:59 +0000 (15:58 +0200)]
Merge branch '5.4' of https://github.com/WoltLab/WCF into 5.4

3 years ago Enable `X-Frame-Options` for the WCFSetup
Alexander Ebert [Mon, 20 Sep 2021 13:58:51 +0000 (15:58 +0200)]
Enable `X-Frame-Options` for the WCFSetup

This has the side effect of suppressing `SameSite=none` for the cookies, which fails on insecure connections because this attribute value is valid for secure cookies only.

Resolves #4499
Follow up for 2a9d48c4badc4de2e0f2d2fc73c3af2bee39cce8

3 years ago Fix return type of `count()` for the remaining classes implementing \Countable
Tim Düsterhus [Mon, 20 Sep 2021 13:48:03 +0000 (15:48 +0200)]
Fix return type of `count()` for the remaining classes implementing \Countable

see 3f6b343d10b044ab08d41fec525f69ffe0a95e49

3 years ago Fix PHP 8.1 compatibility in DatabaseObjectList
Tim Düsterhus [Mon, 20 Sep 2021 13:44:14 +0000 (15:44 +0200)]
Fix PHP 8.1 compatibility in DatabaseObjectList

> Return type of wcf\data\DatabaseObjectList::count() should either be
> compatible with Countable::count(): int, or the #[ReturnTypeWillChange]
> attribute should be used to temporarily suppress the notice […]

3 years ago Enable `X-Frame-Options` for the WCFSetup
Alexander Ebert [Mon, 20 Sep 2021 13:31:54 +0000 (15:31 +0200)]
Enable `X-Frame-Options` for the WCFSetup

This has the side effect of suppressing `SameSite=none` for the cookies, which fails on insecure connections because this attribute value is valid for secure cookies only.

Resolves #4499

3 years ago Skip the default cover photo when rebuilding users
Alexander Ebert [Mon, 20 Sep 2021 12:17:50 +0000 (14:17 +0200)]
Skip the default cover photo when rebuilding users

Fixes #4500

3 years ago Set the XSRF-Token cookie to SameSite=lax
Tim Düsterhus [Mon, 20 Sep 2021 11:37:54 +0000 (13:37 +0200)]
Set the XSRF-Token cookie to SameSite=lax

As it turns out, `strict` is too strict for some use cases of the average user,
as it might suppress the cookie when the user researches something while
writing a post and ultimately comes back to the community via an external link.

This request will not have the XSRF-Token cookie attached due to violating the
`strict` policy, resulting in WoltLab Suite sending a fresh cookie in response.
This will then invalidate the token stored in the form where the user is in the
process of writing their post, ultimately resulting in an error message.

The `SameSite` value is meant as a defense in depth measure to protect the user
even if their current token leaked in some way. Reducing the strictness does not
reduce the security in a measurable way.

3 years ago Typo
Marcel Werk [Fri, 17 Sep 2021 12:15:30 +0000 (14:15 +0200)]
Typo