Commit Graph

4528 Commits

Author SHA1 Message Date
Dan Brown
1dc094ffaf
OIDC: Added testing of PKCE flow
Also compared full flow to RFC spec during this process
2024-01-27 16:41:15 +00:00
Dan Brown
3e9e196cda
OIDC: Added PKCE functionality
Related to #4734.
Uses core logic from League AbstractProvider.
2024-01-25 14:24:46 +00:00
Dan Brown
5903823eed
Merge pull request #4796 from BookStackApp/v23-12
Merge in v23.12.2 changes
2024-01-24 10:38:14 +00:00
Dan Brown
8fb9d9d4c2
Dependancies: Updated PHP deps via composer 2024-01-24 10:27:09 +00:00
Dan Brown
eff7aa0f73
Updated translator attribution before v23.12.2 release 2024-01-24 10:25:24 +00:00
Dan Brown
14ecb19b05
Merged l10n_development into v23-12
Squash merge
Closes #4779
2024-01-24 10:23:09 +00:00
Sascha
0fc02a2532
fixed error from phpcs 2024-01-23 22:37:15 +01:00
Sascha
8c6b116472
Update TrashCan.php
remove duplicate call of $page->forceDelete();
2024-01-23 21:37:00 +01:00
Dan Brown
69c8ff5c2d
Entity selector: Fixed initial load overwriting initial search
This changes how initial searches can be handled via config rather than
specific action so they can be considered in how the initial data load
is done, to prevent the default empty state loading and overwriting the
search data if it lands later (which was commonly likely).

For #4778
2024-01-23 15:42:13 +00:00
Dan Brown
788327fffb
Attachment List: Fixed broken ctrl-click functionality
Fixes #4782
2024-01-23 15:01:07 +00:00
Dan Brown
655ae5ecae
Text: Tweaks to EN text for consistency/readability
As suggested by Tim in discord chat.
2024-01-23 12:31:44 +00:00
Dan Brown
d5a91d0d35
Merge pull request #4758 from BookStackApp/range_request_support
Range request support
2024-01-17 11:10:38 +00:00
Dan Brown
a4fd825fe2
Merge branch 'development' of github.com:BookStackApp/BookStack into development 2024-01-16 12:14:44 +00:00
Dan Brown
496b4264d9
Updated translator attribution 2024-01-16 12:14:25 +00:00
Dan Brown
57284bb869
Updated translations with latest Crowdin changes (#4747) 2024-01-16 12:10:22 +00:00
Dan Brown
adf1806fea
Chapters API: Added missing book_slug field
Was removed during previous changes, but reflected in response examples.
This adds into all standard single chapter responses.
For #4765
2024-01-16 12:06:13 +00:00
Dan Brown
2dc454d206
Uploads: Explicitly disabled s3 streaming in config
This was the default option anyway, just adding here for
better visibility of this being set.
Can't enable without issues as the app will attempt to seek which does
not work for these streams. Also have not tested on non-s3, s3-like
systems.
2024-01-15 13:36:04 +00:00
Dan Brown
c1552fb799
Attachments: Drag and drop video support
Supports dragging and dropping video attahchments to embed them in the
editor as HTML video tags.
2024-01-15 11:57:20 +00:00
Dan Brown
91d8d6eaaa
Range requests: Added test cases to cover functionality
Fixed some found issues in the process.
2024-01-14 15:50:00 +00:00
Dan Brown
afbbcafd44
Readme: Updates sponsor list 2024-01-10 14:33:49 +00:00
Dan Brown
d94762549a
Range requests: Added basic HTTP range support 2024-01-07 20:34:03 +00:00
Dan Brown
b4d9029dc3
Range requests: Extracted stream output handling to new class 2024-01-07 14:03:13 +00:00
Sascha
70bfebcd7c
Added Default Templates for Chapters 2024-01-01 21:58:49 +01:00
Dan Brown
b191d8f99f
Updated translator attribution before release v23.12 2023-12-29 12:08:39 +00:00
Dan Brown
c017f5bed1
Updated translations with latest Crowdin changes (#4658) 2023-12-28 17:49:38 +00:00
Dan Brown
5b1929a39a
Languages: Added Finnish to language list 2023-12-28 15:24:51 +00:00
Dan Brown
02d94c8798
Permissions: Updated generation querying to be more efficient
Query of existing entity permissions during view permission generation
could cause timeouts or SQL placeholder limits due to massive whereOr
query generation, where an "or where" clause would be created for each
entity type/id combo involved, which could be all within 20 books.

This updates the query handling to use a query per type involved, with
no "or where"s, and to be chunked at large entity counts.

Also tweaked role-specific permission regen to chunk books at
half-previous rate to prevent such a large scope being involved on each
chunk.

For #4695
2023-12-23 13:35:57 +00:00
Dan Brown
88ee33ee49
Deps: Updated php depenencies via composer 2023-12-22 15:48:46 +00:00
Dan Brown
529f7bd1bc
Merge pull request #4729 from BookStackApp/description_wysiwyg
Simple WYSIWYG for description fields and comments
2023-12-22 15:28:13 +00:00
Dan Brown
3668949705
Input WYSIWYG: Fixed up some dark mode elements 2023-12-22 15:16:06 +00:00
Dan Brown
7cd0629a75
Input WYSIWYG: Updated exports to handle HTML descriptions 2023-12-22 14:57:20 +00:00
Dan Brown
fb3cfaf7c7
Input WYSIWYG: Updated API examples to align with changes 2023-12-22 14:37:48 +00:00
Dan Brown
2a7a81e749
Input WYSIWYG: Updated API testing, fixed description set issue
Fixed issue where an existing description_html field would not be
updated via 'description' input.
2023-12-22 13:17:23 +00:00
Dan Brown
00ae04e0bd
Input WYSIWYG: Updated API to show/accept html descriptions
Also aligned books, shelves and chapters to return description content
and some relations (where not breaking API) in create/update responses
also so that information can be seen direct from that input in a
request.

API docs and tests not yet updated to match.
2023-12-21 13:23:52 +00:00
Dan Brown
ed5d67e609
Input WYSIWYG: Aligned newline handling with old descriptions
To ensure consistenent behaviour before/after changes.
Added tests to cover.
2023-12-20 17:40:58 +00:00
Dan Brown
a21ca44633
Input WYSIWYG: Fixed existing tests, fixed empty description handling 2023-12-20 17:21:09 +00:00
Dan Brown
7fd6d5b2cc
Input WYSIWYG: Updated tests, Added simple html limiting 2023-12-19 15:10:29 +00:00
Dan Brown
077b9709d4
Input WYSIWYG: Added testing for description references 2023-12-19 12:55:51 +00:00
Dan Brown
2fbed3919b
Input WYSIWYG: Added dynamic options for entity selector popups
So that multiple elements on the page can share the same popup, with
different search options.
2023-12-19 12:09:57 +00:00
Dan Brown
c07aa056c2
Input WYSIWYG: Updated UpdateUrlCommand, Added chapter HTML display 2023-12-18 18:31:16 +00:00
Dan Brown
bc354e8b12
Input WYSIWYG: Updated reference link updating for descriptions 2023-12-18 18:12:36 +00:00
Dan Brown
307fae39c4
Input WYSIWYG: Added reference store & fetch handling
For book, shelves and chapters.
Made much of the existing handling generic to entity types.
Added new MixedEntityListLoader to help load lists somewhat efficiently.
Only manually tested so far.
2023-12-18 16:23:40 +00:00
Dan Brown
c622b785a9
Input WYSIWYG: Added description_html field, added store logic
Rolled out HTML editor field and store logic across all target entity
types. Cleaned up WYSIWYG input logic and design.
Cleaned up some injected classes while there.
2023-12-17 15:02:15 +00:00
Dan Brown
569542f0bb
Input WYSIWYG: Added compontent and rough logic to book form
Just as a draft for prototyping and playing around to get things
started.
2023-12-16 14:48:35 +00:00
Dan Brown
fc2e8ed315
Merge pull request #4728 from BookStackApp/friendlier_buttons
Design: Updated buttons to be a bit friendlier
2023-12-16 14:04:57 +00:00
Dan Brown
0c4dd7874c
Design: Updated buttons to be a bit friendlier
Old all-caps button design made them a bit angry, and kinda odd and
outdated. This updates them to use their original source text casing
(which may help for translation variations) while being a bit rounder
with a better defined shadow for outline buttons.
2023-12-16 14:03:12 +00:00
Dan Brown
7250671889
Merge pull request #4727 from BookStackApp/editor_video_alignment
WYSWIYG: Allowed video/embed alignment controls
2023-12-16 12:32:52 +00:00
Dan Brown
5395ca2f00
WYSWIYG: Allowed video/embed alignment controls
Required a lot of working around TinyMCE since it added a
preview/wrapper element in the editor which complicates things.
Added view new "fixes.js" file so large hacks to default TinyMCe
functionality are kept in one place.
2023-12-16 12:22:40 +00:00
Luke T. Shumaker
c76d12d1de Oidc: Properly query the UserInfo Endpoint
BooksStack's OIDC Client requests the 'profile' and 'email' scope values
in order to have access to the 'name', 'email', and other claims.  It
looks for these claims in the ID Token that is returned along with the
Access Token.

However, the OIDC-core specification section 5.4 [1] only requires that
the Provider include those claims in the ID Token *if* an Access Token is
not also issued.  If an Access Token is issued, the Provider can leave out
those claims from the ID Token, and the Client is supposed to obtain them
by submitting the Access Token to the UserInfo Endpoint.

So I suppose it's just good luck that the OIDC Providers that BookStack
has been tested with just so happen to also stick those claims in the ID
Token even though they don't have to.  But others (in particular:
https://login.infomaniak.com) don't do so, and require fetching the
UserInfo Endpoint.)

A workaround is currently possible by having the user write a theme with a
ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE hook that fetches the UserInfo
Endpoint.  This workaround isn't great, for a few reasons:
 1. Asking the user to implement core parts of the OIDC protocol is silly.
 2. The user either needs to re-fetch the .well-known/openid-configuration
    file to discover the endpoint (adding yet another round-trip to each
    login) or hard-code the endpoint, which is fragile.
 3. The hook doesn't receive the HTTP client configuration.

So, have BookStack's OidcService fetch the UserInfo Endpoint and inject
those claims into the ID Token, if a UserInfo Endpoint is defined.
Two points about this:
 - Injecting them into the ID Token's claims is the most obvious approach
   given the current code structure; though I'm not sure it is the best
   approach, perhaps it should instead fetch the user info in
   processAuthorizationResponse() and pass that as an argument to
   processAccessTokenCallback() which would then need a bit of
   restructuring.  But this made sense because it's also how the
   ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE hook works.
 - OIDC *requires* that a UserInfo Endpoint exists, so why bother with
   that "if a UserInfo Endpoint is defined" bit?  Simply out of an
   abundance of caution that there's an existing BookStack user that is
   relying on it not fetching the UserInfo Endpoint in order to work with
   a non-compliant OIDC Provider.

[1]: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
2023-12-15 14:11:48 -07:00
Dan Brown
56d07f1909
Users API: Fixed sending invite when using form requests
- Cast send_invite value in cases where it might not have been a boolean,
  which occurs on non-JSON requests.
- Added test to cover.
- Updated API docs to mention and shown boolean usage.
2023-12-13 15:13:54 +00:00