Travis CI for core has been flaky for a while - processes
tend to die or are queued forever. The only thing travis
still executed for us is updating sonar cloud data.
This service has been introduced some years ago but did
never find significant usage and has never been configured.

The patch drops travis along with sonar-cloud. If anyone
wants to pick up work with sonar again, it could be added
as github action again.

Change-Id: I2929bfb1f72d1a6af273692b4f632d90280bf074
Resolves: #93084
Releases: master, 10.4, 9.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67144


Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

When a user logs in, the "cache" field "usergroup_cached_list"
is updated in the be_users table.

This value is used so the groups do not need to be recalculated
each time for each user (e.g. in Workspaces when sending
notifications and in Log module).

However, this has serious flaws:
1) If an admin removes a previously active user from a BE
   group, the cached list still contains the old group, until
   the user logs in
2) If a user never logged in before, the list is empty

This change removes this conceptual bug, and builds this
into the GroupResolver to use direct (optimized) DB queries
for these use cases, making the DB field obsolete.

Resolves: #79565
Releases: master
Change-Id: I9d8fd04cc466906d7f8da43887788f48de81c642
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67137


Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

The following tsconfig configurations have been removed in favor of
strong defaults and less configuration options:

- `mod.web_layout.disableIconToolbar`
- `mod.web_layout.disableSearchBox`

Resolves: #93077
Releases: master
Change-Id: I01da28e2b3fbc12693c00cb012c3749b4fa4b0c7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67117


Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Since core dependency injection is in place and is about to
replace the extbase dependency injection, marking properties
with the @Extbase\Inject annotation to invoke property injection is
deprecated and must be replaced by one of the following di
methods:

- constructor injection: works both with core and extbase di
  and is well suited to make extensions compatible for multiple
  TYPO3 versions.

- setter injection: Basically the same like constructor injection.
  Both the core and extbase di can handle setter injection and
  both are supported in different TYPO3 versions.

- (core) property injection: This kind of injection can be used
  but it requires the configuration of services via a Services.yaml
  in the Configuration folder of an extension.

The recommended way is constructor injection. Not only is it the
most compatible version of di, it also brings the advantage of
clearly showing dependencies of a class. Also, it quickly shows
if dependencies stack up which indicates that the service should
be refactored.

Releases: master
Resolves: #92386
Change-Id: I61afbb6bb15b136c200849c6c8f2cd6211d4c306
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65835


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

To explicitly refresh the internal cache of StorageRepository
when a file storage has been added/removed/updated, a public
method flush() has been added to the class.

Releases: master
Resolves: #93057
Change-Id: I514bc5c39f6749a171006968a8b513803c599f4d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67097


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

TYPO3 Core has its own implementation of driver classes
for database abstraction by effectively overriding e.g.
the PDO Statement class with TYPO3's Statment class
to ensure that resources are strings to be completely
transparent with Database abstraction.

Doctrine DBAL 3.0 will force Drivers to either
switch to composition or extend from the Abstract Driver classes.

This change switches TYPO3's native implementation
to extend from Abstract Driver classes, ensuring
forward-compatibility with Doctrine DBAL 3.0
for TYPO3 v11 with Drivers.

Resolves: #93076
Releases: master
Change-Id: I32b886fe13bc7b5c759c1d127b31fe6d3ba94141
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67115


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

The ShortcutRepository should not deal with generating
shortcut titles based on the provided arguments. This can
never be reliable, especially for custom extension code.
The appropriate title must be set by the calling controller
since this is the place where all necessary information,
to define such title, are available.

Therefore, adding a new shortcut button without defining
a display name is deprecated. All Core controllers are
adjusted to provide the necessary title themself.

Resolves: #93060
Releases: master
Change-Id: Ic15fe13769dec841868977a862464f8dd3c73c42
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67096


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

A 'true' MM relation (select / group with MM, but not inline
with foreign_field - used in core for pages/tt_content table
to sys_category via sys_category_record_mm) has two sorting
fields: 'sorting' for the local (sys_category) side, and
'sorting_foreign' for the foreign (pages / tt_content) side.

When categories are added to a tt_content element,
'sorting_foreign' is set to the given order of sys_category
elements. 'sorting' is set to 0. When then opening a
sys_category record that has multiple records pointing to
it with 0 as sorting, the returned order of records is
non-deterministic and depends on implicit DB engine fallbacks.

This also confuses the reference index, which checks
refindex integrity always from the 'local' side.

The patch adds 'uid_foreign' as second order-by field to
force deterministic ordering. There is still a possible
collision in multi table relations (more than one foreign
table uses the mm table like pages AND tt_content to
sys_category with foreign records having the same uid) and
if the mm table allows "multi" relations. Those scenarios
however have no explicit TCA configuration (only implicit
via MM_match_fields), need a deeper investigation and
possibly further detail patches later.

The patch should for now fix a functional test that is
flaky with postgres.

Change-Id: I3c89d0e67f8a4065354f9df173020ca0080e0d57
Resolves: #93075
Releases: master, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67110


Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

In order to re-use the group resolving, this logic
is now extract from AbstractUserAuthentication,
allowing to further optimize this code.

The hook $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauthgroup.php']['fetchGroups_postProcessing']
is removed and replaced by a PSR-14 event to modify the Group Data.

Resolves: #93056
Releases: master
Change-Id: If0fc7939e2617fae899474ba47ba786405e87a3c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67034


Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

This reverts commit 6558a6bd.

The client side template engine introduced in #91810 is inspired
by lit-html. It was introduced because ES6 modules like lit-html could
not be included in core AMD builds.
With the help of rollup, lit-html can be converted to AMD within
our build process. Therefore our own implementation is removed
in order for lit-html to be introduced afterwards.

Resolves: #93058
Reverts: #91810
Releases: master
Change-Id: I2d5d20a6f9e0c8c4c683dafb6e36500f1966bd35
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67095


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

The option "forceSetCookie", previously used
for lifetime, is only set in FrontendUserAuthentication,
and is moved to that subclass as a protected property,
making the dependencies between the parent class and the main class
cleaner.

Resolves: #93073
Releases: master
Change-Id: Ia711b2a0eb7b03ec1b352b0fd498d296a44df101
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67086


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

Makes lit-html loadable in unit tests.

composer require --dev typo3/testing-framework ^6.6.0

Change-Id: I4b5cbf0825d12708882e744b10ffa31b78332c25
Resolves: #93074
Releases: master, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67113


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Releases: master
Resolves: #93069
Relates: #93011
Change-Id: I80c970009694462d48ec65f96eb9b0f29cacf18c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67108


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

In preparation for Doctrine DBAL 3.0,

1. all usages of Doctrine\DBAL\DBALException have
been migrated to Doctrine\DBAL\Exception,
because DBAL Exception does not exist in
Doctrine 3.0 anymore.

2. Doctrine\DBAL\Platforms\PostgreSqlPlatform
has been migrated to Doctrine\DBAL\Platforms\PostgreSQL94Platform
because this class does not exist anymore in Doctrine DBAL 3.0,
same goes for Doctrine\DBAL\Platforms\SQLServerPlatform
which has been replaced by Doctrine\DBAL\Platforms\SQLServer2012Platform

3. Doctrine\DBAL\Driver\PDOException has been
renamed to Doctrine\DBAL\Driver\PDO\Exception

4. Doctrine\DBAL\Driver\PDOStatement has been
renamed to Doctrine\DBAL\Driver\PDO\Statement

Resolves: #93071
Releases: master
Change-Id: I05e82f2fca09eb7718a90c09f95e503980ae10ae
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67109


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Due to some missing casting and usage of wrong properties,
a wrong comparison happened.

In addition, the change now checks for "user" instead of "userSession",
as the "userSession" property is obsolete.

Resolves: #93066
Releases: master
Change-Id: I4a0ff4797265c15e5cf9a822e4f7e1ea31fb31c1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67103


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Ensures client-side function `SecurityUtility.encodeHtml` behaves like
`htmlspecialchars(..., ENT_QUOTES)`. The function is used for complete
nodes only, but now could be used for parts as well.

Resolves: #93068
Releases: master, 10.4, 9.5
Change-Id: I74b09676d0fdb8ddf09e7fc639480742fe645e9b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67105


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>

This patch adds EventDispatcher and Logger support to the various
transports where it was missing so far. Now the Mailer API should be
compatible to the underlaying Symfony Mailer and all features can be
used.

Resolves: #93000
Releases: master, 10.4
Change-Id: Iea222586a0f4d3e35e462c3cf27c16eec914b5c4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66145


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Gerdes <markus@madaxel.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Markus Gerdes <markus@madaxel.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

A first patch towards more reliable workspace-mm scenarios:
When a record is discarded that has mm relations, those
relations are now deleted along with the deleted "parent"
record.

Change-Id: Ic2abe8d1c828158cf86abe760aec8766abcd0e71
Resolves: #93064
Releases: master, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67100


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Flash Messages which should be stored in sessions,
are now stored as stringified JsonSerializable instead of
their objects themselves.

The huge advantages over the previous functionality
is that the FlashMessage objects are not instantiated during the process
when a session is loaded, but actually only when the FlashMessages
are needed, bringing a bit of performance for Backend functionality.

Resolves: #93063
Releases: master
Change-Id: Ie2da3b3d0a3fbb14416fd5743b3109221d30d28d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67098


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

The "$BE_USER->groupList" property is a comma-separated list
of userGroupUID, whereas "$BE_USER->includeGroupArray"
is a list of groups added to the includeGroupArray
which contains groups possibly added multiple times due
to recursion.

This is not needed, and therefore cleaned up,
the properties are removed.

Resolves: #93062
Releases: master
Change-Id: Ic358c1be56253acdbe3be4222196a074aab1e98c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67099


Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Resolves: #93065
Releases: master
Change-Id: Ia12c5e6fbec0441bc41508c6985b73347331157d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67102


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

With #91642 some event listeners were detached from the global document
object and reattached to better fitting DOM nodes to avoid pollution of
too many event listeners in document.

Unfortunately, this broke the module menu toggle after it has been
reloaded, e.g. after installing an extension via Extension Manager.

This change binds the event listener for the module menu state toggle to
the document object again.

Resolves: #93008
Related: #91642
Releases: master
Change-Id: I5da58a997db311205accfbaf57874460ce077e91
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67091


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Benni Mack <benni@typo3.org>

Showing PDF documents in Safari browsers is blocked due to recent
content-security-policy adjustments in `fileadmin/` directory.
This change uses a less restrictive approach for PDF documents.

Resolves: #93035
Releases: master, 10.4, 9.5
Change-Id: I58065e19c86c0054dc5f155e20d7f6a90baec20e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67081


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Marcus Schwemer <ms@schwemer.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Philipp Gampe <philipp.gampe@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Marcus Schwemer <ms@schwemer.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The method unpackExtensionFromExtensionDataArray()
is only used once, but with the second argument
set to "null", so all complexity down to EmConfUtility
is reduced.

Same goes for `isValidExtensionPath` in FileHandlingUtility
which is not related to FileHandlingUtility and does not
need to be exposed.

Resolves: #93059
Releases: master
Change-Id: I035e2faa81d6312c09ae5d040335784ec389f7c5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67093


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

In order to prepare for further refactorings and streamlining
extension manager code, resolving extensions' path is now
always handled with a full path.

Releases: master
Resolves: #93054
Change-Id: I2d853c3f5d4a6ae4861dcd174d380a855764d995
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64873


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

The internal public property BE_USER->dataLists is removed
as all data is now directly written into groupData now.

This is part of a larger clean up of legacy code of
UserAuthentication.

Resolves: #93052
Releases: master
Change-Id: I92ce48e71c5463ff5ddd3971deb5a82931dcc908
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67089


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Add a label to the search field via aria-label attribute, because a
separate all time visible label would break the design.

Also disable pointer-events for the icon so the search field
is focused when you click on the icon.

Resolves: #92644
Releases: master
Change-Id: If897e458efc0c0caf1958391b8f7ddbeca92f9f7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66276


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Michael Telgkamp <michael.telgkamp@mindscreen.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Michael Telgkamp <michael.telgkamp@mindscreen.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Introduce a slim and simplistic client-side templating engine to
avoid using custom template processing with e.g. jQuery and keep
results robust agains cross-site scripting.

This module has been inspired by `lit-html`, uses some of their
vocabulary and behavior, but actually does not have all of their
great features - see https://lit-element.polymer-project.org/

Resolves: #91810
Releases: master
Change-Id: I4402f64625cb5526d246c315312a7977b68e88ac
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65047


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The BackendException class is exported as named (not as default)
export in BackendException.ts, and therefore the module consumer
needs to access the BackendException property of the module.
Fix FormEngine to do so.

Releases: master, 10.4
Resolves: #92249
Change-Id: Id416e7ee4753db033301c43482b786c38075e13a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65688


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The public property $sendNoCacheHeaders of
AbstractUserAuthentication is now fully put into
PSR-15 middlewares, which decide on their own
if headers diasallowing HTTP caches should be sent to the client.

This change removes the property, as the PSR-15 middlewares
set the headers already since TYPO3 v10.

Resolves: #93047
Releases: master
Change-Id: I242d972c1a37a0642be19522f321e3f0ee88935d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67082


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

This change raises a codeception-related (dev-) dependencies to
enable PHP 8 support:

Used composer command:

composer req --dev codeception/codeception:^4.1.12 \
 codeception/lib-asserts:^1.13.2 \
 codeception/module-asserts:^1.3.1 \
 codeception/module-filesystem:^1.0.3 \
 codeception/module-webdriver:^1.1.4 \
 php-webdriver/webdriver:^1.9.0

Resolves: #93050
Releases: master
Change-Id: Ibde6f696cc620e2fdbf162c80d4ee6a1ba7c23b4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67085


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

This patch avoids further undetected usages of deprecated
methods:

- ControllerContext::getFlashMessageQueue()
- ControllerContext::getUriBuilder()

Those methods have been called on a controller context
instance obtained by the rendering context.

Releases: master
Resolves: #93036
Releates: #93019
Releates: #93016
Change-Id: I0634580479f2a814e2644d35cc25abc1ca411d79
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67075


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The AbstractUserAuthentication class handles way too much
of what it should know / do.

For this reason, a new UserSession object which contains
basic information needed for everything belonging to a non-fixated
session, a fixated anonymous session, if a session was evelated,
or if a session has expired, is kept in there.
The "SessionManager" should not be used anymore publically
but slowly dissolve into a SessionBackendManager.

Design goals:
* UserAuth object should not know about session backends
* UserAuth should not store sessionData etc. directly in its own object
* Decouple UserSession info from any properties of UserAuth
* A UserSessionManager deals with the creation and validation of the UserSession objects. No Session Objects can be created etc outside
of this class to maintain persistability
* UserSessionManager also encapsulates ipLocking and the responsible SessionBackend

Final goals to be tackled later:
* Build a user session object from the request object, and not within the UserAuth object
* Session Handling can be accessed outside of UserAuth
* Cookie Handling and Session Handling are separated from UserAuth
* Load Session information from PSR-7 request instead of $_COOKIE

Resolves: #93023
Releases: master
Change-Id: Ia2d8244e433d0f6adf220d443b2c0947f251b5e9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66935


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

Inline JavaScript produced by BackendUtility:viewOnClick is substituted
with markup based instructions and static JavaScript event handlers.

// basically delivers window.open(generatedUri)
BackendUtility::viewOnClick($pageId, $backPath, $rootLine, $section,
    $viewUri, $getVars, $switchFocus);

can be substituted with e.g.

\TYPO3\CMS\Backend\Routing\PreviewUriBuilder::create($pageId, $viewUri)
    ->withRootLine($rootLine)
    ->withSection($section)
    ->withAdditionalQueryParameters($getVars)
    ->serializeDispatcherAttributes([
        PreviewUriBuilder::OPTION_SWITCH_FOCUS => $switchFocus,
    ]);

which results in the following HTML data attributes
(data can be retrieved as array of complete element as well)

data-dispatch-action="TYPO3.WindowManager.localOpen"
data-dispatch-args="["https://...",null,"previewWin"]"

Resolves: #91123
Releases: master
Change-Id: Iedd9bfe60827977677ee68e2c948c63e359abf84
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64243


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>

The option typolink.addQueryString.method only has either "GET"
or nothing (using $_SERVER[QUERY_PARAMS]) as possibility.

In order to effectively make use of PSR-7 Requests and better
routing capabilities, the "GET" method is preferred, making
the whole option obsolete, and removing it.

All related Fluid arguments and Extbase UriBuilder
methods are deprecated.

Resolves: #93041
Releases: master
Change-Id: I286fdf08548f224f5e4287ad36b43b2d79a669b8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67000


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>

* Since introduction of class ReferenceIndexUpdater each
  record is handled only once when updating the reference
  index. The record runtime cache is obsolete and can be
  dropped.

* The $excludedTables and $excludedColumns properties are
  non-static now: In normal operation only one instance
  of ReferenceIndex class is created and used for many
  records, there is no point in creating hard to evict
  static state.

* A runtime cache has been used for information derived
  from TCA (no db calls). This is dropped in favor of a
  class property.

Change-Id: I5cf16e38ec8f36dfa838cdbc6591b59b463be3f9
Resolves: #93038
Releases: master
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67076


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Page unavailable (e.g. maintenance mode) is a "503 service unavailable"
error, not 500 internal server error.
If TYPO3 is in maintenance mode then a 503 error is now thrown.
Also 503 Error Handlers are taken into account now.

Releases: master, 10.4
Resolves: #93032
Change-Id: I8bd013fc202b07263388fc22ec2256262c40b709
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67074


Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

Since TYPO3 11 requires php >= 7.4 and since symfony
components support php 7.4 type hint evaluations as
well, some tests have been added to verify that when
building ClassSchema instances, property types are
properly detected.

Releases: master
Resolves: #93037
Change-Id: Ia50934731838d2bdccc2e6bdb4cdebb3b1a096b9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67077


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

With this patch method getFlashMessageQueue() of ControllerContext
is deprecated and the core avoids using it.

A trigger_error call will be implemented in another patch set
which deprecates the whole ControllerContext object.

Releases: master
Resolves: #93016
Change-Id: I20b47dc26892b4affb1aec8e147169738139241c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67044


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

Keeping relation information for soft deleted records
in sys_refindex is quite useless: When records are
undeleted, the reference index is updated to recreate
rows. Additionally, the deleted handling was incomplete,
especially if a record on the 'right' side of the relation
got deleted.

The patch drops the deleted field from the table and
prevents adding relations for soft deleted rows.
Furthermore, visibility of a couple of properties and
methods is changed to protected and a series of not used
methods is removed.

Note the hash sums change due to the removal of the deleted
field. The CLI command "bin/typo3 referenceindex:update"
will update hashes and will drop obsolete deleted rows.

Change-Id: I58d7a904a6b4c555529b7c70e45d56ccb498f77f
Resolves: #93029
Releases: master
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66968


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>