The DataProviderTest calls BackendUtility::isRecordLocked
statically. We cannot mock that call, but we can
"mock" a locked record so that BackendUtility::isRecordLocked
does not query the database.

Resolves: #56472
Releases: 6.2
Change-Id: I268a7a900a0f2dcbf248f6a4d856354c7b1cdcd6
Reviewed-on: https://review.typo3.org/27975
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Introduces two new upgrade wizards in the Install tool.

The first wizard - added as first step of the upgrade wizards - adds
tables, fields and keys to comply to the database schema. When this is
necessary no other wizards can be executed until these are created.

The second wizard - added as last step of the upgrade wizards - changes
tables, fields and keys to comply to the database schema. When other
upgrade wizards are available, this one is not available to make sure
they have all necessary fields.

In order to make sure they are added as first and last step they are
added in UpdateWizard instead of ext_localconf.php.

The former "Final step" is now optional and has been renamed to "Hint".
The buttons to start the update wizards from the list have been renamed
from "Next" to "Execute".

Resolves: #53890
Releases: 6.2
Change-Id: I866b558df3325acca3122bbd4e0c2285447fcdf3
Reviewed-on: https://review.typo3.org/27240
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Keeping the old wizard script would not solve
the CSRF attack vector as they could still
be referenced in this kind of attack.

Because of that, we remove them now.

This change provides a backwards compatibility
layer in FormsEngine which takes care of rewriting
URLs which have been referenced in TCA.

Also the priority is changed in code. This means
that extension authors can reference both
configurations to stay compatible with older
TYPO3 versions.

It will however break code which link to the
old scripts directly in other places.

Resolves: #56454
Releases: 6.2
Change-Id: I15f5d929f16fdd53a8b87cd32440a3d6ce59b6ed
Reviewed-on: https://review.typo3.org/27956
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Since optimizing the retrieval of Storages the
findByStorageType() doesn't find any (also right ones)
storage, because of a wrong comparison.
This fixes also the localDriverStorageCache in
ResourceFactory, finding a bestMatchingStorageByLocalPath
in ResourceFactory, getting the right storage for a local
path as fileIdentifier and creation of duplicate entries 
in sys_file with storage 0.

Resolves: #56400
Releases: 6.2
Change-Id: I75ac357dff498f1a209d4c42896bdeddab3641ad
Reviewed-on: https://review.typo3.org/27915
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Resolves: #56436
Releases: 6.2
Change-Id: Ia789abbbdf7ab11a4ab13ea6aa195bc79ba6dc25
Reviewed-on: https://review.typo3.org/27945
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

There is a undefined variable $multiSelectId in FormEngine. This
is introduced with #46357

Resolves: #56457
Releases: 6.2
Change-Id: I88fd4f9b36e6421b338011a1cc31c22987019dc9
Reviewed-on: https://review.typo3.org/27959
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The new wizards scripts lacked a proper description.
Add the description the original files had.

Related: #56431
Releases: 6.2
Change-Id: I482d0a8c11d827c3e14da140d800df6d2caeefdc
Reviewed-on: https://review.typo3.org/27957
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Resolves: #56437
Releases: 6.2
Change-Id: I0eea59f46c74fe50eb2554898a9f64fa2a26a9b1
Reviewed-on: https://review.typo3.org/27951
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Resolves: #56438
Releases: 6.2
Change-Id: Ic5a22f6ded5bf3b5d8a6442497444296a6b3bfaa
Reviewed-on: https://review.typo3.org/27947
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

\TYPO3\CMS\T3editor\Hook\FileEditHook::save() requires
init.php which is not necessary at all as the method
itself is only called through ajax.php, which requires
init.php itself anyway.

Resolves: #55676
Releases: 6.2
Change-Id: Iaaf0805b73ebbb97e6689bcaa8064dc350187e66
Reviewed-on: https://review.typo3.org/27848
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Oliver Klee
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Resolves: #56435
Releases: 6.2
Change-Id: I180929980ade8c26a6e086f2f65d2e76cbeb19cd
Reviewed-on: https://review.typo3.org/27942
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Change-Id: Ia7db1d1b3613badc84ca3ee44ce68c154004f135
Resolves: #56080
Releases: 6.2
Reviewed-on: https://review.typo3.org/27702
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Extbase logged a code smell with a severity of 1320177676
instead of 1 ("notice").

Change-Id: If28c2d66713bdedb3094af22f8f7a00a504d995d
Resolves: #56378
Releases: 4.7, 6.0, 6.1, 6.2
Reviewed-on: https://review.typo3.org/27895
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Oliver Klee
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

With the introduction of FAL the files and folders are
objects and so there is more info than just a name/extension
to determine the right icon. And with file_metadata
you have the possibility to even add more info to
a file (access rights etc).

This patch adds a new method to the IconUtility API for
generating the sprite icon for a resource. There is also
a hook where other extensions can hook in and change
the icon, options and overlays.

Furthermore, all calls in the core are changed to
IconUtility::getSpriteIconForFile where a
File or Folder object was available.

Resolves: #56211
Documentation: #56412
Releases: 6.2
Change-Id: Ifae61dd65d690fffd90c66568e2647ebd403bce5
Reviewed-on: https://review.typo3.org/27790
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
Reviewed-by: Markus Klein
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Resolves: #56434
Releases: 6.2
Change-Id: Ia776874ca247b11a769a1c17ee1e6ec65047ac4c
Reviewed-on: https://review.typo3.org/27941
Reviewed-by: Alexander Schnitzler
Tested-by: Alexander Schnitzler
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Resolves: #56432
Releases: 6.2
Change-Id: Id78b3182ed6710a09a82ce69bd1f5b72f9e2a3e0
Reviewed-on: https://review.typo3.org/27939
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Adjust the @return documentation of authUser() to match the actual
implementation in
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication

Change-Id: I2d94cdfee6c58de80c7ec2be2b644b5fcd6c9a97
Resolves: #56421
Releases: 6.0, 6.1, 6.2
Reviewed-on: https://review.typo3.org/27931
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Oliver Klee
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

It was not possible anymore to use the "add new record" button
in TCA select fields on records with pid > 0.

This patch makes it work again; the redirect to the original page
gets prevented when a pid is set. This was handled the same way
in 4.6 and 6.1.

Change-Id: Iec058818405385efdacaebf5080f339371356810
Resolves: #56248
Related: #54085
Releases: 6.2
Reviewed-on: https://review.typo3.org/27935
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Double quotes must not be used around JS code
created by GeneralUtility::quoteJSvalue()

Resolves: #56406
Releases: 6.2
Change-Id: Ideff0a2ca475dad140a904a770561fa75f4019b9
Reviewed-on: https://review.typo3.org/27924
Reviewed-by: Thomas Sperling
Tested-by: Thomas Sperling
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

The backend ajax handler that are directly registered
in DefaultConfiguration.php are now CSRF protected
if necessary.

Resolves: #56356
Releases: 6.2
Change-Id: Ia592f7f2b51c20326600b97d2ce10a5e5fdbfde7
Reviewed-on: https://review.typo3.org/27877
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Although the order of GET parameters in the URL
does not matter, the M parameter should come first
in the URL.

Resolves: #56404
Releases: 6.2
Change-Id: Id79f2f55fff2430ecce8a76bbba526dc7d175b40
Reviewed-on: https://review.typo3.org/27916
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Nicole Cordes
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

The order of GET parameters changed, so we have
to adapt the tests.

Resolves: #56403
Releases: 6.2
Change-Id: I6fb8d231c71fa020677313127d453be3eab500ce
Reviewed-on: https://review.typo3.org/27917
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

This change adds API to register Ajax ids with
their handler and to get an Ajax URL for
a specific AjaxID.

A token check is added to the ajax.php dispatcher
script. To stay backwards compatible, the token
is only checked, if the AjaxId is registered not
using the new API.

The new API will be used by TYPO3 core in
consecutive changes.

Resolves: #56345
Documentation: #56347
Releases: 6.2
Change-Id: I188a9312b0f4239040e461ba09dc9c8f2b93a68b
Reviewed-on: https://review.typo3.org/27873
Reviewed-by: Wouter Wolters
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Adds a new SignalSlot possibility after the init method call.

Resolves: #56381
Releases: 6.2
Change-Id: I2357f81c40b123a7cd2eef57ef142a9e934dbc35
Reviewed-on: https://review.typo3.org/27896
Reviewed-by: Julian Kleinhans
Tested-by: Julian Kleinhans
Reviewed-by: Tomas Norre Mikkelsen
Reviewed-by: Erik Frister
Reviewed-by: Joh. Feustel
Reviewed-by: Stefan Rotsch
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

The option security_level option was deprecated
since 4.7 and can now be removed.

Also do some cleanup in related code.

Releases: 6.2
Resolves: #56256
Change-Id: I48dcb788ca654aea14fb7125128c564fd373b550
Reviewed-on: https://review.typo3.org/27825
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The process of updating the TER
extension list takes approx 1 minute
because the extension manager needs
to mark all "latest versions". This is done
via a large UPDATE query on fields
without indices, additionally this is done
in PHP and not in SQL with a
simple subselect.

Additionally the SQL file does not set
appropriate indices at all, which is also
done in this patch.

Releases: 6.2
Resolves: #56354
Change-Id: Ic46994fa1b16cce9912950520955185f3f95fe1a
Reviewed-on: https://review.typo3.org/27876
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The sorting by filename in the filelist is broken since the
introduction of sys_file_metadata. It tries to sort the file list
by property file. Before sys_file_metadata it couldn't find this
property and sorted by the default value name. But after introduction
of sys_file_metadata it has an property file, his own sys_file uid.

This patch fixes the sorting behaviour when sorting by filename.

Resolves: #56128
Releases: 6.2
Change-Id: Icd25bc2aafed4baafbaa7d9f87ce755fe9e64579
Reviewed-on: https://review.typo3.org/27881
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Frans Saris
Tested-by: Frans Saris

The compatibility layer introduced in #55809
causes trouble with the user switch feature.

User switch intentionally redirects to index.php
but the compatibility layer kicks in and redirects
back to the user module, finally leading to an
endless redirect.

This can be resolved by checking for modules which
have been changed and need that compatibility layer.

Resolves: #56364
Releases: 6.2
Change-Id: I74d8c57335af66068383b49dc7d43ea480e631b8
Reviewed-on: https://review.typo3.org/27897
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert
Reviewed-by: Oliver Hader
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

FileListLocalisation.js was moved from backend to filelist
with #55810, but it was forgotten to adapt the reference
in InlineElement.

Resolves: #55979
Releases: 6.2
Change-Id: I102ffe25c255f8ac39a49d4022ee3ab73ff1914c
Reviewed-on: https://review.typo3.org/27861
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Frans Saris
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

This reverts commit 9974f36d.

The 401 header code is used with HTTP based authentication schemes,
based on RFC 2617.

This is not the case here.

Resolves: #55966
Reverts: #51803
Releases: 6.2, 6.1, 6.0, 4.5
Change-Id: I134f0f1d575f3e8d4c37c2af62df8eca3f01f817
Reviewed-on: https://review.typo3.org/27888
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

The absolute link generated for mailings to
workspace editors misses the page id.

The uid has been accidentally removed with
commit for #56359

Resolves: #56375
Releases: 6.2
Change-Id: I521aee2b96c542c27a911ffeab5d9bfffc8b9a46
Reviewed-on: https://review.typo3.org/27893
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

During the addition of the token check for mod.php
some places have been missed where a correct
token needs to be added.

Resolves: #56359
Releases: 6.2
Change-Id: I435cb36641fe96ecf050c915d200f94cbb31ce9f
Reviewed-on: https://review.typo3.org/27883
Reviewed-by: Markus Klein
Tested-by: Markus Klein

At some points where a file object is retrieved, a check for
the interpretation as integer is done for the method
argument only. If the argument is 0 a exception will be
thrown from the ResourceFactory.
A file object should only be fetched if the uid is an integer
greater than zero.

Resolves: #55530
Releases: 6.2
Change-Id: I9399d58bac4a48344769ac00207b64e25eea630e
Reviewed-on: https://review.typo3.org/27304
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein

In #30272 the backend formprotection has been changed
to not save flash messages in the user session if
the current request is an Ajax request.

Unfortunately the check for that is broken
since the TYPO3_AJAX global is reset in the
bootstrap now.

Introduce a method which uses the request type
constants and adapt the tests accordingly.

Resolves: #56357
Releases: 6.2
Change-Id: Idae8be036b3747ea71509cc37008a4d694390627
Reviewed-on: https://review.typo3.org/27879
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

The directory selector in a file collection now displays the folders
of all filemounts of a user. Before only the folders of the first
filemount were displayed.

Resolves: #55414
Releases: 6.2
Change-Id: Ic47f5163e2cfc7c89edcba4119f06620ed0fd56e
Reviewed-on: https://review.typo3.org/27119
Reviewed-by: Wouter Wolters
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Frans Saris
Tested-by: Frans Saris

Add a token check in mod.php and token generation
to BackendUtility::getModuleUrl()

Adapt code to use BackendUtility::getModuleUrl()
in every place where links are hardcoded.

Releases: 6.2
Resolves: #55509
Change-Id: I952c40fc1004a0a8d77c929927d37e1d93dcfef4
Reviewed-on: https://review.typo3.org/27636
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The DataHandler function checkRecordInsertAccess() does
now check the configuration for the root level.

Resolves: #52386
Releases: 6.2, 6.1, 6.0
Change-Id: I1810ea847e631ea6b242346a0271f491fd60fdf9
Reviewed-on: https://review.typo3.org/24166
Reviewed-by: Leon de Rijke
Tested-by: Leon de Rijke
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Upload action was taken care of, but the ajax handler can be just
for all commands that ExtendedFileUtility->processData can handle.

This change checks the result set and flattens
data only when needed.

Resolves: #56084
Releases: 6.2, 6.1
Change-Id: Ic1a0bd9084b9eb206b9b53960890d22d2a9c56f5
Reviewed-on: https://review.typo3.org/27739
Reviewed-by: Alexander Schnitzler
Tested-by: Alexander Schnitzler
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Resolves: #56294
Releases: 6.2
Change-Id: I1d86f1899447feaa301474f4ed247a0ecc6c1a6e
Reviewed-on: https://review.typo3.org/27859
Reviewed-by: Markus Klein
Tested-by: Markus Klein

getTreeList calls intExplode which converts empty
arrays to 0. This patch removes empty arrays
within intExplode.

Resolves: #55384
Releases: 6.2
Change-Id: Id4ca1a15edf2cc2617d85bda765461c4cb1f105c
Reviewed-on: https://review.typo3.org/27089
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack