- Dec 07, 2020
-
-
Benni Mack authored
A seldom used (and undocumented) feature to transfer a session via the GET parameter FE_SESSION_KEY is removed in favor of custom authentication services when integrating third-party Single-Sign-On processes. Resolves: #93002 Releases: master Change-Id: I8418bdf36ce3dd2ab63edb9a77f2db59beeaac43 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67035 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
-
Benni Mack authored
The internal methods * BackendUtility::blindUserNames() * BackendUtility::blindGroupNames() * BackendUtility::getBackendScript() are not in use anymore by TYPO3 Core and are removed. Also fix Breaking-91473-DeprecatedFunctionalityRemoved.rst to not reference BackendUtility::getBackendScript() as breaking removal, as it was an internal method. Resolves: #93001 Releases: master Change-Id: Icd280dada15b99266dd6542f8b256f03dc3c992a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67037 Tested-by:
-
Benni Mack authored
In order to allow further manipulation of Response objects, using "throw new ImmediateResponseException" is much more flexible than calling HttpUtility::redirect() which immediately stops the PHP process. This way, it is not even possible for developers to manipulate the response, or even test this behavior in functional tests with TYPO3 Core. The change removes all usages of HttpUtility::redirect(). The method will be deprecated at a later stage. Resolves: #93004 Releases: master Change-Id: I9bd0db2b2ee0c15b39b38168d67e6d78ba4be2db Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67038 Tested-by:
Daniel Gorges <daniel.gorges@b13.com> Tested-by:
-
- Dec 05, 2020
-
-
Benni Mack authored
The related HTTP no-cache headers (e.g. when a user is logged in) are now only set via PSR-15 middlewares (already in place for Backend Users, but now added for Frontend Users / Sessions as well), but not directly emitted via "header()" functions anymore. The next steps for having autonomous tests are: * Do not send cookies directly anymore * Double-check backend login cookies and * Check for ImmediateResponse / HttpUtility::redirect() methods * Evaluate the HTTP headers emitted inside the Installer. Resolves: #92997 Releases: master Change-Id: I7f1e9826b3d61977cb24e4622e0888e301b807e3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67001 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
Benni Mack authored
This allows to add the current request into ALL userFunctions, including Extbase, where we can then convert the request into an Extbase Request. Plus, it is injected in all ContentObjects, making it available for subsequent renderings. Resolves: #92984 Releases: master Change-Id: I7ac6872db6ea0ed8838a0d63c18b5fa53407ebed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66080 Tested-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Tested-by:
-
Alexander Schnitzler authored
This patch introduces a PSR-7 compatible response class which allows users to initiate forwarding to another extbase controller action. Returning a ForwardResponse replaces the helper function forward() in the ActionController. Releases: master Resolves: #92815 Change-Id: I37b40d9e3de1125c0173d2115e0224cb1b13dc2f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66564 Tested-by:
Torben Hansen <derhansen@gmail.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
Michael Telgkamp authored
The context menu shows on right click and pressing the context menu button as well as Shift+F10 where available. Inside the menu you are able to navigate using the arrow keys, the home and end keys. Items are activated with ENTER or SPACE key. Using the ESC key you can hide the current context menu. Resolves: #89496 Releases: master Change-Id: Icb10bdb927d1891785e82929e05e90475a846f08 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66258 Tested-by:
-
Benni Mack authored
TYPO3 Core now requires the GuzzleHTTP library in version v7.2 or higher as this one explicitly states compatibility with PHP 8.0. Resolves: #92995 Releases: master Change-Id: Ib86d8fcdc6d5218269270292f71a819d47d6ef3b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67007 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
-
Benni Mack authored
Indexed search captures search statistics and which words were searched. However, TYPO3 only evaluates the searched words, which do not contain any user/IP specific values. This change removes the personalized tracking information, as only the word-based statistics are evaluated. Also the database table "index_stat_search" gets removed. Resolves: #92993 Releases: master Change-Id: I7ab5f9d4a23a79b68274db1a709551604f5479fb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66996 Tested-by:
-
Benni Mack authored
In order to set up the dependencies for the upcoming TYPO3 v11 release, Core now requires symfony components in version 5.2 or higher. Used composer command: composer require symfony/mime:^5.2 symfony/mailer:^5.2 symfony/http-foundation:^5.2 symfony/finder:^5.2 symfony/expression-language:^5.2 symfony/dependency-injection:^5.2 symfony/console:^5.2 symfony/config:^5.2 symfony/routing:^5.2 symfony/var-dumper:^5.2 symfony/yaml:^5.2 symfony/property-access:^5.2 symfony/property-info:^5.2 --update-with-all-dependencies Resolves: #92994 Releases: master Change-Id: Ia54001583919d2da9b2107e0486fe7744a2ef220 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67006 Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
- Dec 04, 2020
-
-
Benni Mack authored
TYPO3 has native Browser Notification API since a few TYPO3 versions. However, also due to recent security implementations (permission API) in browsers, and TYPO3 not strongly using this feature (only for LoginRefresh when a login is about to expire, and ONLY when this window is not focussed), this feature is dropped in favor of UX. Resolves: #92988 Releases: master Change-Id: I8e92d96bb47bf060f35b06375d8ff49ff131c185 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66997 Tested-by:
-
Benni Mack authored
The public property svConfig is just a short-hand variable for $GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth'], but should not be accessed from the outside, and is therefore moved from a public property to a local variable within the "checkAuthentication" method where it is mainly used. Resolves: #92990 Releases: master Change-Id: I1f8cadc36b22e535efb1940c8090ff5e487952bb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67002 Tested-by:
-
Benni Mack authored
Node 14 is the latest LTS version for NodeJS, and yarn v1.22 was the latest version for a long time. Resolves: #92991 Releases: master, 10.4 Change-Id: I7256865717a839cda5ea20be4b67a6a3dca3ede2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66998 Tested-by:
Simon Gilli <typo3@gilbertsoft.org>
-
Benni Mack authored
The flag AbstractUserAuthentication->loginFailure is removed. The current plans are to clean up the AbstractUserAuthentication class, and build separate concerns as much as possible. The main "monster" method "checkAuthentication" is now cleaned up, and the public property "loginFailure" is removed, as this is handled by a local variable now. Resolves: #92989 Releases: master Change-Id: I377baa94d6681fab7de04a74991254156235af52 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66999 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Andreas Fernandez authored
Resolves: #92977 Releases: master, 10.4 Change-Id: I222f2e7e1f3772d72e0da2b9b77f74cd86852086 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66967 Tested-by:
Marcus Schwemer <ms@schwemer.de> Tested-by:
-
Elias Häußler authored
With #92112, parsing of the pageUid option of the RedirectFinisher has been restricted to accept only strings as option value. Prior to this change, one could also define integer values. The previous behavior has now been restored by explicitly parsing the option value as string and then parsing it back to an integer. Resolves: #92800 Related: #92112 Releases: master, 10.4 Change-Id: I88992b309e09757ae24348c6066294effb209505 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66620 Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
-
Sebastian Michaelsen authored
The function is the same as the one in Recycler.ts and is taken from there. The pagination markup is the same, so it also works in the workspaces module. Resolves: #92978 Releases: master, 10.4 Change-Id: If2950c394741061c990f2a28218feada7d87d8fa Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66969 Tested-by:
-
Oliver Hader authored
Due to a type conflict (int vs bool), nested history records (e.g. for pages) have not been shown anymore. Resolves: #92970 Releases: master, 10.4 Change-Id: Iabe8efe447578586edfe2c32ca4c392a81482a00 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66972 Tested-by:
-
Benni Mack authored
This is a pre-cursor for PHP 8.0 support as well as a preliminary change to ensure a smooth upgrade path to doctrine/dbal 3.0 Used composer command * composer req "doctrine/dbal:^2.12" Resolves: #92981 Releases: master Change-Id: Ibcf217d458a669e69c84fa93d4b8ba93461e84e5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66971 Tested-by:
Daniel Haupt <mail@danielhaupt.de> Tested-by:
-
- Dec 03, 2020
-
-
Andreas Fernandez authored
With the introduction of a new datetime picker, the listener for the event `formengine.dp.change` was not attached properly which broke the validation of updated datetime field. The listener is now attached to the datetimer field properly. To avoid introducing jQuery again, the method `FormEngineValidation.markFieldAsChanged` became aware of non-jQuery objects. Resolves: #92913 Related: #91606 Releases: master Change-Id: I3727f362a7d685fdea9bcdf0f1d3b37eca12d424 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66966 Tested-by:
-
- Dec 01, 2020
-
-
Oliver Bartsch authored
The icon of page translation rows in the web_info module "Localization overview" is now also wrapped into a context menu. This furthermore automatically adds the record title as title attribute to the icon, like it's already the case for the default records. Resolves: #92919 Releases: master, 10.4 Change-Id: I6f6ab213bd345d3a3db039c71c548cf7bcc0df56 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66879 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
-
Stefan Frömken authored
Releases: master, 10.4, 9.5 Resolves: #92954 Change-Id: Ibbe19a88a603ac1390601c8e23eae566b44ebc92 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66945 Tested-by:
-
Sebastian Michaelsen authored
Instead of having a hardcoded list of "trees" available in the configuration module a new API is introduced and all existing tree functionalities are moved into separate provider classes to use the new API. Extension authors are now able to add their own providers to expose their custom configuration in the module. It's even possible now to disable existing providers shipped by core or any third-party extension. Each provider is therefore registered in the `Services.yaml` of the specific extension by defining the provider class to be used and adding the `lowlevel.configuration.module.provider` tag with at least the unique `identifier` attribute. All providers must then implement the new `ProviderInterface` to ensure the module can acquire the necessary data to display the tree and the module menu. The registration also provides a ordering / sorting functionality using the DependencyOrderingService. Resolves: #92929 Releases: master Change-Id: I94e81e4b68ff9402444dca9449d251302380fd9f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66899 Tested-by:
-
Georg Ringer authored
Change the from address used in the test task of the scheduler by using the default address configured in `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['defaultMailFromAddress']`. Resolves: #92961 Releases: master, 10.4 Change-Id: Ib4bf998c3180fa1bd2baa5591c340f04198aa026 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66952 Tested-by:
Stefan Froemken <froemken@gmail.com> Tested-by:
-
Christian Kuhn authored
Constants TYPO3_MODE and TYPO3_REQUESTTYPE are unused in core, and we have a new helper method in typo3/testing-framework to execute sub requests. The patch switches all functional tests that execute frontend requests to use a sub request instead of handling standalone PHP processes. This patch is quite a milestone: It is the proof that TYPO3 framework state can be managed well enough to execute multiple TYPO3 application requests in one process. As a happy little side effect, the overall performance of the functional tests is increased by roughly 20 percent. This is quite a bit when considering the fact that most execution time is consumed by setting up all the database tables. Releases: master Resolves: #92966 Related: #92965 Related: #92947 Change-Id: I390baed39502ad3d30c881d6061f8ea0fad3c76c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65514 Tested-by:
-
Christian Kuhn authored
Brings an acceptance test stabilization fix and a functional test API method to execute frontend requests as sub request with core v11 / master. composer require --dev typo3/testing-framework ^6.5.0 Resolves: #92965 Releases: master, 10.4 Change-Id: Ic8600d369f436569658e7cc593c428e6eb70db0a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66960 Tested-by:
-
Christian Kuhn authored
Final patch to deprecate TYPO3_MODE and TYPO3_REQUESTTYPE with an excessive changelog file to explain details and migration for extension developers. Resolves: #92947 Related: #92948 Related: #92951 Related: #92949 Related: #92952 Related: #92953 Releases: master Change-Id: Id0570582aa08dd34faea3506d5ef8bc85afdda33 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66948 Tested-by:
-
- Nov 30, 2020
-
-
Christian Kuhn authored
Drop all usages of TYPO3_MODE and TYPO3_REQUESTTYPE by using the ApplicationType helper class when frontend or backend is detected, and by directly using the applicationType attribute of the request object in a couple of special cases that check for backend ajax or install tool. Resolves: #92953 Related: #92951 Related: #92947 Releases: master Change-Id: I98c9d5ef0e7a6409b01188ddd0bbcf94f159cbcd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66895 Tested-by:
-
Alexander Schnitzler authored
In the past, Extbase controller actions could return either void, null, a string, or an object that implemented the __toString() method. All those return types are now deprecated in favor of an instance of \Psr\Http\Message\ResponseInterface (PSR-7). Response objects can be created in the controller by using the response factory which is injected into all action controllers. Alternatively, custom response objects can be declared and used as long as they implement the interface and are therefore PSR-7 compatible. Releases: master Resolves: #92784 Change-Id: If1e778c29f870fd0e78d253f0cfcff359a0babae Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66553 Tested-by:
-
- Nov 29, 2020
-
-
Christian Kuhn authored
Code in ext_localconf.php must not create different framework state depending on the (frontend or backend) application type. The ApplicationType helper class does not work at this point in bootstrap, since the PSR-7 request object has not been created, yet. Solution is to always register the admin panel logger, and to decide within the logger instance if an incoming log record should be handled. Resolves: #92952 Related: #92951 Related: #92947 Releases: master Change-Id: If0834abff33d5ed1fa4f0e18c0f76c252db4013c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66943 Reviewed-by:
-
Christian Kuhn authored
The cardinal issue with constant 'TYPO3_MODE' is that it's value is NOT constant: It is defined early during bootstrap and derived from information that is hand over from entry point index.php's. Depending on this, value is either 'FE' or 'BE'. Using that constant or the related constant 'TYPO3_REQUESTTYPE' makes it impossible to change scope from backend to frontend in one PHP call. This actively blocks executing sub requests, use cases are for instance executing a frontend request within a running backend call (eg. view module), or executing frontend requests from cli (eg. some indexer). Dropping 'TYPO3_MODE' and its friends is thus a requirement to finally allow such scenarios. We can't get rid of the distinction between 'frontend' and 'backend' altogether since some legit use cases like different paths or security settings depend on it. Looking at TYPO3 bootstrap, the only class that 'knows' if it's frontend or backend are the Application classes of ext:frontend and ext:backend. They are the PSR-15 entry points, they create a first PSR-7 request object if it has not been given, and then call the PSR-15 middleware stack dispatcher to create a PSR-7 response, starting with this first request object. The solution to get rid of 'TYPO3_MODE' is to add the information 'I am a frontend or backend request' as attribute to the request object in the Application classes. To simplify things, the helper class ApplicationType is introduced that answers isFrontend() and isBackend() for a given request object. Documentation changelog files with full details on the impact of this change will be added with an upcoming patch that deprecates the constants in master. This patch targets master and v10: 'TYPO3_MODE' is used in extensions quite often. Having the API in both v10 and v11 helps extension developers to deliver deprecation free extensions that are compatible with both v10 and v11 in one version. Codewise, neither the 'applicationType' attribute nor the helper class harm in v10. Resolves: #92951 Related: #92947 Releases: master, 10.4 Change-Id: Ia4ea637b252b774cf72492402e6be52ee4695242 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66942 Tested-by:
-
Christian Kuhn authored
Avoid usage of constant 'TYPO3_MODE' as security gate in script files that don't run in class or callable context. Use new constant 'TYPO3' instead. Resolves: #92949 Related: #92947 Related: #92948 Releases: master Change-Id: I95618793ed29b4b71e9e97ea8da124924d6753fc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66938 Tested-by:
-
- Nov 28, 2020
-
-
Christian Kuhn authored
TYPO3 still has some script files that run in global scope without class or callable encapsulation. Those are especially ext_localconf.php, ext_tables.php and Configuration/TCA/Overrides/* script files. When those files are located within document root, they can be called directly via HTTP and may output something, which can be a security risk. To prevent this, they have a call at the very start: 'defined('TYPO3_MODE') or die();'. Unfortunately, constant 'TYPO3_MODE' is a technical debt, core tries to phase it out in v11. We thus need something equivalent for these calls. Since that test for existance of a constant is so simple and straight forward, the solution is to define a new constant to true, simply named 'TYPO3', to substitute 'TYPO3_MODE'. The call is very similar: 'defined('TYPO3') or die();'. The patch targets core master and v10: Having that constant in v10 simplifies life of extension developers who want to deliver extensions compatible with v10 and v11 in the same version, when 'TYPO3_MODE' constant is deprecated in v11 with upcoming patches. Resolves: #92948 Related: #92947 Releases: master, 10.4 Change-Id: Ib7b438422a41e242cf49cd4f87a6f8c50a9907d3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66937 Tested-by:
-
- Nov 27, 2020
-
-
Andreas Fernandez authored
If may happen that the flatpickr is rendered behind a checkbox of nullable values in FormEngine due to conflicts in z-index. This patch increases the z-index of flatpickr. Resolves: #92912 Releases: master Change-Id: I632b424e6d00c48b5aef48ec1a15fdb7149f509a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66932 Tested-by:
okmiim <okmiim@live.de> Tested-by:
-
Daniel Goerz authored
A phpstan related patch revealed a flaw in EXT:form PropertyMappingConfiguration when an "EXT:" path was passed to the FAL ResourceFactory. Instead of relying on the InvalidArgumentException this patch now prevents the invalid argument from being passed in the first place. Resolves: #92908 Related: #92264 Releases: master, 10.4 Change-Id: I09ff5e28c28e8bbc2de954c1b9077969befb3646 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66852 Tested-by:
-
Oliver Bartsch authored
Calling `AbstractTreeView::getIcon()` with the records uid as first argument is deprecated. This helps to increase type safety through the core and also properly reflects the expected value for the parameter, as its name is `$row`. Side note: There was no benefit in providing just the records uid since the full record was fetched in that case anyways internally, but without adding any restrictions or respecting any overlays. Because the method returns a string in any case, the return type is furthermore added to the method signature. Resolves: #92922 Releases: master Change-Id: I60ccaf17d8244a2a86fb3b9bc377ce19a6a58e69 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66892 Tested-by:
-
Oliver Bartsch authored
Add the missing "delete" button to the RegularExpression validator for form elements "Telephone" and "Url", allowing to remove a previously manually added validator again. Note: The "Email" and "Number" form elements do both also include validators which are missing the "delete" button. But since this validators (email validator respectively number validator) are added automatically on form element creation, it's considered intended behaviour. Only validators which were added manually must provide the option to delete them again. Resolves: #92916 Releases: master, 10.4 Change-Id: I56969395ccb8237af6b48ed1793e1af9afc21423 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66877 Tested-by:
-
- Nov 26, 2020
-
-
Benni Mack authored
The UserTsConfig setting `options.lockToIP` is removed, which was only active the global setting $GLOBALS['TYPO3_CONF_VARS']['BE']['enabledBeUserIPLock'] was active. Happy Eyeballs makes this feature very useless, but if this is still needed, it should be rather implemented as an individual AuthenticationService or PSR-15 middleware than evaluated separately. Resolves: #92941 Releases: master Change-Id: I1e2be7784a3c4b54573b3c3118db1fb3109b0ddc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66640 Tested-by:
-
Benni Mack authored
The global configuration option, which is always active by default, restricts ALL non-administrators to be locked in to their webroots (DB mounts). Disabling this option would allow any editor to see the whole page tree, overriding most of the concepts used in TYPO3 Backend and permission handling. As stated in the description of the option, it is highly recommended for security reasons to leave this option enabled. This option is removed to streamline TYPO3's permission handling. Resolves: #92940 Releases: master Change-Id: I15f6538bdb34077a99cb8d2db7a21e60492bb923 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66908 Tested-by:
-
Remo Schneider authored
The `makeSearchStringConstraints` hook in DatabaseRecordList expects a class name to be given as value. The method to be called on the instantiated hook object is fix and can not be provided in the hook registration. Releases: master, 10.4, 9.5 Resolves: #92938 Change-Id: I43b0b553901019fa299bb4c9632722cf2beb759f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66907 Tested-by:
-
