Commit Graph

3501 Commits

Author SHA1 Message Date
Toby Zerner
5dfb9b474c
Auth token and avatarUrl security improvements (#1514)
* Remove AbstractOAuth2Controller

There is no reason to provide an implementation for a specific oAuth2
library in core; it's not generic enough (eg. auth-twitter can't use it).

This code could be moved into another package which auth extensions
depend on, but it's a negligible amount of relatively simple code that
I don't think it's worth the trouble.

* Introduce login providers

Users can have many login providers (a combination of a provider name
and an identifier for that user, eg. their Facebook ID).

After retrieving user data from a provider (eg. Facebook), you pass the
login provider details into the Auth\ResponseFactory. If an associated
user is found, a response that logs them in will be returned. If not, a
registration token will be created so the user can proceed to sign up.
Once the token is fulfilled, the login provider will be associated with
the user.
2018-09-22 13:48:27 +09:30
Toby Zerner
fcb97b256f Add migration helper to drop columns 2018-09-22 13:45:41 +09:30
Toby Zerner
4429cf4eba
Merge pull request #1513 from flarum/tz/1419-restrict-own-permissions
Make "own" permissions depend on the user's ability to reply
2018-09-22 12:22:03 +09:30
Toby Zerner
c54f739484 Make "own" permissions depend on the user's ability to reply
Permission to rename/hide/edit one's own discussion/post is only granted
if the user has permission to reply to the discussion. This makes sense
if you think of these actions as forms of "replying" to a discussion.

Fixes #1419 because suspended users do not have permission to reply to
discussions, therefore they will not be granted these "own" permissions.
2018-09-22 12:15:46 +09:30
Franz Liedke
6c0d73afa0
Fix tests 2018-09-22 00:40:19 +02:00
Franz Liedke
1cd8ec6873
Display only exception messages during booting
By not letting PHP render the stack trace, we prevent displaying
sensitive information (such as the database credentials). Instead,
we display a simple line with the exception message.

In the console, the full exception can still be shown, as that is
a tool only for forum admins anyway.

Fixes #1421.
2018-09-21 23:33:28 +02:00
Franz Liedke
4ed1c7a1bb
Boot Flarum app in Server classes
This is in preparation for fixing #1421 - it allows us to
encapsulate the exception handling in the server classes, so that
we can keep the skeleton (flarum/flarum) lean.
2018-09-21 23:30:14 +02:00
Franz Liedke
c67f673819
Remove references to deleted property 2018-09-21 12:29:16 +02:00
flarum-bot
7917ce130e Bundled output for commit 2b174b17fc [skip ci] 2018-09-21 05:07:46 +00:00
Toby Zerner
2b174b17fc Fix tests 2018-09-21 14:32:41 +09:30
Toby Zerner
550d35e86f
Apply fixes from StyleCI (#1574)
[ci skip] [skip ci]
2018-09-21 14:28:02 +09:30
Toby Zerner
64686ef7a9 Remove the "debug" button from request error alerts
Using the browser's console to debug failed requests is much more powerful
2018-09-21 14:27:39 +09:30
Toby Zerner
5ce702a5d0 Make registration errors still work properly when debug mode is on 2018-09-21 14:18:17 +09:30
flarum-bot
fdf5fdbaf3 Bundled output for commit 184ffcd991 [skip ci] 2018-09-21 02:30:05 +00:00
Toby Zerner
184ffcd991 Sort user discussion list properly 2018-09-21 11:55:00 +09:30
flarum-bot
ba946237e4 Bundled output for commit 8ec0578ddf [skip ci] 2018-09-21 02:09:25 +00:00
Toby Zerner
8ec0578ddf Fix installation command 2018-09-21 11:32:46 +09:30
Toby Zerner
c34fcecf03 Update TextFormatter deprecated API 2018-09-21 11:23:24 +09:30
Toby Zerner
9e487b4e41 Live output of migrator notes 2018-09-21 11:22:51 +09:30
Toby Zerner
986d811a16 Fix notifications crash
When loading notifications, $this->type was null and thus array_get
was returning an array instead of null. I assume this issue was
introduced in a Laravel version upgrade? Anyway, this fixes it.
2018-09-21 11:22:26 +09:30
Toby Zerner
c32af6559e Fix group badge misalignment if there is no group icon 2018-09-21 11:20:54 +09:30
Toby Zerner
07298e165d Use default system font instead of Open Sans 2018-09-21 11:20:17 +09:30
Toby Zerner
c15bbc9c5e Add "tiny" preset for LoadingIndicator
This is used in various places but had not been added since presets were
removed from Spin.js in a recent version upgrade.
2018-09-21 11:19:32 +09:30
Toby Zerner
6c8c525e57 Fix regression introduced by #1543
The Page component's config method wasn't being called, therefore the
bodyClass would not be applied.
2018-09-21 11:17:54 +09:30
Toby Zerner
93dfb6dec9 Revert "Frontend extender: Remove route registration"
This reverts commit 4770a5c906.
2018-09-21 09:05:45 +09:30
Toby Zerner
750d9d05a6 Use container events as an alternative to the ConfigureMiddleware event (#1462)
By moving the DispatchRoute middleware into an `afterResolving`
callback, this will allow a new Middleware extender to add a `resolving`
callback to the appropriate container binding, removing the need for the
ConfigureMiddleware event.

The ConfigureMiddleware event has been deprecated and should be removed
in beta 9.
2018-09-16 21:21:13 +02:00
Franz Liedke
0ce289be4c
Travis: Add table prefix to build matrix (#1568)
Fixes #1564.
2018-09-16 20:59:40 +02:00
flarum-bot
7fcf556f13 Bundled output for commit 68afdd21ae [skip ci] 2018-09-16 18:51:11 +00:00
Franz Liedke
68afdd21ae
Merge pull request #1344 from flarum/1236-database-changes
Database changes
2018-09-16 20:44:29 +02:00
Toby Zerner
54aa9ee3cf Add database indices. closes #127 2018-09-15 14:32:51 +09:30
Toby Zerner
5635bd26f9 Fix query error 2018-09-15 12:44:59 +09:30
Toby Zerner
622bf26510 Inline permissions migration 2018-09-15 12:40:32 +09:30
Franz Liedke
2367a45c18
Use instance variable directly instead of passing it around 2018-09-07 01:40:31 +02:00
Franz Liedke
4770a5c906
Frontend extender: Remove route registration
This can be achieved using the Route extender, which is more
flexible, as it does not necessary connect the URL with the current
frontend's router.

(Example use-case: The ext-embed frontend will be a new frontend,
however any routes using this frontend will be part of the forum
route group.)

Refs #851.
2018-09-07 01:40:31 +02:00
Franz Liedke
c61badd754
Frontend extender: Route to correct frontend
So far, we always added routes configured via this extender to the
forum frontend. Not correct.
2018-09-07 01:02:13 +02:00
Franz Liedke
14393ec53e
RouteHandlerFactory: Refactor frontend parameter
By passing in just the frontend identifier, we can hide some of the
implementation details, in this case the identifier of the Frontend
instance in the IoC container.
2018-09-07 01:00:56 +02:00
Franz Liedke
96045ca390
flarum info: Try to fix STDERR redirection for Windows
See the following articles for more information:
- https://www.24k.com.sg/blog-27.html
- https://support.microsoft.com/en-us/help/110930/redirecting-error-messages-from-command-prompt-stderr-stdout

Refs #1562.
2018-09-07 00:25:26 +02:00
Franz Liedke
eb228dd7b9
flarum info: Extract extension table to function 2018-09-04 00:38:08 +02:00
Franz Liedke
092e5b9d23
flarum info: Tweak output styling 2018-09-04 00:32:54 +02:00
David Sevilla Martín
7e3980744e InfoCommand improvements (#1562)
* Ignore error output of 'git rev-parse HEAD'
* Organize extension information in a table
2018-09-04 00:24:07 +02:00
Franz Liedke
85c965afbc
Use correct method from contract 2018-09-03 23:55:16 +02:00
David Sevilla Martín
43fc2c0952 Add 'oldUsername' to User\Event\Renamed (#1563) 2018-09-03 22:42:30 +02:00
Franz Liedke
5a9b47cdf7
Apply fixes from StyleCI (#1561)
[ci skip] [skip ci]
2018-09-01 23:35:37 +02:00
Franz Liedke
5374f8a352
flarum info: Display warning when in debug mode
Refs #1421.
2018-09-01 16:57:44 +02:00
Franz Liedke
5f5af894ab
Load per-site extenders, if available
Closes #1559.
2018-09-01 16:27:52 +02:00
Franz Liedke
d7c283a48f
Frontend extender: Work without extension, too 2018-09-01 16:15:02 +02:00
flarum-bot
c5a3715701 Bundled output for commit 710c63ba6a [skip ci] 2018-08-25 10:56:59 +00:00
Toby Zerner
710c63ba6a Update JS tooling 2018-08-25 20:18:59 +09:30
Toby Zerner
5142c639c1 Rename user methods 2018-08-24 22:13:06 +09:30
Toby Zerner
eb3232dfc9 Missed a spot 2018-08-24 22:13:06 +09:30