Commit Graph

3246 Commits

Author SHA1 Message Date
Franz Liedke
8e86d38804 Merge pull request from GHSA-3wjh-93gr-chh6
* Integration tests: Memoize request handler as well

This is useful to send HTTP requests (or their PSR-7 equivalents)
through the entire application's middleware stack (instead of
talking to specific controllers, which should be considered
implementation detail).

* Add tests for CSRF token check

* Integration tests: Configure vendor path

Now that this is possible, make the easy change...

* Implement middleware for CSRF token verification

This fixes a rather large oversight in Flarum's codebase, which was that
we had no explicit CSRF protection using the traditional token approach.

The JS frontend was actually sending these tokens, but the backend did
not require them.

* Accept CSRF token in request body as well

* Refactor tests to shorten HTTP requests

Multiple tests now provide JSON request bodies, and others copy cookies
from previous responses, so let's provide convenient helpers for these.

* Fixed issue with tmp/storage/views not existing, this caused tmpname to notice.
Fixed csrf test that assumed an access token allows application access, which is actually api token.
Improved return type hinting in the StartSession middleware

* Using a different setting key now, so that it won't break tests whenever you re-run them once smtp is set.
Fixed, badly, the test to create users etc caused by the prepareDatabase flushing all settings by default.

* added custom view, now needs translation
2019-06-24 09:14:38 +02:00
Daniël Klabbers
fd66722945 added custom view, now needs translation 2019-06-22 19:40:20 +02:00
Daniël Klabbers
ce42b5e035 Using a different setting key now, so that it won't break tests whenever you re-run them once smtp is set.
Fixed, badly, the test to create users etc caused by the prepareDatabase flushing all settings by default.
2019-06-18 17:45:29 +02:00
Daniël Klabbers
bfd3a667dd Fixed issue with tmp/storage/views not existing, this caused tmpname to notice.
Fixed csrf test that assumed an access token allows application access, which is actually api token.
Improved return type hinting in the StartSession middleware
2019-06-18 17:22:23 +02:00
Daniël Klabbers
b669490d33
Update CHANGELOG.md
clarifying reason for change on the `like` fix
2019-06-13 09:13:31 +02:00
Franz Liedke
ba956f51ac
Update changelog 2019-06-13 01:03:39 +02:00
Franz Liedke
c126b95451
Refactor tests to shorten HTTP requests
Multiple tests now provide JSON request bodies, and others copy cookies
from previous responses, so let's provide convenient helpers for these.
2019-06-13 00:13:59 +02:00
Franz Liedke
7f7484e790
Accept CSRF token in request body as well 2019-06-13 00:13:58 +02:00
Franz Liedke
5d64056e89
Implement middleware for CSRF token verification
This fixes a rather large oversight in Flarum's codebase, which was that
we had no explicit CSRF protection using the traditional token approach.

The JS frontend was actually sending these tokens, but the backend did
not require them.
2019-06-13 00:13:58 +02:00
Franz Liedke
e927254e99
Add tests for CSRF token check 2019-06-13 00:13:57 +02:00
Franz Liedke
8061bfd74a
Integration tests: Configure vendor path
Now that this is possible, make the easy change...
2019-06-13 00:13:57 +02:00
Franz Liedke
4c309d2ad7
Integration tests: Memoize request handler as well
This is useful to send HTTP requests (or their PSR-7 equivalents)
through the entire application's middleware stack (instead of
talking to specific controllers, which should be considered
implementation detail).
2019-06-13 00:13:57 +02:00
Franz Liedke
54876cfbd6
Integration tests: Fix test setup 2019-06-13 00:13:38 +02:00
Franz Liedke
9e2b796a7c
Fix syntax error 2019-06-13 00:11:57 +02:00
Franz Liedke
7f5bd1e96b
Apply fixes from StyleCI (#1793)
[ci skip] [skip ci]
2019-06-12 23:50:21 +02:00
Franz Liedke
5e1680c458
Introduce a vendor path
This lets us or anyone modify the path from where dependencies (usually
installed into /vendor by Composer) are loaded. We need to be able to
tweak this in our integration tests, where the application code under
test needs access to certain dependencies.
2019-06-12 23:48:22 +02:00
Franz Liedke
6e26b988bd
Inject app, not container, to avoid global helpers 2019-06-12 23:48:22 +02:00
Daniël Klabbers
2e8d4e4b6b
Update CHANGELOG.md
added fix for js compiler tmp path fix to changelog
2019-06-12 17:18:21 +02:00
Daniël Klabbers
14bede2847 Merge branch 'master' of github.com:flarum/core 2019-06-12 16:47:15 +02:00
Daniël Klabbers
54660ebd63 fixed issue with the Js compiler being unable to use the system tmp directory, using the one in storage is much safer across different operating systems 2019-06-12 16:46:53 +02:00
Daniël Klabbers
1a62b7e07a
Update CHANGELOG.md
fixed missing link markdown
2019-06-12 00:43:57 +02:00
Daniël Klabbers
4b04c0e0ce
Update CHANGELOG.md
added missing changelog item for #1738
2019-06-12 00:43:09 +02:00
Daniël Klabbers
4d45ce389b
Update CHANGELOG.md
referenced incorrect (parent) commit in changelog
2019-06-12 00:38:54 +02:00
Daniël Klabbers
d2674fb309 patched constraint for components/font-awesome, fixes #1790 2019-06-11 20:22:35 +02:00
Annim Banerjee
5eb69e1f59 Updated names to match components in fontawsome (#1791)
fa-* named components are not present, hence updated to matching names.
2019-06-11 20:17:59 +02:00
Franz Liedke
f42142979d
Load LESS variables via path traversal
Since these files are part of the same package, there is no need
to assume a Composer context to load these from. Instead, we can
just load them via the path relative to the current PHP file.

This assumption may break in certain environments, and it is
already broken when running (integration) tests.
2019-06-09 00:19:06 +02:00
Franz Liedke
5f79d3b499
This method should be private 2019-06-09 00:19:05 +02:00
Franz Liedke
8e4d97260f
Do not rely on extensions_enabled being present
This mostly simplifies setup in complex integration tests.
2019-06-09 00:19:05 +02:00
Daniël Klabbers
ee3640e160 remove use of like which might cause unwanted side effects (#1787) 2019-06-03 12:04:17 +02:00
Franz Liedke
bd584802e5
Update changelog 2019-06-01 20:12:30 +02:00
flarum-bot
f4dd045326 Bundled output for commit 24522943f6 [skip ci] 2019-06-01 18:10:13 +00:00
Franz Liedke
24522943f6
Update insecure jQuery version
Thanks, GitHub security alerts!
2019-06-01 20:03:07 +02:00
Franz Liedke
56fde28e43
Restore "originalUri" request attribute
This is helpful when Flarum is installed in subfolders.

Fixes #778.
2019-06-01 12:51:05 +02:00
Franz Liedke
1c1d661bdd
Use the settings repository's default value
Updates commit bf2c5a5564.
2019-05-24 20:11:34 +02:00
Franz Liedke
d3be186fb6
Update changelog 2019-05-24 20:11:31 +02:00
Daniël Klabbers
8f8cc558be
Update SECURITY.md
fixed typo
2019-05-23 11:15:55 +02:00
Franz Liedke
5ea9e1cf5e
Add a security policy 2019-05-23 11:10:53 +02:00
Toby Zerner
99a6066f96
Merge pull request #1779 from clarkwinkelmann/fix-userpage-card-dropdown
Fix dropdown icon not showing in UserCard when on UserPage
2019-05-02 19:21:39 +09:30
Toby Zerner
8b7db726dc
Merge pull request #1780 from clarkwinkelmann/remove-notification-id
Remove notification id from serializer attributes
2019-05-02 19:20:42 +09:30
Clark Winkelmann
7a44086bf3
Remove notification id from serializer attributes 2019-05-01 23:05:25 +02:00
Clark Winkelmann
12fdfc9b54
Fix dropdown icon not showing in UserCard when on UserPage
The rule hiding the icon in the UserHero was too broad and applied to UserCard in the list of posts as well
The float rule was redundant
2019-05-01 22:54:13 +02:00
Clark Winkelmann
ecc3b5e227 Remove post id from serializer attributes (#1775) 2019-04-19 21:37:14 +02:00
Daniël Klabbers
bf2c5a5564 This small fix prevents that the forum frontend breaks whenever
custom_less is NULL or unavailable in the database. We cannot rely
on this value to exist or is incorrectly set to null and thus
completely bricking the app.
2019-04-12 14:10:20 +02:00
Toby Zerner
d3a5c91845 Update changelog 2019-03-24 12:26:02 +10:30
Toby Zerner
e17bb0b433 Fix is:unread gambit 2019-03-24 12:24:44 +10:30
flarum-bot
c4ba41f850 Bundled output for commit 0c4de6f163 [skip ci] 2019-03-20 21:09:11 +00:00
Franz Liedke
0c4de6f163
Fix storing dynamic mail settings
Refs #1169.
2019-03-20 22:02:06 +01:00
flarum-bot
cd313952c7 Bundled output for commit 5154d7e5a6 [skip ci] 2019-03-19 09:06:21 +00:00
Franz Liedke
ef57b443c1
Apply fixes from StyleCI (#1761)
[ci skip] [skip ci]
2019-03-19 09:59:09 +01:00
Franz Liedke
5154d7e5a6
Allow configuring all drivers via frontend (#1169)
This includes an API endpoint for fetching the list of possible
drivers and their configuration fields. In the future, this can
be extended to include more meta information about each field.
2019-03-19 09:56:20 +01:00