Tim Düsterhus [Thu, 15 Dec 2022 14:03:05 +0000 (15:03 +0100)]
Merge pull request #5190 from WoltLab/php-ddl-foreign-key-drop
Fix dropping of misnamed foreign keys in PHP DDL
Tim Düsterhus [Thu, 15 Dec 2022 13:22:10 +0000 (14:22 +0100)]
Fix dropping of misnamed foreign keys in PHP DDL
Foreign keys are matched up by their `getDiffData()` which includes the column
list, referenced column list and referenced table, but does not include the name.
This effectively ensures that only a single foreign key exists for each
possible combination of source and target columns.
Dropping foreign keys however relies on the foreign key’s name being sent to
the database and this is currently broken when the foreign key name differs
from the expected name:
The misnamed key will be matched up, but the DROP query will send the expected
name, instead of the actual name.
Fix this by inserting the `$matchingExistingForeignKey` into the list of keys
to drop, which makes sense, because the existing key is what should be dropped
in the first place.
Tim Düsterhus [Tue, 13 Dec 2022 14:11:42 +0000 (15:11 +0100)]
Merge pull request #5186 from WoltLab/fileDelete-validation
Fix validation in AbstractFileDeletePackageInstallationPlugin
Tim Düsterhus [Tue, 13 Dec 2022 14:02:52 +0000 (15:02 +0100)]
Silently skip files belonging to other packages in AbstractFileDeletePackageInstallationPlugin
Instead of throwing, we just silently skip files belonging to other packages,
because this implies that the file no longer exists for the package in
question.
Tim Düsterhus [Tue, 13 Dec 2022 13:31:04 +0000 (14:31 +0100)]
Fix validation in AbstractFileDeletePackageInstallationPlugin
The query for logged files must not include the `packageID` in its condition,
as the entire purpose is retrieving all the `packageID`s for installed files to
compare them against the package that is currently installed or updated. Thus
by selecting only files for the current packageID the purpose is defeated.
see 672cd6166b684767a3fc8ee1fd6a4516d2061285
Tim Düsterhus [Mon, 12 Dec 2022 14:19:24 +0000 (15:19 +0100)]
Merge pull request #5184 from WoltLab/external-image-internal-hostname
Merge `INTERNAL_HOSTNAMES` into list of allowed image domains
Tim Düsterhus [Mon, 12 Dec 2022 13:43:03 +0000 (14:43 +0100)]
Merge `INTERNAL_HOSTNAMES` into list of allowed image domains
Fixes #5146
Tim Düsterhus [Mon, 12 Dec 2022 13:36:11 +0000 (14:36 +0100)]
Use BBCodeHandler::getImageExternalSourceWhitelist() in HtmlOutputNodeImg
Related to #5146
Tim Düsterhus [Mon, 12 Dec 2022 09:28:28 +0000 (10:28 +0100)]
Fix baseclass inheritance check in DatabaseObjectList::__construct()
see https://www.woltlab.com/community/thread/298219-fehlerhafte-%C3%BCberpr%C3%BCfung-der-databaseobjectdecorator-baseclass/
Alexander Ebert [Fri, 9 Dec 2022 18:04:02 +0000 (19:04 +0100)]
Fix the insertion of tables into the editor
See https://www.woltlab.com/community/thread/298250-tabellen-einf%C3%BCgen-via-ipad-nicht-mehr-m%C3%B6glich/
Alexander Ebert [Fri, 9 Dec 2022 14:59:26 +0000 (15:59 +0100)]
Fix the logic to display the button for the participant list
See https://www.woltlab.com/community/thread/298009-teilnehmer-bei-umfragen-nicht-%C3%B6ffentlich-sichtbar/
Alexander Ebert [Fri, 9 Dec 2022 12:49:24 +0000 (13:49 +0100)]
The `$value` for `getFormElement()` is nullable
See https://www.woltlab.com/community/thread/298187-explode-passing-null-to-parameter-2-string-of-type-string-is-deprecated-php-8-1/
Tim Düsterhus [Tue, 6 Dec 2022 11:22:59 +0000 (12:22 +0100)]
Stop using undefined properties in SearchHandler::saveSearch()
These are not intended to be stored on the class and not used elsewhere, the
`this->` is likely a copy and paste mistake in the initial implementation.
see 11b63e8aa4e1a71425e1bffd7eb28f9db4a4bf13
Marcel Werk [Wed, 30 Nov 2022 15:12:55 +0000 (16:12 +0100)]
Merge pull request #5151 from SoftCreatR/bugfix/tpl
Make unfurlUrl template available in ACP
Sascha Greuel [Tue, 29 Nov 2022 09:38:01 +0000 (10:38 +0100)]
Made unfurlUrl template available in ACP
See https://www.woltlab.com/community/thread/298168-artikel-erstellen-im-acp-bringt-fehler-bei-vorschau/
Tim Düsterhus [Fri, 25 Nov 2022 11:01:05 +0000 (12:01 +0100)]
Merge pull request #5142 from WoltLab/php-ddl-index-validate
Fix validation of changed indices in PHP DDL
Tim Düsterhus [Thu, 24 Nov 2022 10:17:33 +0000 (11:17 +0100)]
Fix validation of changed indices in PHP DDL
The validation of the to-be-performed DDL operation currently identifies
indices by their data (i.e. column list and type), whereas the actual DDL
operation uses the `->diffIndices()` operation which also takes into account
the name of the index.
This mismatch allows a package to drop a foreign index, consider the following
situation:
Package A:
    DatabaseTable::create('wcf1_test')
        ->columns([
            NotNullInt10DatabaseTableColumn::create('a'),
            NotNullInt10DatabaseTableColumn::create('b'),
        ])
        ->indices([
            DatabaseTableIndex::create('testing')
                ->columns(['a']),
        ])
The package creates a table with two columns and a named index (“testing”) that
includes one of the columns.
Now Package B:
    DatabaseTable::create('wcf1_test')
        ->indices([
            DatabaseTableIndex::create('testing')
                ->columns(['a', 'b'])
                ->drop(),
        ])
This definition drops the named index (“testing”), but with a different column
definition. Thus the validation believes the indices to be different, allowing
the operation to proceed. The actual operation however identifies the index by
its name and thus drops the “testing” index that belongs to a different
package.
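Added example, not part of the commit or of WoltLab's code: a simplified model of the mismatch described above, where validation identifies an index by its column list while the operation identifies it by name. The array shapes, the function names and `validateByName()` (one possible check that uses the operation's identity) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Simplified model of the mismatch; array shapes and function names are
// hypothetical and do not mirror WoltLab's classes.

/** Validation as described: identify the targeted index by its data (column list). */
function validateByData(array $existing, array $drop, string $package): array
{
    foreach ($existing as $index) {
        if ($index['columns'] === $drop['columns'] && $index['owner'] !== $package) {
            return ["index '{$index['name']}' belongs to package {$index['owner']}"];
        }
    }

    return []; // no index with this data was found, so nothing is objected to
}

/** Validation that uses the same identity as the operation: the index name. */
function validateByName(array $existing, array $drop, string $package): array
{
    foreach ($existing as $index) {
        if ($index['name'] === $drop['name'] && $index['owner'] !== $package) {
            return ["index '{$index['name']}' belongs to package {$index['owner']}"];
        }
    }

    return [];
}

/** The operation itself: drops whatever index carries the requested name. */
function applyDrop(array $existing, array $drop): array
{
    return array_values(array_filter(
        $existing,
        static fn (array $index): bool => $index['name'] !== $drop['name']
    ));
}

// Constructed state mirroring the commit message: package A owns "testing" on (a).
$existing = [['name' => 'testing', 'columns' => ['a'], 'owner' => 'A']];
// Package B asks to drop "testing", declared with the columns (a, b).
$drop = ['name' => 'testing', 'columns' => ['a', 'b']];

foreach (['validateByData', 'validateByName'] as $validator) {
    $errors = $validator($existing, $drop, 'B');
    // The drop is only executed when validation raised no error.
    $after = $errors === [] ? applyDrop($existing, $drop) : $existing;
    printf("%-15s errors=%d indices left=%d\n", $validator, count($errors), count($after));
}
```

With the data-based check the drop passes validation and package A's index disappears; with the name-based check the same request is rejected and the index survives.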
Alexander Ebert [Thu, 24 Nov 2022 17:08:53 +0000 (18:08 +0100)]
Release 5.5.7
Alexander Ebert [Thu, 24 Nov 2022 14:39:19 +0000 (15:39 +0100)]
The `$value` for `getSearchFormElement()` is nullable
See https://www.woltlab.com/community/thread/297958-fehler-bei-suche-mit-php-8-1/
Alexander Ebert [Thu, 24 Nov 2022 14:34:08 +0000 (15:34 +0100)]
Revert "`getSearchFormElement()` expects a string for the value parameter"
This reverts commit d2beab69c1aee0a33cfe8bdb7d967da2300b1691.
Tim Düsterhus [Tue, 22 Nov 2022 12:47:43 +0000 (13:47 +0100)]
Merge pull request #5137 from WoltLab/store-code-refresh
Refresh the package database in Package/QuickInstallation.ts
Tim Düsterhus [Tue, 22 Nov 2022 12:45:58 +0000 (13:45 +0100)]
Merge pull request #5133 from WoltLab/i18n-form-field-one-language
Fix TI18nFormField if only one language is active
Tim Düsterhus [Tue, 22 Nov 2022 11:43:04 +0000 (12:43 +0100)]
Update to TypeScript 4.9
Tim Düsterhus [Tue, 22 Nov 2022 11:18:56 +0000 (12:18 +0100)]
Update eslint npm dependency
Tim Düsterhus [Tue, 22 Nov 2022 09:21:21 +0000 (10:21 +0100)]
Refresh the package database in Package/QuickInstallation.ts
Fixes #5135
Tim Düsterhus [Mon, 21 Nov 2022 11:26:55 +0000 (12:26 +0100)]
Fix TI18nFormField if only one language is active
Fixes #5131
Tim Düsterhus [Mon, 21 Nov 2022 10:27:39 +0000 (11:27 +0100)]
Update eslint npm dependency
Tim Düsterhus [Mon, 21 Nov 2022 09:01:13 +0000 (10:01 +0100)]
Fix erroneous encoding of ampersands in HtmlInputProcessor::convertToHtml()
see f8deb9077dc485487bf53f9930ff956fbca1127b
see https://www.woltlab.com/community/thread/298042-werden-beim-import-falsch-ersetzt/
Alexander Ebert [Thu, 17 Nov 2022 11:44:23 +0000 (12:44 +0100)]
Release 5.5.7 dev 1
WoltLab [Thu, 17 Nov 2022 11:33:20 +0000 (11:33 +0000)]
Updating minified JavaScript files
Alexander Ebert [Wed, 16 Nov 2022 16:30:05 +0000 (17:30 +0100)]
Construct the profile url using just the user id
The attempt to embed the username into the URL is flawed, because it provides none of the server side transformations performed when naturally generating those URLs.
The current implementation causes a redirect for most usernames anyway. Besides, those redirects take place early in the processing of the controller and thus are acceptable.
Removing the username from the artificially constructed URL will now always cause a redirect, but does not break web servers with less permissive rewrite rules.
See https://www.woltlab.com/community/thread/297758-url-memberlist-suche-%C3%ACst-falsch/
Alexander Ebert [Wed, 16 Nov 2022 12:41:34 +0000 (13:41 +0100)]
Schedule the restore of the scroll position for the next loop
The previous delay of 1ms causes issues with actions that also try to delay their execution to the next run of the event loop. These will get executed while the page offset has not been adjusted, causing the calculations to be incorrect.
This primarily affects the editor which makes use of `setTimeout()` to work around some browser limitations.
See https://www.woltlab.com/community/thread/297841-einf%C3%BCgen-von-links-in-den-editor/
Tim Düsterhus [Wed, 16 Nov 2022 10:29:25 +0000 (11:29 +0100)]
Update `@types/google.maps` and `@types/facebook-js-sdk`
Tim Düsterhus [Wed, 16 Nov 2022 10:28:24 +0000 (11:28 +0100)]
Update eslint
Tim Düsterhus [Wed, 16 Nov 2022 10:24:42 +0000 (11:24 +0100)]
Update `tslib`
Alexander Ebert [Tue, 15 Nov 2022 17:00:11 +0000 (18:00 +0100)]
Add the CSS class `.formAttachmentListItem` to existing attachments on page load
See https://www.woltlab.com/community/thread/297604-dateianh%C3%A4nge-werden-bei-mehrsprachigkeit-nicht-zwischen-editoren-synchronisiert/
Alexander Ebert [Sun, 13 Nov 2022 16:15:04 +0000 (17:15 +0100)]
`getSearchFormElement()` expects a string for the value parameter
Alexander Ebert [Sun, 13 Nov 2022 16:14:24 +0000 (17:14 +0100)]
Validate that the searched option implements the required interface
Alexander Ebert [Sun, 13 Nov 2022 15:43:36 +0000 (16:43 +0100)]
Remove selection markers after discarding the link dialog
See https://www.woltlab.com/community/thread/297178-links-bearbeiten-und-kopieren/
Alexander Ebert [Sun, 13 Nov 2022 15:09:23 +0000 (16:09 +0100)]
Bind the event listeners for the RSS feed dialog every time
The dialog is replaced with the provided HTML on every invocation. Since this is a named dialog, the instance is set up once, but rebuilt with every invocation.
See https://www.woltlab.com/community/thread/297896-kopieren-schaltfl%C3%A4che-nach-erneutem-%C3%B6ffnen-des-dialogs-nicht-mehr-funktionsf%C3%A4hig/
Alexander Ebert [Sun, 13 Nov 2022 14:53:58 +0000 (15:53 +0100)]
Fix the scroll offset when the first message is being targeted
See https://www.woltlab.com/community/thread/297814-mobil-zus%C3%A4tzlicher-container-sichtbar-bei-direktlink-auf-den-ersten-beitrag-eine/
Alexander Ebert [Fri, 11 Nov 2022 15:49:33 +0000 (16:49 +0100)]
Merge pull request #5119 from WoltLab/acp-not-authorized-ux
Improve user experience when accessing the ACP with an unauthorized user
Marcel Werk [Fri, 11 Nov 2022 15:24:31 +0000 (16:24 +0100)]
Typo
Alexander Ebert [Fri, 11 Nov 2022 14:41:45 +0000 (15:41 +0100)]
Prevent wrapping of text on narrow resolutions
There is plenty of whitespace around each column to allow for some small overlaps.
https://www.woltlab.com/community/thread/297666-blog-unsch%C3%B6ne-darstellung-der-reaktionen/
Tim Düsterhus [Thu, 10 Nov 2022 14:00:18 +0000 (15:00 +0100)]
Improve user experience when accessing the ACP with an unauthorized user
Specifically the logout link is available now.
Marcel Werk [Tue, 8 Nov 2022 14:25:30 +0000 (15:25 +0100)]
Fix missing consideration of the ad position when calculating the show order
Tim Düsterhus [Mon, 7 Nov 2022 10:00:16 +0000 (11:00 +0100)]
Fix typo in de.xml
Tim Düsterhus [Wed, 2 Nov 2022 08:51:43 +0000 (09:51 +0100)]
Merge pull request #5099 from WoltLab/articlelist-comments-column
Remove comments column from ACP's ArticleListPage
Tim Düsterhus [Wed, 2 Nov 2022 08:51:30 +0000 (09:51 +0100)]
Merge pull request #5100 from WoltLab/notification-email-unconfirmed
Discard notification emails if the recipient’s email address is unconfirmed
Tim Düsterhus [Mon, 31 Oct 2022 15:35:50 +0000 (16:35 +0100)]
Discard notification emails if the recipient’s email address is unconfirmed
This change discards notification emails if the recipient’s email address is
unconfirmed after the email was created and before the email was actually sent.
An example might be that the background queue is delayed, due to the mail
server’s spam protection kicking in, allowing the admin to unconfirm email
addresses of email addresses that are no longer valid to prevent more bounces
from being generated.
Tim Düsterhus [Mon, 31 Oct 2022 12:53:14 +0000 (13:53 +0100)]
Remove comments column from ACP's ArticleListPage
This column was effectively broken since the introduction of pluggable
discussion providers and is completely broken (always showing zero) since the
`comments` column was moved from the article to the article content in
75c21dfd1231389b2e3f527fc202dfec8f5c808b.
Tim Düsterhus [Mon, 31 Oct 2022 12:40:44 +0000 (13:40 +0100)]
Merge pull request #5098 from Krymonota/patch-23
Fix typos in German language items
Niklas [Mon, 31 Oct 2022 12:30:27 +0000 (13:30 +0100)]
Fix package update error message typos (`de.xml`)
Niklas [Mon, 31 Oct 2022 12:27:16 +0000 (13:27 +0100)]
Fix capitalization and add missing hyphen (`de.xml`)
Niklas [Mon, 31 Oct 2022 12:23:53 +0000 (13:23 +0100)]
Add missing commas preceding "um" (`de.xml`)
Sascha Greuel [Mon, 31 Oct 2022 11:04:20 +0000 (12:04 +0100)]
Update outdated links within phrases (#5096)
see #5095
see https://www.woltlab.com/community/thread/297811-neuer-twitter-link-registrierung/
Sascha Greuel [Mon, 31 Oct 2022 09:38:44 +0000 (10:38 +0100)]
Update Twitter Developer link (#5095)
See https://www.woltlab.com/community/thread/297811-neuer-twitter-link-registrierung/
Niklas [Mon, 31 Oct 2022 08:09:02 +0000 (09:09 +0100)]
Fix typo in PHPDoc in `ValueFormFieldDependency` (#5089)
Tim Düsterhus [Thu, 27 Oct 2022 15:29:42 +0000 (17:29 +0200)]
Fix CryptoUtil API misuse in SessionHandler
The previous version was not incorrect (we never sign a falsy string in
SessionHandler). However the return value should always be explicitly compared
to `null` to make verification of correctness easier.
Tim Düsterhus [Wed, 26 Oct 2022 15:06:11 +0000 (17:06 +0200)]
Update `guzzlehttp/psr7` composer dependency
Tim Düsterhus [Tue, 25 Oct 2022 14:20:40 +0000 (16:20 +0200)]
Update `guzzlehttp/psr7` composer dependency
Hanashi [Sat, 22 Oct 2022 15:29:25 +0000 (17:29 +0200)]
Change autoIncrement default type to false if autoIncrement is not set
Alexander Ebert [Sat, 22 Oct 2022 12:01:22 +0000 (14:01 +0200)]
Merge pull request #5065 from HanashiDev/fix/timedatabasetablecolumn
Fix double implements in TimeDatabaseTableColumn
Hanashi [Sat, 22 Oct 2022 07:38:47 +0000 (09:38 +0200)]
Fix double "implements" in TimeDatabaseTableColumn
Tim Düsterhus [Fri, 21 Oct 2022 08:52:42 +0000 (10:52 +0200)]
Add missing module comments to `.d.ts` files
Tim Düsterhus [Wed, 19 Oct 2022 15:01:48 +0000 (17:01 +0200)]
Merge pull request #5057 from WoltLab/smtp-email-fails-to-stringify
Improve the behavior of the SmtpEmailTransport if generating the DATA value fails
Tim Düsterhus [Wed, 19 Oct 2022 14:50:02 +0000 (16:50 +0200)]
Improve the behavior of the SmtpEmailTransport if generating the DATA value fails
Alexander Ebert [Tue, 18 Oct 2022 14:50:50 +0000 (16:50 +0200)]
Release 5.5.6
Alexander Ebert [Tue, 18 Oct 2022 14:47:06 +0000 (16:47 +0200)]
Merge branch '5.4' into 5.5
Alexander Ebert [Tue, 18 Oct 2022 14:44:19 +0000 (16:44 +0200)]
Release 5.4.24
Alexander Ebert [Tue, 18 Oct 2022 14:43:34 +0000 (16:43 +0200)]
Merge branch '5.3' into 5.4
Alexander Ebert [Tue, 18 Oct 2022 14:38:23 +0000 (16:38 +0200)]
Release 5.3.25
Tim Düsterhus [Tue, 18 Oct 2022 14:28:22 +0000 (16:28 +0200)]
Merge branch '5.4' into 5.5
Tim Düsterhus [Tue, 18 Oct 2022 14:28:10 +0000 (16:28 +0200)]
Merge branch '5.3' into 5.4
Tim Düsterhus [Tue, 18 Oct 2022 14:25:39 +0000 (16:25 +0200)]
Merge branch 'js-relocate-xss' into 5.3
Tim Düsterhus [Fri, 14 Oct 2022 10:25:05 +0000 (12:25 +0200)]
Add missing return value to cleanup() in AclFormField/WysiwygFormField
see #5032
Tim Düsterhus [Thu, 13 Oct 2022 15:19:17 +0000 (17:19 +0200)]
Fix XSS vulnerability within the JavaScript relocator
If the relocation placeholder appeared multiple times within the source code,
it would also be replaced multiple times. This might allow an attacker to blow
up the HTML structure by including the placeholder within UGC.
Fix this issue by only ever replacing the last placeholder, which should be the
“real” one from footer.tpl. In the future this should be protected further by
including a random nonce to prevent this attack entirely.
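Added example, not part of the commit or of WoltLab's code: a simplified model of the three behaviours the message above describes (replace every placeholder, replace only the last one, use a per-request nonce). The placeholder token, the function names and the page markup are constructed for illustration and are not the project's actual marker or API.

```php
<?php
declare(strict_types=1);

// Constructed placeholder token for this sketch; not the project's actual marker.
const PLACEHOLDER = '@@JS_RELOCATE_POSITION@@';

/** Pre-fix behaviour as the commit message describes it: every occurrence is replaced. */
function relocateAll(string $html, string $scripts): string
{
    return str_replace(PLACEHOLDER, $scripts, $html);
}

/** Fixed behaviour: only the last occurrence (the one emitted by the footer) is replaced. */
function relocateLast(string $html, string $scripts): string
{
    $pos = strrpos($html, PLACEHOLDER);
    if ($pos === false) {
        return $html;
    }

    return substr_replace($html, $scripts, $pos, strlen(PLACEHOLDER));
}

/** Future hardening named in the message: a per-request marker that UGC cannot predict. */
function makeNoncePlaceholder(): string
{
    return '@@JS_RELOCATE_' . bin2hex(random_bytes(16)) . '@@';
}

/** Renders escaped UGC followed by the footer marker (constructed markup). */
function renderPage(string $ugc, string $placeholder): string
{
    $safe = htmlspecialchars($ugc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return "<p class=\"message\">{$safe}</p>\n<footer>{$placeholder}</footer>";
}

$scripts = '<script src="/js/app.js"></script>';
// Constructed user input: the token has no HTML-special characters, so escaping leaves it intact.
$ugc = 'hello ' . PLACEHOLDER;

$all = relocateAll(renderPage($ugc, PLACEHOLDER), $scripts);
$last = relocateLast(renderPage($ugc, PLACEHOLDER), $scripts);

$nonce = makeNoncePlaceholder();
$nonced = str_replace($nonce, $scripts, renderPage($ugc, $nonce));

printf("replace all   : %d script block(s)\n", substr_count($all, '<script'));
printf("replace last  : %d script block(s), %d inert marker(s) left in UGC\n",
    substr_count($last, '<script'), substr_count($last, PLACEHOLDER));
printf("nonce marker  : %d script block(s)\n", substr_count($nonced, '<script'));
```

Replacing only the last occurrence is correct only while nothing user-controlled is rendered after the footer marker; the nonce variant does not depend on that ordering.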
Alexander Ebert [Thu, 13 Oct 2022 14:42:04 +0000 (16:42 +0200)]
Release 5.5.6 dev 1
WoltLab [Thu, 13 Oct 2022 14:29:22 +0000 (14:29 +0000)]
Updating minified JavaScript files
Alexander Ebert [Tue, 11 Oct 2022 15:35:52 +0000 (17:35 +0200)]
Force the editor to be focused after inserting quotes
Alexander Ebert [Tue, 11 Oct 2022 11:50:07 +0000 (13:50 +0200)]
Fix a race condition when inserting into the editor from a dialog context
Alexander Ebert [Tue, 11 Oct 2022 11:04:11 +0000 (13:04 +0200)]
Fix the reference to the current class name
Alexander Ebert [Tue, 11 Oct 2022 10:52:23 +0000 (12:52 +0200)]
Incorrect detection of numerical lists using `[list=1]`
Alexander Ebert [Mon, 10 Oct 2022 17:58:03 +0000 (19:58 +0200)]
Skip unrelated stylesheets when compiling the frontend style
See https://www.woltlab.com/community/thread/296365-scss-dateien-unter-acp-style-werden-f%C3%BCr-das-frontend-kompiliert/
Alexander Ebert [Mon, 10 Oct 2022 17:50:20 +0000 (19:50 +0200)]
Preserve the category parameter after submitting the settings
See https://www.woltlab.com/community/thread/297264-zur%C3%BCcksetzen-der-verlinkung-in-den-einstellungen/
Alexander Ebert [Mon, 10 Oct 2022 17:39:22 +0000 (19:39 +0200)]
Skip attempts to install the same package twice
See https://www.woltlab.com/community/thread/297390-fehler-bei-installation-mit-storecode/
Alexander Ebert [Mon, 10 Oct 2022 16:42:30 +0000 (18:42 +0200)]
Skip incomplete articles that contain no content
See https://www.woltlab.com/community/thread/297481-trying-to-get-property-comments-of-non-object/
Alexander Ebert [Mon, 10 Oct 2022 14:31:16 +0000 (16:31 +0200)]
Fix the check for enabled wysiwyg form tabs
See https://www.woltlab.com/community/thread/297588-settingstab-wird-nur-angezeigt-wenn-module-smiley-aktiviert-ist/
Tim Düsterhus [Thu, 6 Oct 2022 14:50:32 +0000 (16:50 +0200)]
Merge pull request #5029 from WoltLab/template-pip-validation
Improve validation of the file list within the template PIP archives
Tim Düsterhus [Thu, 6 Oct 2022 13:30:05 +0000 (15:30 +0200)]
Check WCF::AVAILABLE_UPGRADE_VERSION in PackageEnableUpgradeOverrideForm
Tim Düsterhus [Thu, 6 Oct 2022 12:35:41 +0000 (14:35 +0200)]
Improve validation of the file list within the template PIP archives
It previously was possible to deploy all kinds of garbage that was impossible
to clean up later, because the uninstallation assumes that the templates have a
`.tpl` file extension.
Resolves #4698
Tim Düsterhus [Wed, 5 Oct 2022 15:10:55 +0000 (17:10 +0200)]
Merge pull request #5025 from WoltLab/user-storage-parameter-types
Add proper parameter types to UserStorageHandler
Tim Düsterhus [Wed, 5 Oct 2022 13:23:16 +0000 (15:23 +0200)]
Add proper parameter types to UserStorageHandler
Previously attempting to store an array in the user storage without manually
serializing it appeared to succeed, as the `->update()` call accepted it and
stored it in the `->log`. However the actual persisting would fail during
shutdown, as the array would be implicitly converted to a string, thus causing
a PHP Warning to be emitted.
Add parameter types to ensure the error is immediately detected when calling
`->update()`, as errors during shutdown are very hard to debug.
Return types are not added, as UserStorageHandler is not final and thus
technically child classes could exist. Adding types would break these child
classes.
see https://www.woltlab.com/community/thread/297525-array-to-string-conversion-fehlermeldung/
Tim Düsterhus [Tue, 4 Oct 2022 15:01:13 +0000 (17:01 +0200)]
Show the email address in the English version of the Email MFA method's description
Fixes #5018
Tim Düsterhus [Thu, 29 Sep 2022 15:13:35 +0000 (17:13 +0200)]
Properly handle enterprise mode permissions when showing systemIdMismatch in acp/index.tpl
see b7a2fba6ba6498a1c3a618addf6084ddfc7aa5c9
Alexander Ebert [Thu, 22 Sep 2022 16:06:57 +0000 (18:06 +0200)]
Release 5.5.5
Alexander Ebert [Thu, 22 Sep 2022 16:01:05 +0000 (18:01 +0200)]
Merge branch '5.4' into 5.5
Alexander Ebert [Thu, 22 Sep 2022 15:12:13 +0000 (17:12 +0200)]
Release 5.4.23
Tim Düsterhus [Thu, 22 Sep 2022 11:09:54 +0000 (13:09 +0200)]
Remove redundant TTestableCategorizedUserNotificationEvent from ArticleComment*UserNotificationEvent
This is already provided by TTestableArticleCommentUserNotificationEvent.
see #4777
Tim Düsterhus [Wed, 21 Sep 2022 14:36:37 +0000 (16:36 +0200)]
Update for PHP CS Fixer 3.11.0