Commit Graph

110 Commits

Author SHA1 Message Date
Daniël Klabbers
89f6cfd949 removed link to home, go back, which is always the case with csrf token invalidation 2019-06-24 10:49:31 +02:00
Franz Liedke
8e86d38804 Merge pull request from GHSA-3wjh-93gr-chh6
* Integration tests: Memoize request handler as well

This is useful to send HTTP requests (or their PSR-7 equivalents)
through the entire application's middleware stack (instead of
talking to specific controllers, which should be considered
implementation detail).

* Add tests for CSRF token check

* Integration tests: Configure vendor path

Now that this is possible, make the easy change...

* Implement middleware for CSRF token verification

This fixes a rather large oversight in Flarum's codebase, which was that
we had no explicit CSRF protection using the traditional token approach.

The JS frontend was actually sending these tokens, but the backend did
not require them.

* Accept CSRF token in request body as well

* Refactor tests to shorten HTTP requests

Multiple tests now provide JSON request bodies, and others copy cookies
from previous responses, so let's provide convenient helpers for these.

* Fixed issue with tmp/storage/views not existing, this caused tmpname to notice.
Fixed csrf test that assumed an access token allows application access, which is actually api token.
Improved return type hinting in the StartSession middleware

* Using a different setting key now, so that it won't break tests whenever you re-run them once smtp is set.
Fixed, badly, the test to create users etc caused by the prepareDatabase flushing all settings by default.

* added custom view, now needs translation
2019-06-24 09:14:38 +02:00
Franz Liedke
d292aaabf8
Fix another documentation link
Forgotten in #1699, closes #1736.
2019-03-07 00:33:25 +01:00
Franz Liedke
89e018a4f0
Simplify PrerequisiteInterface
I went with a return type of Collection, because it is easier to call
methods such as isEmpty() directly on those objects.
2019-01-31 21:52:05 +01:00
Kirill
b58380e224 Fix incorrect docs link (#1699) 2018-12-13 20:19:13 +01:00
Toby Zerner
796b57753d Don't output empty html tag attributes
From https://discuss.flarum.org/d/17817-meta-description-is-empty/8
ref #1677
2018-12-04 09:47:49 +10:30
Toby Zerner
0e73785498
Frontend refactor (#1471)
Refactor Frontend + Asset code

- Use Laravel's Filesystem component for asset IO, meaning theoretically
  assets should be storable on S3 etc.

- More reliable checking for asset recompilation when debug mode is on,
  so you don't have to constantly delete the compiled assets to force
  a recompile. Should also fix issues with locale JS files being
  recompiled with the same name and cached.

- Remove JavaScript minification, because it will be done by Webpack
  (exception is for the TextFormatter JS).

- Add support for JS sourcemaps.

- Separate frontend view and assets completely. This is an important
  distinction because frontend assets are compiled independent of a
  request, whereas putting together a view depends on a request.

- Bind frontend view/asset factory instances to the container (in
  service providers) rather than subclassing. Asset and content
  populators can be added to these factories – these are simply objects
  that populate the asset compilers or the view with information.

- Add RouteHandlerFactory functions that make it easy to hook up a
  frontend controller with a frontend instance ± some content.

- Remove the need for "nojs"

- Fix cache:clear command

- Recompile assets when settings/enabled extensions change
2018-06-30 12:31:12 +09:30
Toby Zerner
805768a9e0
[WIP] JS Extender API foundation (#1468)
* Run extenders exported by extensions
* Add some basic extenders
* Patch Mithril as the very first thing so extension code can run safely
* Load the payload into the app before booting extensions
* Setup default routes before booting extensions
2018-06-22 10:49:46 +09:30
Toby Zerner
3f683dd6ee
Webpack (#1367)
* Replace gulp with webpack and npm scripts for JS compilation
* Set up Travis CI to commit compiled JS
* Restructure `js` directory; only one instance of npm, forum/admin are "submodules"
* Refactor JS initializers into Application subclasses
* Maintain partial compatibility API (importing from absolute paths) for extensions
* Remove minification responsibility from PHP asset compiler
* Restructure `less` directory
2018-06-20 13:20:31 +09:30
Johann Rodríguez
7721288ac6 No slug? Then no '-' separator! (#1351)
* Stop using slug separator when there is no slug

* Changing as per upstream requirements
2018-02-09 07:22:50 +10:30
Franz Liedke
3480a65989
Avoid calculations in views
Instead, look up existence of navigation links in the underlying
API document.
2018-01-10 20:39:53 +01:00
Franz Liedke
2979e8bc28
Use Blade's inject helper 2018-01-10 20:36:50 +01:00
Franz Liedke
8c470954eb
Add pagination link for previous page 2018-01-10 20:35:07 +01:00
Franz Liedke
6913e8f0f8
Only display pagination link if necessary
Otherwise, search engines start indexing pages that aren't filled yet.

Refs #189.
2018-01-10 20:34:25 +01:00
Toby Zerner
f2ce4e11e2 Fix class name 2018-01-01 10:34:19 +10:30
Toby Zerner
d807171c44 Fix URL generator usage 2017-12-29 21:29:04 +10:30
Daniël Klabbers
f65e4dcba3
merges 5.5 and master into next-back 2017-12-14 01:00:16 +01:00
Toby Zerner
1a239ee93a Fix crash when post's user has been deleted 2017-12-10 21:02:35 +10:30
Toby Zerner
b806dc3db2 Move view logic into middleware 2017-11-29 22:25:57 +10:30
Toby Zerner
5b46ec801d Generate URL in the controller instead of the view 2017-11-29 22:20:06 +10:30
Toby Zerner
ba769e0c7e Preserve return URL when confirming logout 2017-11-29 13:47:00 +10:30
Toby Zerner
ea2fc1ff8a Add a "return home" link to 404 errors 2017-11-29 13:23:25 +10:30
Toby Zerner
b7c1cc5cef New design for error pages. closes #252 2017-11-29 13:03:55 +10:30
Toby Zerner
e8a4e5e0ef Add log out confirmation if CSRF token is invalid. fixes #1282 2017-11-29 13:03:16 +10:30
Toby Zerner
9392e1bec3 New design for reset password view 2017-11-29 12:53:06 +10:30
Toby Zerner
479e44dd04 Restructure views
- Use Laravel's view namespacing rather than the full file path
- Organise views into directories
2017-11-29 12:51:24 +10:30
Daniel Klabbers
44e9007790 using blade @json directive to parse raw json into frontend` 2017-11-01 13:22:16 +01:00
Toby Zerner
40ebc13292 Only apply custom CSS and header HTML on forum, not admin 2017-10-25 13:40:57 +10:30
Toby Zerner
ea4d889b76 Fix post contentHtml sometimes breaking script parsing
<\/script> tags in post content would sometimes be recognized as
actually ending the script tag, even when escaped (not exactly sure
why). This is fixed by encoding the < > characters in unicode.
2017-10-05 11:48:10 +10:30
Franz Liedke
b72407440d
Combine URL generator classes into one 2017-10-03 18:54:06 +02:00
Toby Zerner
89d4a1e849 Remove MySQL port field from visual installer
Port can still be specified by suffixing the host with a :

closes #825
2017-07-22 11:32:07 +09:30
Sajjad Hashemian
8cc117d89d Prevent crawlers to index nojs pages 2017-02-26 19:48:33 +03:30
David Sevilla Martín
fcfc1b2a37 Add more attributes in app.blade.php and add a setDescription method. (#1105)
* Added `language` and `direction` properties to WebAppView

* Use properties `language` and `direction` in app.blade.php

* Added WebAppView::setDescription to set the meta description

* Whoops! Changed "ltr" to \'ltr\'. Thanks StyleCI :)

* Removed unnecessary `= null` for

* Changed `.. ? .. : ..` to `.. ?: ..`. Useful thing right there ;)
2017-02-03 23:09:22 +01:00
Franz Liedke
2225fdec72 Merge pull request #989 from nielstholenaar/master
Fixes #825
2017-02-03 17:51:07 +01:00
Toby Zerner
4b8eb5d6e4 Make reset password form look slightly nicer
(Still needs a proper makeover!)
2016-11-13 09:01:38 +10:30
Toby Zerner
b2c691a03d Improve password reset validation/error handling 2016-11-13 08:51:38 +10:30
Niels Tholenaar
05c9ce335e Fixes #825 2016-06-20 12:34:41 +02:00
Toby Zerner
998bb5708e Display header HTML in layout rather than app wrapper
This is so a custom layout can opt-out of displaying header HTML (e.g. embed extension)
2016-06-05 09:53:08 +09:30
Toby Zerner
feffe53a86 Add ability to upload a logo + favicon, and add custom header HTML
Closes #268. Not going to bother with a preview SVG or anything fancy for now – we can think about that as part of #746. Right now it's just good to finally get this functionality in!

Also need to think about apple-touch-icon, msTile stuff, and social sharing image. Not sure if this is all too much for core, but it's definitely too much for the current Appearance page layout. Again, something to think about as part of #746.

Code is a bit rough around the edges, but figured there's not much point in using the command bus properly since #870.
2016-06-04 18:05:46 +09:30
Toby Zerner
9bfb797fdc Refactor the web app bootstrapping code
- All custom JS variables are now preloaded into the `app.data` object, rather than directly on the `app` object. This means that admin settings are available in `app.data.settings` rather than `app.settings`, etc.
- Cleaner route handler generation
- Renamed ConfigureClientView to ConfigureWebApp, though the former still exists and is deprecated
- Partial fix for #881 (strips ?nojs=1 from URL if possible, so that refreshing will attempt to load JS version again)
2016-05-26 19:04:24 +09:30
dcsjapan
b068536dbd Fix translation key for deleted username 2016-04-07 20:50:35 +09:00
dcsjapan
6d5582e4ac Extract translations from core blade files.
- Extracts translations from `reset.blade.php`.
- Adjusts namespacing of translations in other files.
- Fixes one direct reference to a `core.ref` key.
2016-04-07 17:45:58 +09:00
Toby Zerner
1395ce6c30 Upgrade to flarum-gulp 0.2.0 / Babel 6 2016-03-18 09:31:01 +10:30
Toby Zerner
e37c7a9b06 Remove sudo mode and add password confirmation when changing email address
closes #674
2016-03-11 12:44:18 +10:30
Toby Zerner
a6cf10f854 Applied fixes from StyleCI 2016-02-25 22:09:39 -05:00
Franz Liedke
9ecb5f437a Use stored slug for generating server-rendered link to discussion
Fixes #646.
2016-02-04 11:47:03 +01:00
Toby Zerner
387109002e Rework sessions, remember cookies, and auth again
- Use Symfony's Session component to work with sessions, instead of a custom database model. Separate the concept of access tokens from sessions once again.
- Extract common session/remember cookie logic into SessionAuthenticator and Rememberer classes.
- Extract AuthenticateUserTrait into a new AuthenticationResponseFactory class.
- Fix forgot password process.
2015-12-05 15:11:25 +10:30
Toby Zerner
9896378b59 Overhaul sessions, tokens, and authentication
- Use cookies + CSRF token for API authentication in the default client. This mitigates potential XSS attacks by making the token unavailable to JavaScript. The Authorization header is still supported, but not used by default.
- Make sensitive/destructive actions (editing a user, permanently deleting anything, visiting the admin CP) require the user to re-enter their password if they haven't entered it in the last 30 minutes.
- Refactor and clean up the authentication middleware.
- Add an `onhide` hook to the Modal component. (+1 squashed commit)
2015-12-03 15:11:57 +10:30
Toby Zerner
a6eff9383b Show loading indicator for admin client too 2015-11-04 11:51:25 +10:30
Toby Zerner
7dcb99621d Display "Loading..." text while JS is loading 2015-11-02 16:47:36 +10:30