The site-wide social login system is now backwards-compatible with how
the social_login_active core pref worked since commit
3b2d8333b6.
social_login_active's least significant bit is now treated as a global
bit, so if it's not set, no other bits are allowed to be set. This
un-breaks all existing checks for whether social_login_active is empty.
Except in themes, the social_login_active check has been replaced with
an e_user_provider API to check if social login is enabled site-wide.
- MOD: Replaced e107::getPref('social_login') with
SocialLoginConfigManager::getValidConfiguredProviderConfigs()
- FIX: signup_shortcodes updated with new social login providers
- MOD: e107::filter_request() code de-duplication: HTTP 400 exits
- MOD: Deprecated e107::getHybridAuth() to discourage direct access to
third-party dependency Hybridauth
- FIX: Updated e_user_provider for Hybridauth 3
- FIX: e_user::tryProviderSession() and Hybridauth 3
- NEW: Dynamic auth provider support in social_adminarea
- NEW: Database migration for social plugin's social_login pref
- FIX: Removed pointless (and invalid) destructor in LinkedIn::__destruct()
- FIX: All files that trigger this deprecation notice in PHP 7.4:
"Array and string offset access syntax with curly braces is deprecated"
- FIX: Do not redefine e_ADMIN_AREA in parser.php
- FIX: Null checks for e107TinyMceParser
- FIX: Array type check for e_bbcode::imgToBBcode()
- FIX: Optional query string in e_parse::thumbUrlDecode()
- FIX: Don't redefine TINYMCE_UNIT_TEST
Fixes: #4010
Related: #3111
==== Problem ====
If there are two download mirrors, `slow.example.com` and
`fast.example.com`, hotlink protection using an NGINX `secure_link_md5`
expression in the Downloads plugin cannot distinguish between these
hostnames.
This means that a user limited to `slow.example.com` can change the
download host to `fast.example.com` and download from the better mirror.
==== Solution ====
To solve this, `NginxSecureLinkMd5Decorator` needs to support the NGINX
`$host` variable. Having this variable in the expression will lock down
the secure link to the specific download host.
