Resolves: #56438
Releases: 6.2
Change-Id: Ic5a22f6ded5bf3b5d8a6442497444296a6b3bfaa
Reviewed-on: https://review.typo3.org/27947
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

\TYPO3\CMS\T3editor\Hook\FileEditHook::save() requires
init.php which is not necessary at all as the method
itself is only called through ajax.php, which requires
init.php itself anyway.

Resolves: #55676
Releases: 6.2
Change-Id: Iaaf0805b73ebbb97e6689bcaa8064dc350187e66
Reviewed-on: https://review.typo3.org/27848
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Oliver Klee
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Resolves: #56435
Releases: 6.2
Change-Id: I180929980ade8c26a6e086f2f65d2e76cbeb19cd
Reviewed-on: https://review.typo3.org/27942
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Change-Id: Ia7db1d1b3613badc84ca3ee44ce68c154004f135
Resolves: #56080
Releases: 6.2
Reviewed-on: https://review.typo3.org/27702
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Extbase logged a code smell with a severity of 1320177676
instead of 1 ("notice").

Change-Id: If28c2d66713bdedb3094af22f8f7a00a504d995d
Resolves: #56378
Releases: 4.7, 6.0, 6.1, 6.2
Reviewed-on: https://review.typo3.org/27895
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Oliver Klee
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

With the introduction of FAL the files and folders are
objects and so there is more info than just a name/extension
to determine the right icon. And with file_metadata
you have the possibility to even add more info to
a file (access rights etc).

This patch adds a new method to the IconUtility API for
generating the sprite icon for a resource. There is also
a hook where other extensions can hook in and change
the icon, options and overlays.

Furthermore, all calls in the core are changed to
IconUtility::getSpriteIconForFile where a
File or Folder object was available.

Resolves: #56211
Documentation: #56412
Releases: 6.2
Change-Id: Ifae61dd65d690fffd90c66568e2647ebd403bce5
Reviewed-on: https://review.typo3.org/27790
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
Reviewed-by: Markus Klein
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Resolves: #56434
Releases: 6.2
Change-Id: Ia776874ca247b11a769a1c17ee1e6ec65047ac4c
Reviewed-on: https://review.typo3.org/27941
Reviewed-by: Alexander Schnitzler
Tested-by: Alexander Schnitzler
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Resolves: #56432
Releases: 6.2
Change-Id: Id78b3182ed6710a09a82ce69bd1f5b72f9e2a3e0
Reviewed-on: https://review.typo3.org/27939
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Adjust the @return documentation of authUser() to match the actual
implementation in
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication

Change-Id: I2d94cdfee6c58de80c7ec2be2b644b5fcd6c9a97
Resolves: #56421
Releases: 6.0, 6.1, 6.2
Reviewed-on: https://review.typo3.org/27931
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Oliver Klee
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

It was not possible anymore to use the "add new record" button
in TCA select fields on records with pid > 0.

This patch makes it work again; the redirect to the original page
gets prevented when a pid is set. This was handled the same way
in 4.6 and 6.1.

Change-Id: Iec058818405385efdacaebf5080f339371356810
Resolves: #56248
Related: #54085
Releases: 6.2
Reviewed-on: https://review.typo3.org/27935
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Double quotes must not be used around JS code
created by GeneralUtility::quoteJSvalue()

Resolves: #56406
Releases: 6.2
Change-Id: Ideff0a2ca475dad140a904a770561fa75f4019b9
Reviewed-on: https://review.typo3.org/27924
Reviewed-by: Thomas Sperling
Tested-by: Thomas Sperling
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

The backend ajax handler that are directly registered
in DefaultConfiguration.php are now CSRF protected
if necessary.

Resolves: #56356
Releases: 6.2
Change-Id: Ia592f7f2b51c20326600b97d2ce10a5e5fdbfde7
Reviewed-on: https://review.typo3.org/27877
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Although the order of GET parameters in the URL
does not matter, the M parameter should come first
in the URL.

Resolves: #56404
Releases: 6.2
Change-Id: Id79f2f55fff2430ecce8a76bbba526dc7d175b40
Reviewed-on: https://review.typo3.org/27916
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Nicole Cordes
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

The order of GET parameters changed, so we have
to adapt the tests.

Resolves: #56403
Releases: 6.2
Change-Id: I6fb8d231c71fa020677313127d453be3eab500ce
Reviewed-on: https://review.typo3.org/27917
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

This change adds API to register Ajax ids with
their handler and to get an Ajax URL for
a specific AjaxID.

A token check is added to the ajax.php dispatcher
script. To stay backwards compatible, the token
is only checked, if the AjaxId is registered not
using the new API.

The new API will be used by TYPO3 core in
consecutive changes.

Resolves: #56345
Documentation: #56347
Releases: 6.2
Change-Id: I188a9312b0f4239040e461ba09dc9c8f2b93a68b
Reviewed-on: https://review.typo3.org/27873
Reviewed-by: Wouter Wolters
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Adds a new SignalSlot possibility after the init method call.

Resolves: #56381
Releases: 6.2
Change-Id: I2357f81c40b123a7cd2eef57ef142a9e934dbc35
Reviewed-on: https://review.typo3.org/27896
Reviewed-by: Julian Kleinhans
Tested-by: Julian Kleinhans
Reviewed-by: Tomas Norre Mikkelsen
Reviewed-by: Erik Frister
Reviewed-by: Joh. Feustel
Reviewed-by: Stefan Rotsch
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

The option security_level option was deprecated
since 4.7 and can now be removed.

Also do some cleanup in related code.

Releases: 6.2
Resolves: #56256
Change-Id: I48dcb788ca654aea14fb7125128c564fd373b550
Reviewed-on: https://review.typo3.org/27825
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The process of updating the TER
extension list takes approx 1 minute
because the extension manager needs
to mark all "latest versions". This is done
via a large UPDATE query on fields
without indices, additionally this is done
in PHP and not in SQL with a
simple subselect.

Additionally the SQL file does not set
appropriate indices at all, which is also
done in this patch.

Releases: 6.2
Resolves: #56354
Change-Id: Ic46994fa1b16cce9912950520955185f3f95fe1a
Reviewed-on: https://review.typo3.org/27876
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The sorting by filename in the filelist is broken since the
introduction of sys_file_metadata. It tries to sort the file list
by property file. Before sys_file_metadata it couldn't find this
property and sorted by the default value name. But after introduction
of sys_file_metadata it has an property file, his own sys_file uid.

This patch fixes the sorting behaviour when sorting by filename.

Resolves: #56128
Releases: 6.2
Change-Id: Icd25bc2aafed4baafbaa7d9f87ce755fe9e64579
Reviewed-on: https://review.typo3.org/27881
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Frans Saris
Tested-by: Frans Saris

The compatibility layer introduced in #55809
causes trouble with the user switch feature.

User switch intentionally redirects to index.php
but the compatibility layer kicks in and redirects
back to the user module, finally leading to an
endless redirect.

This can be resolved by checking for modules which
have been changed and need that compatibility layer.

Resolves: #56364
Releases: 6.2
Change-Id: I74d8c57335af66068383b49dc7d43ea480e631b8
Reviewed-on: https://review.typo3.org/27897
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert
Reviewed-by: Oliver Hader
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

FileListLocalisation.js was moved from backend to filelist
with #55810, but it was forgotten to adapt the reference
in InlineElement.

Resolves: #55979
Releases: 6.2
Change-Id: I102ffe25c255f8ac39a49d4022ee3ab73ff1914c
Reviewed-on: https://review.typo3.org/27861
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Frans Saris
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

This reverts commit 9974f36d.

The 401 header code is used with HTTP based authentication schemes,
based on RFC 2617.

This is not the case here.

Resolves: #55966
Reverts: #51803
Releases: 6.2, 6.1, 6.0, 4.5
Change-Id: I134f0f1d575f3e8d4c37c2af62df8eca3f01f817
Reviewed-on: https://review.typo3.org/27888
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

The absolute link generated for mailings to
workspace editors misses the page id.

The uid has been accidentally removed with
commit for #56359

Resolves: #56375
Releases: 6.2
Change-Id: I521aee2b96c542c27a911ffeab5d9bfffc8b9a46
Reviewed-on: https://review.typo3.org/27893
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

During the addition of the token check for mod.php
some places have been missed where a correct
token needs to be added.

Resolves: #56359
Releases: 6.2
Change-Id: I435cb36641fe96ecf050c915d200f94cbb31ce9f
Reviewed-on: https://review.typo3.org/27883
Reviewed-by: Markus Klein
Tested-by: Markus Klein

At some points where a file object is retrieved, a check for
the interpretation as integer is done for the method
argument only. If the argument is 0 a exception will be
thrown from the ResourceFactory.
A file object should only be fetched if the uid is an integer
greater than zero.

Resolves: #55530
Releases: 6.2
Change-Id: I9399d58bac4a48344769ac00207b64e25eea630e
Reviewed-on: https://review.typo3.org/27304
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein

In #30272 the backend formprotection has been changed
to not save flash messages in the user session if
the current request is an Ajax request.

Unfortunately the check for that is broken
since the TYPO3_AJAX global is reset in the
bootstrap now.

Introduce a method which uses the request type
constants and adapt the tests accordingly.

Resolves: #56357
Releases: 6.2
Change-Id: Idae8be036b3747ea71509cc37008a4d694390627
Reviewed-on: https://review.typo3.org/27879
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

The directory selector in a file collection now displays the folders
of all filemounts of a user. Before only the folders of the first
filemount were displayed.

Resolves: #55414
Releases: 6.2
Change-Id: Ic47f5163e2cfc7c89edcba4119f06620ed0fd56e
Reviewed-on: https://review.typo3.org/27119
Reviewed-by: Wouter Wolters
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Frans Saris
Tested-by: Frans Saris

Add a token check in mod.php and token generation
to BackendUtility::getModuleUrl()

Adapt code to use BackendUtility::getModuleUrl()
in every place where links are hardcoded.

Releases: 6.2
Resolves: #55509
Change-Id: I952c40fc1004a0a8d77c929927d37e1d93dcfef4
Reviewed-on: https://review.typo3.org/27636
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The DataHandler function checkRecordInsertAccess() does
now check the configuration for the root level.

Resolves: #52386
Releases: 6.2, 6.1, 6.0
Change-Id: I1810ea847e631ea6b242346a0271f491fd60fdf9
Reviewed-on: https://review.typo3.org/24166
Reviewed-by: Leon de Rijke
Tested-by: Leon de Rijke
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Upload action was taken care of, but the ajax handler can be just
for all commands that ExtendedFileUtility->processData can handle.

This change checks the result set and flattens
data only when needed.

Resolves: #56084
Releases: 6.2, 6.1
Change-Id: Ic1a0bd9084b9eb206b9b53960890d22d2a9c56f5
Reviewed-on: https://review.typo3.org/27739
Reviewed-by: Alexander Schnitzler
Tested-by: Alexander Schnitzler
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Resolves: #56294
Releases: 6.2
Change-Id: I1d86f1899447feaa301474f4ed247a0ecc6c1a6e
Reviewed-on: https://review.typo3.org/27859
Reviewed-by: Markus Klein
Tested-by: Markus Klein

getTreeList calls intExplode which converts empty
arrays to 0. This patch removes empty arrays
within intExplode.

Resolves: #55384
Releases: 6.2
Change-Id: Id4ca1a15edf2cc2617d85bda765461c4cb1f105c
Reviewed-on: https://review.typo3.org/27089
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack

The lowlevel array browser tries to modify the array that
is displayed if it's an object.
Now that TYPO3_LOADED_EXT is a simulated array (an object
which implements array access) modifying the data leads to
a fatal error. Instead the iterated value is now modified.

Releases: 6.2
Resolves: #54449
Change-Id: Ib1d3eb5cc76a4180ea0891d88c16191cd16f36e2
Reviewed-on: https://review.typo3.org/27850
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

The functionality for having to deal with
browsers that did not support style="width: XYpx"
is not needed anymore, as any browser supported
in the TYPO3 universe can deal with that (even IE6).

This patch cleans up all the areas that dealt with
that part. Also, one dummy function in
FormEngine.php has been removed completely,
another in DocumentTemplate.php has been
deprecated.

Releases: 6.2
Resolves: #56254
Change-Id: I6f47a5f7cabfd340088c242f1ee15b83c7cba0fe
Reviewed-on: https://review.typo3.org/27824
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack

Resolves: #56290
Releases: 6.2
Change-Id: I85348aea9fd514b9774b63846f444fcb9a8310e4
Reviewed-on: https://review.typo3.org/27856
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Fix for #41413 did not remove a superfluous parentheses.
This is causing a JS error now.

Backports of the original patch are fixed already.

Resolves: #56289
Releases: 6.2
Change-Id: Iff0e73a28c9428d931f44b538106b6120ccc4e6a
Reviewed-on: https://review.typo3.org/27854
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Installing TYPO3 with an Oracle database (oci8) fails.
After selecting oci8 and passing the credentials,
the install wizard crashes with:

PHP Fatal error: Cannot use object of type
TYPO3\CMS\Core\Configuration\ConfigurationManager as array in
typo3/sysext/install/Classes/Controller/Action/Step/DatabaseConnect.php
on line 93

Obviously $config got mixed up with $configurationManager.
Fix this typo.

Resolves: #56253
Releases: 6.2
Change-Id: I58c1bc27f56b9a527d1d8fde7cf39b4ecd3ef7b6
Reviewed-on: https://review.typo3.org/27846
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Reviewed-by: Steffen Müller
Tested-by: Steffen Müller

The paginator in the extension list from TER is transformed into
using Ajax. This fails because this process searches for links inside
a class which is used by the frontend paginator widget. Changing it to
the id of the backend paginator widget makes the ajax calls work again.

Resolves: #56184
Releases: 6.2, 6.1, 6.0
Change-Id: I06c193b2657eb3edae623dc0126b06c240f486c6
Reviewed-on: https://review.typo3.org/27843
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

The security fix introduced a bug that the title is encoded
every time the link wizard is opened, leading to multiple
encoded strings.

Solution is to not encode it centrally but encode it just
before using it in the JavaScript context.

Fixes: #41413
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Change-Id: I6b08db290d5457761edc4506105672d79840764d
Reviewed-on: https://review.typo3.org/23740
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Oliver Klee
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

There are 3 methods in ElementBrowser which are never used in the core.
We deprecate them, so they can be removed two versions later.

The methods are:
 * checkFolder
 * isWebFolder
 * setRecordList

Releases: 6.2
Resolves: #55985
Change-Id: I3e4f34e7ebaba9e8eeb0332e9f43c0e4acd2e706
Reviewed-on: https://review.typo3.org/27847
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Oliver Klee
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters