Commit Graph

3211 Commits

Author SHA1 Message Date
Franz Liedke
3b5691ee28
Restore beta.9 behavior of assertCan()
In flarum/core#1854, I changed the implementation of `assertCan()` to be
more aware of the user's log-in status. I came across this when unifying
our API's response status code when actors are not authenticated or not
authorized to do something.

@luceos rightfully had to tweak this again in ea84fc4, because the
behavior changed for one of the few API endpoints that checked for a
permission that even guests can have.

It turns out having this complex behavior in `assertCan()` is quite
misleading, because the name suggests a simple permission check and
nothing more.

Where we actually want to differ between HTTP 401 and 403, we can do
this using two method calls, and enforce it with our tests.

If this turns out to be problematic or extremely common, we can revisit
this and introduce a method with a different, better name in the future.

This commit restores the method's behavior in the last release, so we
also avoid another breaking change for extensions.
2019-09-14 21:32:00 +02:00
Franz Liedke
18593e0d7d
Add a test for viewUserList guest permission
This test would have failed without commit ea84fc4. Next, I will revert
that commit and most of my PR #1854, so we need this test to ensure the
API continues to behave as desired.
2019-09-14 21:30:09 +02:00
Franz Liedke
40e1b61fe6 Apply fixes from StyleCI
[ci skip] [skip ci]
2019-09-14 18:57:28 +00:00
Franz Liedke
95dcb45d65
Convert more controller tests to feature tests 2019-09-14 13:09:56 +02:00
Franz Liedke
bd989df769
Update vulnerable JS dependencies 2019-09-13 15:26:10 +02:00
Franz Liedke
538136153c
Send a HTTP 401 for incorrect login credentials
This fixes a regression from #1843 and #1854. Now, the frontend again
shows the proper "Incorrect login details" message instead of "You
do not have permission to do that".
2019-09-13 15:03:03 +02:00
Franz Liedke
c330662241
Convert another controller test to feature test
Decouple from implementation, test closer to HTTP...
2019-09-13 14:58:45 +02:00
flarum-bot
588cbaee2d Bundled output for commit a9557c399a [skip ci] 2019-09-12 22:36:12 +00:00
David Sevilla Martín
a9557c399a Fix errors caused by deletion alert when deleting users (#1883)
Refs #1788

TypeError: t.showDeletionAlert is not a function
  at onSuccess(./src/forum/utils/UserControls.js:104:12)

Also, don't override 'this' param with user object for editAction
2019-09-13 00:34:05 +02:00
Daniël Klabbers
14e7bc73ee moved the artisan binary override and commented some of the bindings for queue 2019-09-12 09:11:12 +02:00
flarum-bot
edc579fa6f Bundled output for commit 119831e51c [skip ci] 2019-09-11 22:16:20 +00:00
David Sevilla Martin
119831e51c
Fixes an issue where deleting a nonexistent model would error instead of resolving gracefully 2019-09-11 18:14:37 -04:00
Daniël Klabbers
2aee020c14 prevent constant to be duplicated during tests 2019-09-11 12:20:35 +02:00
Daniël Klabbers
f20696210e Merge branch 'master' of github.com:flarum/core 2019-09-11 11:59:10 +02:00
Daniël Klabbers
ea84fc4836 Fixes an issue where permission checks aren't made for guest users,
due to the gate being accessed after the check whether the user
is registered/signed in.
2019-09-11 11:58:27 +02:00
luceos
5ff04d0c68 Apply fixes from StyleCI
[ci skip] [skip ci]
2019-09-11 09:43:46 +00:00
Daniël Klabbers
e2ec52c28c Fixes the queue listen command. We might need to rectify this implementation before stable. 2019-09-11 11:42:52 +02:00
Daniël Klabbers
6196081bdf Fixes an issue where a different cache driver is used and Formatter
attempts to load the s9e Renderer from the wrong cache. It has
to be saved locally so that it can be properly loaded using
the spl auto register functionality.
2019-09-10 12:33:25 +02:00
Franz Liedke
6d8e6583c8
Fix instructions in PR template 2019-09-10 00:18:04 +02:00
flarum-bot
c2b0060852 Bundled output for commit 24964b94bf [skip ci] 2019-09-09 21:37:54 +00:00
David Sevilla Martín
24964b94bf Mark notification as read without visiting discussion (#1874) 2019-09-09 23:36:06 +02:00
flarum-bot
2b624c935d Bundled output for commit 2e647cdda8 [skip ci] 2019-09-09 21:07:00 +00:00
David Sevilla Martín
2e647cdda8
Fix error thrown if textarea doesn't exist in TextEditor (#1852)
* Prevent textarea not existing from causing errors to be thrown

* Replace [0] with .length
2019-09-09 17:05:11 -04:00
Daniël Klabbers
ba175144f4 listen and restart currently fail in the queue, see #1879 2019-09-09 15:47:56 +02:00
flarum-bot
e9af36ab47 Bundled output for commit 8b3913339a [skip ci] 2019-09-08 17:33:39 +00:00
Matthew Kilgore
8b3913339a Fix the new edit user permission label (#1870) 2019-09-08 13:31:57 -04:00
David Sevilla Martín
3cced4156f
Add DB prefix to PHP tests (#1855)
* Add test job with PHP 7.3, MySQL & custom prefix

* Add prefix MariaDB test

* Add PHP 7.4 to tests

* Remove PHP 7.4 from tests

This reverts commit 270cba2f5f.
2019-09-08 13:28:39 -04:00
David Sevilla Martín
e88a9394ed Add back defaults for language and direction attributes (#1860) 2019-09-05 08:28:52 +02:00
flarum-bot
ba73c59601 Bundled output for commit 0191babb05 [skip ci] 2019-09-05 00:34:59 +00:00
Franz Liedke
0191babb05
Optimize ScrollListener performance
Listen to "scroll" event and throttle callback executions instead
of actively polling for changes to the scroll position.

Fixes #1222.
2019-09-05 02:17:09 +02:00
Franz Liedke
ed51f9ff0a
Fix failing test 2019-09-05 00:07:40 +02:00
Franz Liedke
0a2bdbaa09
Debug mode: Include stacktrace in JSON-API errors
Refs #1843, #1865.
2019-09-04 23:35:32 +02:00
Franz Liedke
26229db1fd
Refactor JSON-API error formatter 2019-09-04 23:30:22 +02:00
Franz Liedke
1aef3162be
Apply fixes from StyleCI (#1867)
[ci skip] [skip ci]
2019-09-04 01:44:59 +02:00
Franz Liedke
dcf88df0c7
Restore error details in JSON-API error formatter
Fixes #1865. Refs #1843.
2019-09-04 01:44:22 +02:00
Franz Liedke
3eb28dfb16
Convert controller test to request test
This further decouples these tests from the implementation (i.e. which
controller are we calling?).
2019-09-04 01:27:24 +02:00
Matteo Contrini
1d43371fa9 Allow formatting post content without a request (#1848) 2019-09-04 00:12:28 +02:00
Matthew Kilgore
4df455cf04 Add Edit User permission to permissions grid (#1859) 2019-09-03 23:54:38 +02:00
Franz Liedke
2c43ccf66c
Merge pull request #1854 from flarum/fl/1641-fix-status-codes
Error handling: Fix status codes
2019-09-02 16:33:48 +02:00
dependabot[bot]
1d010efbca Bump lodash from 4.17.11 to 4.17.15 in /js (#1863)
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.11 to 4.17.15.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.11...4.17.15)

Signed-off-by: dependabot[bot] <support@github.com>
2019-08-28 09:11:25 +02:00
dependabot[bot]
2135d5908e Bump mixin-deep from 1.3.1 to 1.3.2 in /js (#1862)
Bumps [mixin-deep](https://github.com/jonschlinkert/mixin-deep) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/jonschlinkert/mixin-deep/releases)
- [Commits](https://github.com/jonschlinkert/mixin-deep/compare/1.3.1...1.3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2019-08-28 09:06:38 +02:00
Franz Liedke
9640dd6419
Remove unnecessary dependency
Refs #1773.
2019-08-22 10:04:38 +02:00
Franz Liedke
98464a8a33
Remove superfluous ForbiddenException
It has the same effect as the PermissionDeniedException, so let's
just use that.

Refs #1641.
2019-08-22 00:06:26 +02:00
Franz Liedke
2b6535525b
When signups are prohibited, respond with HTTP 403 2019-08-21 23:48:24 +02:00
Franz Liedke
b60617b849
Move authentication check into assertCan() method
This will cause the right error (HTTP 401) to be thrown whenever
we're checking for a specific permission, but the user is not even
logged in. Authenticated users will still get HTTP 403.
2019-08-21 23:48:03 +02:00
Franz Liedke
0836d99e83
Remove unnecessary indirection 2019-08-21 00:06:32 +02:00
Franz Liedke
279c7df9b9
Document permission check methods 2019-08-21 00:06:31 +02:00
Franz Liedke
04bcf1eef6
Fix inconsistent status codes
HTTP 401 should be used when logging in (i.e. authenticating) would make
a difference; HTTP 403 is reserved for requests that fail because the
already authenticated user is not authorized (i.e. lacking permissions)
to do something.
2019-08-21 00:06:31 +02:00
Franz Liedke
70e98f810c
Travis: Remove deploy key 2019-08-21 00:06:16 +02:00
David Sevilla Martín
3851d805f7 Move to GitHub Actions (#1853) 2019-08-21 00:05:04 +02:00