Commit Graph

3211 Commits

Author SHA1 Message Date
Franz Liedke
5103a50711 Type hint contract, not implementation 2019-07-06 01:30:58 +02:00
Franz Liedke
32e84d651c Use Laravel's class-based Str and Arr helpers
Starting with version 5.9, the global funtions will be deprecated.

* https://laravel-news.com/laravel-5-8-deprecates-string-and-array-helpers
* https://github.com/laravel/framework/pull/26898
2019-07-06 01:30:58 +02:00
Franz Liedke
039973c5f8 Issue templates: Remove vulnerability information
GitHub now automatically displays this information (or rather, links to
the Security Policy) at the issue type selection page.
2019-07-06 00:08:55 +02:00
Franz Liedke
c76f606437 Use class constant instead of strings 2019-07-06 00:03:25 +02:00
Franz Liedke
bbd0cc5676 Add descriptions to custom Composer scripts 2019-07-05 23:34:23 +02:00
David Sevilla Martín
02ab9eb905 Update Application version string to beta 9 (#1784) 2019-07-05 12:37:02 +02:00
flarum-bot
eb68b3ec3a Bundled output for commit 26b9a3ec69 [skip ci] 2019-06-27 19:23:54 +00:00
David Sevilla Martín
26b9a3ec69 Merge pull request #1803 from flarum/ds/1777-previous-route-default
Visit home page if previous route does not exist when going back in history
2019-06-27 15:17:41 -04:00
David Sevilla Martín
28e5f5cdb2 Update CHANGELOG.md 2019-06-27 15:07:53 -04:00
David Sevilla Martín
20dfcfc39c Visit home page if no previous route exists
Fixes #1777
2019-06-27 14:58:05 -04:00
Daniël Klabbers
f71db08467 added changelog item for mediumText fix in posts.content 2019-06-24 14:57:13 +02:00
Daniël Klabbers
b7e1cfd88e Merge branch 'master' of github.com:flarum/core 2019-06-24 14:55:05 +02:00
Daniël Klabbers
0b7c611715 fixes #1801, increasing the size of posts.content to mediumText correctly 2019-06-24 14:53:56 +02:00
Daniël Klabbers
c443aa09e3 fixed tests on master, missing views directory and suppressing notices from tempnam when storing files in tmp 2019-06-24 13:00:36 +02:00
Daniël Klabbers
cbd57be8f1 Merge branch 'master' into advisory-fix-1 2019-06-24 12:53:37 +02:00
Daniël Klabbers
de5ab3a436 Merge branch 'master' of github.com:flarum/core 2019-06-24 10:49:39 +02:00
Daniël Klabbers
96bf238aea removed link to home, go back, which is always the case with csrf token invalidation 2019-06-24 10:49:31 +02:00
Daniël Klabbers
c935f8c74d Apply fixes from StyleCI (#1800)
[ci skip] [skip ci]
2019-06-24 09:15:15 +02:00
Franz Liedke
a65074d01b Merge pull request from GHSA-3wjh-93gr-chh6
* Integration tests: Memoize request handler as well

This is useful to send HTTP requests (or their PSR-7 equivalents)
through the entire application's middleware stack (instead of
talking to specific controllers, which should be considered
implementation detail).

* Add tests for CSRF token check

* Integration tests: Configure vendor path

Now that this is possible, make the easy change...

* Implement middleware for CSRF token verification

This fixes a rather large oversight in Flarum's codebase, which was that
we had no explicit CSRF protection using the traditional token approach.

The JS frontend was actually sending these tokens, but the backend did
not require them.

* Accept CSRF token in request body as well

* Refactor tests to shorten HTTP requests

Multiple tests now provide JSON request bodies, and others copy cookies
from previous responses, so let's provide convenient helpers for these.

* Fixed issue with tmp/storage/views not existing, this caused tmpname to notice.
Fixed csrf test that assumed an access token allows application access, which is actually api token.
Improved return type hinting in the StartSession middleware

* Using a different setting key now, so that it won't break tests whenever you re-run them once smtp is set.
Fixed, badly, the test to create users etc caused by the prepareDatabase flushing all settings by default.

* added custom view, now needs translation
2019-06-24 09:14:38 +02:00
Daniël Klabbers
f49564b548 added custom view, now needs translation 2019-06-22 19:40:20 +02:00
Daniël Klabbers
304e36ca22 Using a different setting key now, so that it won't break tests whenever you re-run them once smtp is set.
Fixed, badly, the test to create users etc caused by the prepareDatabase flushing all settings by default.
2019-06-18 17:45:29 +02:00
Daniël Klabbers
b69b24eea6 Fixed issue with tmp/storage/views not existing, this caused tmpname to notice.
Fixed csrf test that assumed an access token allows application access, which is actually api token.
Improved return type hinting in the StartSession middleware
2019-06-18 17:22:23 +02:00
Daniël Klabbers
6fe9ea3dee Update CHANGELOG.md
clarifying reason for change on the `like` fix
2019-06-13 09:13:31 +02:00
Franz Liedke
5a16992398 Update changelog 2019-06-13 01:03:39 +02:00
Franz Liedke
953cae0de1 Refactor tests to shorten HTTP requests
Multiple tests now provide JSON request bodies, and others copy cookies
from previous responses, so let's provide convenient helpers for these.
2019-06-13 00:13:59 +02:00
Franz Liedke
3899cd8487 Accept CSRF token in request body as well 2019-06-13 00:13:58 +02:00
Franz Liedke
aa43d1475e Implement middleware for CSRF token verification
This fixes a rather large oversight in Flarum's codebase, which was that
we had no explicit CSRF protection using the traditional token approach.

The JS frontend was actually sending these tokens, but the backend did
not require them.
2019-06-13 00:13:58 +02:00
Franz Liedke
69fdd82ffc Add tests for CSRF token check 2019-06-13 00:13:57 +02:00
Franz Liedke
53cc505037 Integration tests: Configure vendor path
Now that this is possible, make the easy change...
2019-06-13 00:13:57 +02:00
Franz Liedke
a7259bbd5f Integration tests: Memoize request handler as well
This is useful to send HTTP requests (or their PSR-7 equivalents)
through the entire application's middleware stack (instead of
talking to specific controllers, which should be considered
implementation detail).
2019-06-13 00:13:57 +02:00
Franz Liedke
5632ffb62b Integration tests: Fix test setup 2019-06-13 00:13:38 +02:00
Franz Liedke
3f2d1ffd02 Fix syntax error 2019-06-13 00:11:57 +02:00
Franz Liedke
ae409751c1 Apply fixes from StyleCI (#1793)
[ci skip] [skip ci]
2019-06-12 23:50:21 +02:00
Franz Liedke
a5b70d5175 Introduce a vendor path
This lets us or anyone modify the path from where dependencies (usually
installed into /vendor by Composer) are loaded. We need to be able to
tweak this in our integration tests, where the application code under
test needs access to certain dependencies.
2019-06-12 23:48:22 +02:00
Franz Liedke
ab731f090f Inject app, not container, to avoid global helpers 2019-06-12 23:48:22 +02:00
Daniël Klabbers
20207e1294 Update CHANGELOG.md
added fix for js compiler tmp path fix to changelog
2019-06-12 17:18:21 +02:00
Daniël Klabbers
e8beafa1d4 Merge branch 'master' of github.com:flarum/core 2019-06-12 16:47:15 +02:00
Daniël Klabbers
23f2082f07 fixed issue with the Js compiler being unable to use the system tmp directory, using the one in storage is much safer across different operating systems 2019-06-12 16:46:53 +02:00
Daniël Klabbers
8c3065680a Update CHANGELOG.md
fixed missing link markdown
2019-06-12 00:43:57 +02:00
Daniël Klabbers
6b3e2c6205 Update CHANGELOG.md
added missing changelog item for #1738
2019-06-12 00:43:09 +02:00
Daniël Klabbers
b939539149 Update CHANGELOG.md
referenced incorrect (parent) commit in changelog
2019-06-12 00:38:54 +02:00
Daniël Klabbers
c65b3e5cec patched constraint for components/font-awesome, fixes #1790 2019-06-11 20:22:35 +02:00
Annim Banerjee
4c731ac621 Updated names to match components in fontawsome (#1791)
fa-* named components are not present, hence updated to matching names.
2019-06-11 20:17:59 +02:00
Franz Liedke
77025c7bfd Load LESS variables via path traversal
Since these files are part of the same package, there is no need
to assume a Composer context to load these from. Instead, we can
just load them via the path relative to the current PHP file.

This assumption may break in certain environments, and it is
already broken when running (integration) tests.
2019-06-09 00:19:06 +02:00
Franz Liedke
836351f0cc This method should be private 2019-06-09 00:19:05 +02:00
Franz Liedke
2637e83490 Do not rely on extensions_enabled being present
This mostly simplifies setup in complex integration tests.
2019-06-09 00:19:05 +02:00
Daniël Klabbers
57463f4862 remove use of like which might cause unwanted side effects (#1787) 2019-06-03 12:04:17 +02:00
Franz Liedke
c740c7f593 Update changelog 2019-06-01 20:12:30 +02:00
flarum-bot
50eda14bf3 Bundled output for commit 046c3d0da8 [skip ci] 2019-06-01 18:10:13 +00:00
Franz Liedke
046c3d0da8 Update insecure jQuery version
Thanks, GitHub security alerts!
2019-06-01 20:03:07 +02:00