This change raises a codeception-related (dev-) dependencies to
enable PHP 8 support:

Used composer command:

composer req --dev codeception/codeception:^4.1.12 \
 codeception/lib-asserts:^1.13.2 \
 codeception/module-asserts:^1.3.1 \
 codeception/module-filesystem:^1.0.3 \
 codeception/module-webdriver:^1.1.4 \
 php-webdriver/webdriver:^1.9.0

Resolves: #93050
Releases: master
Change-Id: Ibde6f696cc620e2fdbf162c80d4ee6a1ba7c23b4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67085


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

This patch avoids further undetected usages of deprecated
methods:

- ControllerContext::getFlashMessageQueue()
- ControllerContext::getUriBuilder()

Those methods have been called on a controller context
instance obtained by the rendering context.

Releases: master
Resolves: #93036
Releates: #93019
Releates: #93016
Change-Id: I0634580479f2a814e2644d35cc25abc1ca411d79
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67075


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The AbstractUserAuthentication class handles way too much
of what it should know / do.

For this reason, a new UserSession object which contains
basic information needed for everything belonging to a non-fixated
session, a fixated anonymous session, if a session was evelated,
or if a session has expired, is kept in there.
The "SessionManager" should not be used anymore publically
but slowly dissolve into a SessionBackendManager.

Design goals:
* UserAuth object should not know about session backends
* UserAuth should not store sessionData etc. directly in its own object
* Decouple UserSession info from any properties of UserAuth
* A UserSessionManager deals with the creation and validation of the UserSession objects. No Session Objects can be created etc outside
of this class to maintain persistability
* UserSessionManager also encapsulates ipLocking and the responsible SessionBackend

Final goals to be tackled later:
* Build a user session object from the request object, and not within the UserAuth object
* Session Handling can be accessed outside of UserAuth
* Cookie Handling and Session Handling are separated from UserAuth
* Load Session information from PSR-7 request instead of $_COOKIE

Resolves: #93023
Releases: master
Change-Id: Ia2d8244e433d0f6adf220d443b2c0947f251b5e9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66935


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

Inline JavaScript produced by BackendUtility:viewOnClick is substituted
with markup based instructions and static JavaScript event handlers.

// basically delivers window.open(generatedUri)
BackendUtility::viewOnClick($pageId, $backPath, $rootLine, $section,
    $viewUri, $getVars, $switchFocus);

can be substituted with e.g.

\TYPO3\CMS\Backend\Routing\PreviewUriBuilder::create($pageId, $viewUri)
    ->withRootLine($rootLine)
    ->withSection($section)
    ->withAdditionalQueryParameters($getVars)
    ->serializeDispatcherAttributes([
        PreviewUriBuilder::OPTION_SWITCH_FOCUS => $switchFocus,
    ]);

which results in the following HTML data attributes
(data can be retrieved as array of complete element as well)

data-dispatch-action="TYPO3.WindowManager.localOpen"
data-dispatch-args="["https://...",null,"previewWin"]"

Resolves: #91123
Releases: master
Change-Id: Iedd9bfe60827977677ee68e2c948c63e359abf84
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64243


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>

The option typolink.addQueryString.method only has either "GET"
or nothing (using $_SERVER[QUERY_PARAMS]) as possibility.

In order to effectively make use of PSR-7 Requests and better
routing capabilities, the "GET" method is preferred, making
the whole option obsolete, and removing it.

All related Fluid arguments and Extbase UriBuilder
methods are deprecated.

Resolves: #93041
Releases: master
Change-Id: I286fdf08548f224f5e4287ad36b43b2d79a669b8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67000


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>

* Since introduction of class ReferenceIndexUpdater each
  record is handled only once when updating the reference
  index. The record runtime cache is obsolete and can be
  dropped.

* The $excludedTables and $excludedColumns properties are
  non-static now: In normal operation only one instance
  of ReferenceIndex class is created and used for many
  records, there is no point in creating hard to evict
  static state.

* A runtime cache has been used for information derived
  from TCA (no db calls). This is dropped in favor of a
  class property.

Change-Id: I5cf16e38ec8f36dfa838cdbc6591b59b463be3f9
Resolves: #93038
Releases: master
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67076


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Page unavailable (e.g. maintenance mode) is a "503 service unavailable"
error, not 500 internal server error.
If TYPO3 is in maintenance mode then a 503 error is now thrown.
Also 503 Error Handlers are taken into account now.

Releases: master, 10.4
Resolves: #93032
Change-Id: I8bd013fc202b07263388fc22ec2256262c40b709
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67074


Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

Since TYPO3 11 requires php >= 7.4 and since symfony
components support php 7.4 type hint evaluations as
well, some tests have been added to verify that when
building ClassSchema instances, property types are
properly detected.

Releases: master
Resolves: #93037
Change-Id: Ia50934731838d2bdccc2e6bdb4cdebb3b1a096b9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67077


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

With this patch method getFlashMessageQueue() of ControllerContext
is deprecated and the core avoids using it.

A trigger_error call will be implemented in another patch set
which deprecates the whole ControllerContext object.

Releases: master
Resolves: #93016
Change-Id: I20b47dc26892b4affb1aec8e147169738139241c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67044


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

Keeping relation information for soft deleted records
in sys_refindex is quite useless: When records are
undeleted, the reference index is updated to recreate
rows. Additionally, the deleted handling was incomplete,
especially if a record on the 'right' side of the relation
got deleted.

The patch drops the deleted field from the table and
prevents adding relations for soft deleted rows.
Furthermore, visibility of a couple of properties and
methods is changed to protected and a series of not used
methods is removed.

Note the hash sums change due to the removal of the deleted
field. The CLI command "bin/typo3 referenceindex:update"
will update hashes and will drop obsolete deleted rows.

Change-Id: I58d7a904a6b4c555529b7c70e45d56ccb498f77f
Resolves: #93029
Releases: master
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66968


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

As the PageLayoutView is marked as deprecated all usages must be
changed. This patch migrates the hooks from PageLayoutView into
PreviewRenderer.

Resolves: #92926
Releases: master

Change-Id: Ieed06e08c3a3896ad574a3d54d89716c8e8ed808
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66692


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Remove usage of $mock->at() matcher and some other
deprecated matchers.

Following matchers are deprecated in phpunit v9:

* at()
* assertRegExp()
* assertFileNotExists()

Those were replaced with their respective replacements.

Resolves: #92461
Releases: master, 10.4
Change-Id: Id8373659160c219c2caff8bcbe0bdb9b0da16436
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65971


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

The method returned the opposite of what the function name
defines. It checks whether the current backend route
is a public route, and in that case it returned true. But if
a public route is requested, then a backend user is actually
*not* required.

The method was then used inverted, which contervailed this mistake.
Therefore there was no functional bug here, just a naming bug.

Therefore we now invert the result of this method.

Releases: master
Resolves: #93021
Change-Id: I4ae585eb9259360cb3975df6654640d18ec45932
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67048


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Move the database queries of EXT:linkvalidator into a new class
PagesRepository to make the functionality more flexible and easier to
test.

Resolves: #93006
Releases: master
Change-Id: Id068d0ef876005db11aceffb11ad968a08f377cf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67040


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Several properties and methods in the ActionController
are marked interal and will remain as is only until
TYPO3 11 LTS. From version 12.0 on, said properties and
methods may change or vanish without further notice.

Releases: master
Resolves: #92996
Change-Id: Ia03f4746f45dcc9223907c9c8a4927e2e1f86876
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67008


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benni Mack <benni@typo3.org>

With this patch method geturiBuilder() of ControllerContext
is deprecated and the core avoids using it.

A trigger_error call will be implemented in another patch set
which deprecates the whole ControllerContext object.

Releases: master
Resolves: #93019
Change-Id: Ie36bac79a6da3400a2b3594d5519af13f23a22c6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67047


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

The template now evaluates the correct variable for
checking whether the login message should be
displayed on the overview page.

Resolves: #92939
Releases: master, 10.4
Change-Id: I54dd4759b3154be5e57cc38df89a52e22c838f63
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67049


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Simon Gilli <typo3@gilbertsoft.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>
Reviewed-by: Benni Mack <benni@typo3.org>

In previous TYPO3 versions, AbstractUserAuthentication emitted
cookies directly via header() or setcookie() methods.

In order to have a better testing scenario, this change
builds Cookie objects and keeps them until a PSR-15 middleware
asks to apply the cookie information to a PSR-7 Response.

This also makes it possible to manipulate the authentication
cookies in Middlewares.

AbstractUserAuthentication does not actually "remove"
or "set" a cookie but rather keeps the information for
setting a cookie.

Resolves: #93011
Releases: master
Change-Id: Iaec0007a1347676bc3ba570b4b5a1da63d58d7e6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67032


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

The composer min stage in nightly tests should respect the PHP version
the run is executed with.
So the platform.php setting will be the lowest possible PHP version
of its own input, not the lowest possible TYPO3 currently supports.

Resolves: #93020
Releases: master, 10.4
Change-Id: Id5cd4d4bce5f015ae35303cbcd0d0d561730204a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66940


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Since $loginType will be always 'BE' in this context, there is
no need to access $GLOBALS['BE_USER'] for this information.

Resolves: #93018
Releases: master
Change-Id: I0c6bef5d7f8eebbe2aca325d7e3737a2659dd53a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67046


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

If a versioned page is inaccessible due to versionOL, the row will be
converted to a value of "false". This can be the case for deleted or hidden pages.
In those cases, the tree should not include this page.
Keeping the page would furthermore result in a type error, as later
calls expect $row to be an array.

Resolves: #93009
Releases: master, 10.4
Change-Id: I43033e6fe3b403ffc2eebb2cc7080b988425917e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67043


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

Logic around Backend User Sessions and its access
across the EXT:beuser backend module is now encapsulated
and streamlined:

* The BackendUserSessionRepository does not inherit
from Extbase anymore, as there is nothing needed here
* No ObjectManager is needed, GeneralUtility can be used instead
* All access to the actual sessionBackend is now placed inside
this method.

This allows to further streamline the User Session handling
at a later stage.

Resolves: #93017
Releases: master
Change-Id: I02ab22d90e570cd04f4e6a3ea96412dfbf247967
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67045


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

PageRenderer->render() does not accept any arguments anymore.

This change allows to later-on hand in a Request object
into the PageRenderer and/or continue building a generic
View for rendering content, without marker-based changes.

In addition, the corresponding constants are now marked as
protected.

Resolves: #93003
Releases: master
Change-Id: Ia24c81647d665fdc23a8c961fe89722cf0e5a31d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67033


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

TYPO3 v11 supports PHP 7.4 or higher, some workarounds
regarding same site functionality can be simplified
and removed.

Resolves: #92999
Releases: master
Change-Id: I6ab5e257cfbe595f81693fc60d824bb46e106594
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67009


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

A seldom used (and undocumented) feature to transfer a session
via the GET parameter FE_SESSION_KEY is removed in favor
of custom authentication services when integrating third-party
Single-Sign-On processes.

Resolves: #93002
Releases: master
Change-Id: I8418bdf36ce3dd2ab63edb9a77f2db59beeaac43
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67035


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

The internal methods
* BackendUtility::blindUserNames()
* BackendUtility::blindGroupNames()
* BackendUtility::getBackendScript()
are not in use anymore by TYPO3 Core and are removed.

Also fix Breaking-91473-DeprecatedFunctionalityRemoved.rst
to not reference BackendUtility::getBackendScript() as
breaking removal, as it was an internal method.

Resolves: #93001
Releases: master
Change-Id: Icd280dada15b99266dd6542f8b256f03dc3c992a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67037


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

In order to allow further manipulation of Response objects,
using "throw new ImmediateResponseException" is much
more flexible than calling HttpUtility::redirect() which immediately
stops the PHP process. This way, it is not even possible
for developers to manipulate the response, or even
test this behavior in functional tests with TYPO3 Core.

The change removes all usages of HttpUtility::redirect().
The method will be deprecated at a later stage.

Resolves: #93004
Releases: master
Change-Id: I9bd0db2b2ee0c15b39b38168d67e6d78ba4be2db
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67038


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Gorges <daniel.gorges@b13.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Daniel Gorges <daniel.gorges@b13.com>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

The related HTTP no-cache headers (e.g. when a user is logged in)
are now only set via PSR-15 middlewares (already in place for
Backend Users, but now added for Frontend Users / Sessions as well),
but not directly emitted via "header()" functions anymore.

The next steps for having autonomous tests are:
* Do not send cookies directly anymore
* Double-check backend login cookies and
* Check for ImmediateResponse / HttpUtility::redirect() methods
* Evaluate the HTTP headers emitted inside the Installer.

Resolves: #92997
Releases: master
Change-Id: I7f1e9826b3d61977cb24e4622e0888e301b807e3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67001


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

This allows to add the current request into ALL userFunctions, including
Extbase, where we can then convert the request into an Extbase Request.

Plus, it is injected in all ContentObjects, making it available for subsequent
renderings.

Resolves: #92984
Releases: master
Change-Id: I7ac6872db6ea0ed8838a0d63c18b5fa53407ebed
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66080


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Reviewed-by: Benni Mack <benni@typo3.org>

This patch introduces a PSR-7 compatible response class
which allows users to initiate forwarding to another
extbase controller action.

Returning a ForwardResponse replaces the helper function
forward() in the ActionController.

Releases: master
Resolves: #92815
Change-Id: I37b40d9e3de1125c0173d2115e0224cb1b13dc2f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66564


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>

The context menu shows on right click and pressing the context
menu button as well as Shift+F10 where available. Inside the
menu you are able to navigate using the arrow keys, the home
and end keys. Items are activated with ENTER or SPACE key.

Using the ESC key you can hide the current context menu.

Resolves: #89496
Releases: master
Change-Id: Icb10bdb927d1891785e82929e05e90475a846f08
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66258


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

TYPO3 Core now requires the GuzzleHTTP library
in version v7.2 or higher as this one explicitly states
compatibility with PHP 8.0.

Resolves: #92995
Releases: master
Change-Id: Ib86d8fcdc6d5218269270292f71a819d47d6ef3b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67007


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Indexed search captures search statistics and which words
were searched. However, TYPO3 only evaluates the searched
words, which do not contain any user/IP specific values.

This change removes the personalized tracking information,
as only the word-based statistics are evaluated.

Also the database table "index_stat_search" gets removed.

Resolves: #92993
Releases: master
Change-Id: I7ab5f9d4a23a79b68274db1a709551604f5479fb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66996


Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

In order to set up the dependencies for the upcoming
TYPO3 v11 release, Core now requires symfony components in version
5.2 or higher.

Used composer command:

composer require symfony/mime:^5.2 symfony/mailer:^5.2 symfony/http-foundation:^5.2 symfony/finder:^5.2 symfony/expression-language:^5.2 symfony/dependency-injection:^5.2 symfony/console:^5.2 symfony/config:^5.2 symfony/routing:^5.2 symfony/var-dumper:^5.2 symfony/yaml:^5.2 symfony/property-access:^5.2 symfony/property-info:^5.2 --update-with-all-dependencies

Resolves: #92994
Releases: master
Change-Id: Ia54001583919d2da9b2107e0486fe7744a2ef220
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67006


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Benni Mack <benni@typo3.org>

TYPO3 has native Browser Notification API since a few TYPO3 versions.

However, also due to recent security implementations (permission API)
in browsers, and TYPO3 not strongly using this feature (only for LoginRefresh
when a login is about to expire, and ONLY when this window is not focussed),
this feature is dropped in favor of UX.

Resolves: #92988
Releases: master
Change-Id: I8e92d96bb47bf060f35b06375d8ff49ff131c185
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66997


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

The public property svConfig is just a short-hand variable
for $GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth'],
but should not be accessed from the outside, and is therefore
moved from a public property to a local variable within the
"checkAuthentication" method where it is mainly used.

Resolves: #92990
Releases: master
Change-Id: I1f8cadc36b22e535efb1940c8090ff5e487952bb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67002


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Node 14 is the latest LTS version for NodeJS, and
yarn v1.22 was the latest version for a long time.

Resolves: #92991
Releases: master, 10.4
Change-Id: I7256865717a839cda5ea20be4b67a6a3dca3ede2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66998


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>

The flag AbstractUserAuthentication->loginFailure
is removed. The current plans are to clean up the
AbstractUserAuthentication class, and build separate
concerns as much as possible.

The main "monster" method "checkAuthentication" is now
cleaned up, and the public property "loginFailure" is removed,
as this is handled by a local variable now.

Resolves: #92989
Releases: master
Change-Id: I377baa94d6681fab7de04a74991254156235af52
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66999


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Resolves: #92977
Releases: master, 10.4
Change-Id: I222f2e7e1f3772d72e0da2b9b77f74cd86852086
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66967


Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Marcus Schwemer <ms@schwemer.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Marcus Schwemer <ms@schwemer.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

With #92112, parsing of the pageUid option of the RedirectFinisher has
been restricted to accept only strings as option value. Prior to this
change, one could also define integer values. The previous behavior has
now been restored by explicitly parsing the option value as string and
then parsing it back to an integer.

Resolves: #92800
Related: #92112
Releases: master, 10.4
Change-Id: I88992b309e09757ae24348c6066294effb209505
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66620


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>