Commit Graph

1630 Commits

Author SHA1 Message Date
Stefan Totev
738ca405fe Normalize Base URL during installation
- Fix base url when is appended with a script filename
- Add default base url http://flarum.local when CLI wizard used
- Remove some code duplication
- Add minor improvement to the UX when CLI wizard used
- Add tests
- Extract base url normalisation into its own value object
2019-09-24 00:26:51 +02:00
Matteo Contrini
09609a9f20 Change rel for external links to nofollow ugc (#1884) 2019-09-23 23:37:49 +02:00
David Sevilla Martín
74b6b9935b Prepare beta.10 release (#1885)
* Update Application version string to beta 10
* Add beta.10 changelog
2019-09-16 09:28:17 +02:00
Franz Liedke
3b5691ee28
Restore beta.9 behavior of assertCan()
In flarum/core#1854, I changed the implementation of `assertCan()` to be
more aware of the user's log-in status. I came across this when unifying
our API's response status code when actors are not authenticated or not
authorized to do something.

@luceos rightfully had to tweak this again in ea84fc4, because the
behavior changed for one of the few API endpoints that checked for a
permission that even guests can have.

It turns out having this complex behavior in `assertCan()` is quite
misleading, because the name suggests a simple permission check and
nothing more.

Where we actually want to differ between HTTP 401 and 403, we can do
this using two method calls, and enforce it with our tests.

If this turns out to be problematic or extremely common, we can revisit
this and introduce a method with a different, better name in the future.

This commit restores the method's behavior in the last release, so we
also avoid another breaking change for extensions.
2019-09-14 21:32:00 +02:00
Franz Liedke
538136153c
Send a HTTP 401 for incorrect login credentials
This fixes a regression from #1843 and #1854. Now, the frontend again
shows the proper "Incorrect login details" message instead of "You
do not have permission to do that".
2019-09-13 15:03:03 +02:00
Daniël Klabbers
14e7bc73ee moved the artisan binary override and commented some of the bindings for queue 2019-09-12 09:11:12 +02:00
Daniël Klabbers
2aee020c14 prevent constant to be duplicated during tests 2019-09-11 12:20:35 +02:00
Daniël Klabbers
f20696210e Merge branch 'master' of github.com:flarum/core 2019-09-11 11:59:10 +02:00
Daniël Klabbers
ea84fc4836 Fixes an issue where permission checks aren't made for guest users,
due to the gate being accessed after the check whether the user
is registered/signed in.
2019-09-11 11:58:27 +02:00
luceos
5ff04d0c68 Apply fixes from StyleCI
[ci skip] [skip ci]
2019-09-11 09:43:46 +00:00
Daniël Klabbers
e2ec52c28c Fixes the queue listen command. We might need to rectify this implementation before stable. 2019-09-11 11:42:52 +02:00
Daniël Klabbers
6196081bdf Fixes an issue where a different cache driver is used and Formatter
attempts to load the s9e Renderer from the wrong cache. It has
to be saved locally so that it can be properly loaded using
the spl auto register functionality.
2019-09-10 12:33:25 +02:00
Daniël Klabbers
ba175144f4 listen and restart currently fail in the queue, see #1879 2019-09-09 15:47:56 +02:00
David Sevilla Martín
e88a9394ed Add back defaults for language and direction attributes (#1860) 2019-09-05 08:28:52 +02:00
Franz Liedke
0a2bdbaa09
Debug mode: Include stacktrace in JSON-API errors
Refs #1843, #1865.
2019-09-04 23:35:32 +02:00
Franz Liedke
26229db1fd
Refactor JSON-API error formatter 2019-09-04 23:30:22 +02:00
Franz Liedke
1aef3162be
Apply fixes from StyleCI (#1867)
[ci skip] [skip ci]
2019-09-04 01:44:59 +02:00
Franz Liedke
dcf88df0c7
Restore error details in JSON-API error formatter
Fixes #1865. Refs #1843.
2019-09-04 01:44:22 +02:00
Matteo Contrini
1d43371fa9 Allow formatting post content without a request (#1848) 2019-09-04 00:12:28 +02:00
Franz Liedke
2c43ccf66c
Merge pull request #1854 from flarum/fl/1641-fix-status-codes
Error handling: Fix status codes
2019-09-02 16:33:48 +02:00
Franz Liedke
98464a8a33
Remove superfluous ForbiddenException
It has the same effect as the PermissionDeniedException, so let's
just use that.

Refs #1641.
2019-08-22 00:06:26 +02:00
Franz Liedke
2b6535525b
When signups are prohibited, respond with HTTP 403 2019-08-21 23:48:24 +02:00
Franz Liedke
b60617b849
Move authentication check into assertCan() method
This will cause the right error (HTTP 401) to be thrown whenever
we're checking for a specific permission, but the user is not even
logged in. Authenticated users will still get HTTP 403.
2019-08-21 23:48:03 +02:00
Franz Liedke
0836d99e83
Remove unnecessary indirection 2019-08-21 00:06:32 +02:00
Franz Liedke
279c7df9b9
Document permission check methods 2019-08-21 00:06:31 +02:00
Franz Liedke
04bcf1eef6
Fix inconsistent status codes
HTTP 401 should be used when logging in (i.e. authenticating) would make
a difference; HTTP 403 is reserved for requests that fail because the
already authenticated user is not authorized (i.e. lacking permissions)
to do something.
2019-08-21 00:06:31 +02:00
Franz Liedke
085468382a
Error handling: Document another interface 2019-08-20 22:20:11 +02:00
Franz Liedke
7dbdd8c024
Rename method 2019-08-20 20:08:01 +02:00
Franz Liedke
ad25307e68
Error handling: Tweak Reporter interface
Because reporters are used for exceptions we were not able to handle, it
makes sense to simply pass the exception, not the "handled error".
2019-08-20 20:07:56 +02:00
Franz Liedke
6c454b8279
Error handling: Document classes and interfaces 2019-08-20 20:07:52 +02:00
Franz Liedke
9f15e9ba86
Error handling: Rename renderers to formatters
Refs #1641.
2019-08-20 20:07:47 +02:00
Franz Liedke
41009dba74
Remove obsolete queue config 2019-08-19 22:33:32 +02:00
Daniël Klabbers
a045f8bef9
Queue support (#1773)
Implementation of clean queue handling, by default sync is used
2019-08-19 21:44:06 +02:00
Franz Liedke
689d767f82
Don't fail when extend.php doesn't return an array
Refs #1607.
2019-08-16 12:29:31 +02:00
Franz Liedke
77fff9fde8
#1607: Show more details when catching boot errors 2019-08-16 12:13:47 +02:00
Franz Liedke
c6c1ae32e6
Bubble up exception for invalid confirmation token
This way, the error handler can simply be amended to deal with this
exception type with a dedicated error message or page.

Refs #1337.
Closes #1528.
2019-08-14 19:47:56 +02:00
Franz Liedke
bdac88b573
Determine error view and message based on type
...not based on status code.

To simplify this logic, we now use the same error "type" both when
routes are not found and specific models are not found. One exception is
ours, one is from Laravel, but for the purposes of error handling they
should be treated the same.

Fixes flarum/core#1641.
2019-08-14 19:47:56 +02:00
Franz Liedke
d06493c61e
Support multiple error reporters
The error handling middleware now expects an array of reporters.
Extensions can register new reporters in the container like this:

    use Flarum\Foundation\ErrorHandling\Reporter;

    $container->tag(NewReporter::class, Reporter::class);

Note that this is just an implementation detail and will be hidden
behind an extender.
2019-08-10 11:04:12 +02:00
Franz Liedke
9f71e2c3cb
Remove old error handler, middleware and tests 2019-08-10 00:26:24 +02:00
Franz Liedke
81a8736ba9
API Client: Use new error handling mechanism 2019-08-10 00:26:24 +02:00
Franz Liedke
57ce25301d
Use new error handler middleware 2019-08-10 00:26:24 +02:00
Franz Liedke
cfbaa84fbc
Wire up new error handling stack 2019-08-10 00:26:23 +02:00
Franz Liedke
3417f5a77e
Make existing extensions compatible with new stack 2019-08-10 00:26:22 +02:00
Franz Liedke
1035636d0f
Implement new error handling stack
This separates the error registry (mapping exception types to status
codes) from actual handling (the middleware) as well as error formatting
(Whoops, pretty error pages or JSON-API?) and reporting (log? Sentry?).

The components can be reused in different places (e.g. the API client
and the error handler middleware both need the registry to understand
all the exceptions Flarum knows how to handle), while still allowing to
change only the parts that need to change (the API stack always uses the
JSON-API formatter, and the forum stack switches between Whoops and
pretty error pages based on debug mode).

Finally, this paves the way for some planned features and extensibility:
- A console error handler can build on top of the registry.
- Extensions can register new exceptions and how to handle them.
- Extensions can change how we report exceptions (e.g. Sentry).
- We can build more pretty error pages, even different ones for
  exceptions having the same status code.
2019-08-10 00:26:22 +02:00
Franz Liedke
d00fc2c49d
Remove obsolete constructor parameter
This was removed in commit 484c6d2e.
2019-08-10 00:16:21 +02:00
David Sevilla Martín
5ed55195e1 Add canonical URL to discussion list (#1814) 2019-08-08 00:01:25 +02:00
Franz Liedke
8604ea3020
Bypass CSRF token check when using access tokens
Fixes #1828.
2019-08-01 22:53:31 +02:00
Franz Liedke
2648e960a7
Make exception message dynamic as well 2019-08-01 22:25:28 +02:00
Daniël Klabbers
f0dff95d62 Merge branch 'master' of github.com:flarum/core 2019-07-31 17:10:47 +02:00
Daniël Klabbers
894db01ad8 Allows configuration of where the language files live. So that
language packs can optionally decide for themselves if they want
to use a different directory.
2019-07-31 17:10:13 +02:00
Franz Liedke
bd04023359
Determine default route after extensions
Fixes #1819.
2019-07-30 00:56:29 +02:00
Daniël Klabbers
c2586586c4 fixes #1695, take into consideration is_private with counts on User stats 2019-07-28 20:59:12 +02:00
Franz Liedke
1502fc98d8
Prevent MySQL search operators from taking effect
We do not want to inherit MySQL's fulltext query language, so let's
just drop all non-word characters from the search term.

Fixes #1498.
2019-07-23 23:55:06 +02:00
Franz Liedke
ed97989ca2
Revert "Remove deprecated bootstrap.php fallback"
This reverts commit f8061bbca1.

We will keep this fallback in place, to avoid unnecessary breakage of
backwards compatibility for extension authors.

Removal is planned for the final 0.1 release.
2019-07-14 22:22:06 +02:00
Franz Liedke
7f1048352d
Clean up database query
- Use existing `selectRaw()` method to avoid using the global `app()`
  helper as a service locator, which hides dependencies.
- Do the same for the join.
- The `Expression` is necessary to prevent the aliased column from being
  prefixed with the database table prefix, if configured.
2019-07-11 22:35:19 +02:00
Daniël Klabbers
b2dbb0439c fixed class property hint for event post content attribute 2019-07-09 08:31:48 +02:00
Daniël Klabbers
085c924a07 fix return type hint for event post content attribute 2019-07-09 08:30:10 +02:00
David Sevilla Martín
f31f02d4cc Set Whoops middleware HTTP status to error code (#1648)
* Use error code for HTTP status, defaults to 500
* Use logic from HandleErrorsWithView, make sure status is valid
2019-07-07 14:57:40 +02:00
Daniël Klabbers
797f6eea50 moved GetDisplayName event to User namespace (#1768) 2019-07-06 19:27:44 +02:00
Franz Liedke
9fb3a31b51
Get rid of unnecessary method 2019-07-06 02:25:06 +02:00
Franz Liedke
f8061bbca1
Remove deprecated bootstrap.php fallback
Closes #1557.
2019-07-06 02:11:09 +02:00
Franz Liedke
f4c0d4ba87
Type hint contract, not implementation 2019-07-06 01:30:58 +02:00
Franz Liedke
646bd40bca
Use Laravel's class-based Str and Arr helpers
Starting with version 5.9, the global funtions will be deprecated.

* https://laravel-news.com/laravel-5-8-deprecates-string-and-array-helpers
* https://github.com/laravel/framework/pull/26898
2019-07-06 01:30:58 +02:00
Franz Liedke
cbc896eba7
Use class constant instead of strings 2019-07-06 00:03:25 +02:00
David Sevilla Martín
a720f6f651 Update Application version string to beta 9 (#1784) 2019-07-05 12:37:02 +02:00
Daniël Klabbers
935a968257 fixed tests on master, missing views directory and suppressing notices from tempnam when storing files in tmp 2019-06-24 13:00:36 +02:00
Daniël Klabbers
fd66722945 added custom view, now needs translation 2019-06-22 19:40:20 +02:00
Daniël Klabbers
bfd3a667dd Fixed issue with tmp/storage/views not existing, this caused tmpname to notice.
Fixed csrf test that assumed an access token allows application access, which is actually api token.
Improved return type hinting in the StartSession middleware
2019-06-18 17:22:23 +02:00
Franz Liedke
7f7484e790
Accept CSRF token in request body as well 2019-06-13 00:13:58 +02:00
Franz Liedke
5d64056e89
Implement middleware for CSRF token verification
This fixes a rather large oversight in Flarum's codebase, which was that
we had no explicit CSRF protection using the traditional token approach.

The JS frontend was actually sending these tokens, but the backend did
not require them.
2019-06-13 00:13:58 +02:00
Franz Liedke
9e2b796a7c
Fix syntax error 2019-06-13 00:11:57 +02:00
Franz Liedke
7f5bd1e96b
Apply fixes from StyleCI (#1793)
[ci skip] [skip ci]
2019-06-12 23:50:21 +02:00
Franz Liedke
5e1680c458
Introduce a vendor path
This lets us or anyone modify the path from where dependencies (usually
installed into /vendor by Composer) are loaded. We need to be able to
tweak this in our integration tests, where the application code under
test needs access to certain dependencies.
2019-06-12 23:48:22 +02:00
Franz Liedke
6e26b988bd
Inject app, not container, to avoid global helpers 2019-06-12 23:48:22 +02:00
Daniël Klabbers
54660ebd63 fixed issue with the Js compiler being unable to use the system tmp directory, using the one in storage is much safer across different operating systems 2019-06-12 16:46:53 +02:00
Franz Liedke
f42142979d
Load LESS variables via path traversal
Since these files are part of the same package, there is no need
to assume a Composer context to load these from. Instead, we can
just load them via the path relative to the current PHP file.

This assumption may break in certain environments, and it is
already broken when running (integration) tests.
2019-06-09 00:19:06 +02:00
Franz Liedke
5f79d3b499
This method should be private 2019-06-09 00:19:05 +02:00
Franz Liedke
8e4d97260f
Do not rely on extensions_enabled being present
This mostly simplifies setup in complex integration tests.
2019-06-09 00:19:05 +02:00
Daniël Klabbers
ee3640e160 remove use of like which might cause unwanted side effects (#1787) 2019-06-03 12:04:17 +02:00
Franz Liedke
56fde28e43
Restore "originalUri" request attribute
This is helpful when Flarum is installed in subfolders.

Fixes #778.
2019-06-01 12:51:05 +02:00
Franz Liedke
1c1d661bdd
Use the settings repository's default value
Updates commit bf2c5a5564.
2019-05-24 20:11:34 +02:00
Clark Winkelmann
7a44086bf3
Remove notification id from serializer attributes 2019-05-01 23:05:25 +02:00
Clark Winkelmann
ecc3b5e227 Remove post id from serializer attributes (#1775) 2019-04-19 21:37:14 +02:00
Daniël Klabbers
bf2c5a5564 This small fix prevents that the forum frontend breaks whenever
custom_less is NULL or unavailable in the database. We cannot rely
on this value to exist or is incorrectly set to null and thus
completely bricking the app.
2019-04-12 14:10:20 +02:00
Toby Zerner
e17bb0b433 Fix is:unread gambit 2019-03-24 12:24:44 +10:30
Franz Liedke
ef57b443c1
Apply fixes from StyleCI (#1761)
[ci skip] [skip ci]
2019-03-19 09:59:09 +01:00
Franz Liedke
5154d7e5a6
Allow configuring all drivers via frontend (#1169)
This includes an API endpoint for fetching the list of possible
drivers and their configuration fields. In the future, this can
be extended to include more meta information about each field.
2019-03-19 09:56:20 +01:00
Franz Liedke
c50d58d0f4
Add drivers for Mailgun, Mandrill, SES (#1169) 2019-03-16 12:58:35 +01:00
Franz Liedke
441ebacfd7
Apply fixes from StyleCI (#1760)
[ci skip] [skip ci]
2019-03-13 21:32:18 +01:00
Franz Liedke
46acfb6c23
Implement mail driver classes (#1169)
This adds an interface for mail drivers to implement, defining several
methods that we need throughout Flarum to configure, validate and use
the various email drivers we can support through Laravel.

More mail drivers can be added by `extend()`ing the container binding
"mail.supported_drivers" with an arbitrary key and the name of a class
that implements our new `DriverInterface`.

This will ensure that drivers added by extensions can be properly built
and validated, even in the frontend.
2019-03-13 21:31:19 +01:00
Daniël Klabbers
9910e884fc Allow fallback to check for bound mail drivers (#1757) 2019-03-12 19:45:42 +01:00
bdumaspilhou
33deea4791 Fixes #1738 : Search Title within discussions (#1741) 2019-03-07 00:20:37 +01:00
Franz Liedke
e8ab49abc1
Merge pull request #1743 from flarum/fl/test-structure
Improve test suite structure
2019-03-03 20:17:35 +01:00
Daniël Klabbers
654ab4cc29 prefixes indices when installing too 2019-02-05 09:50:15 +01:00
Daniël Klabbers
e0becd0c7b Capsule manager (#1744)
Refactored to use the Capsule Database manager for setting up the
Flarum (mysql) connection.

This will introduce the reconnector automatically, fixing #1740
2019-02-04 23:31:12 +01:00
Franz Liedke
ed43ad9c3f
Properly wrap error bag in session
Second part of fixing #1683.
2019-02-03 21:16:43 +01:00
Franz Liedke
4611abe5db
Fix error redirect when resetting passwords
This was an oversight from the large database column renamings.

Fixes #1683.
2019-02-03 21:06:47 +01:00
Franz Liedke
cf746079ed
Make integration tests independent
This creates a dedicated test suite for integration tests. All of them
can be run independently, and there is no order dependency - previously,
all integration tests needed the installer test to run first, and they
would fail if installation failed.

Now, the developer will have to set up a Flarum database to be used by
these tests. A setup script to make this simple will be added in the
next commit.

Small tradeoff: the installer is NOT tested in our test suite anymore,
only implicitly through the setup script. If we decide that this is a
problem, we can still set up separate, dedicated installer tests which
should probably test the web installer.
2019-02-03 20:39:32 +01:00
Franz Liedke
1a9f1f7a3d
Use Collection class rather than collect() helper 2019-02-01 14:12:29 +01:00
Franz Liedke
4d1411e2a8
Improve problem description for wrong PHP version 2019-02-01 13:00:25 +01:00