1
0
mirror of https://github.com/flarum/core.git synced 2025-10-17 17:56:14 +02:00
Commit Graph

219 Commits

Author SHA1 Message Date
Franz Liedke
4fe7acfddf Revert "Add a middleware for authentication with CGI wrap"
This reverts commit 685d5f1517.

This will now be dealt with at the Stratigility level.
2016-03-26 18:56:31 +09:00
Franz Liedke
685d5f1517 Add a middleware for authentication with CGI wrap
If the authorization header is stripped by CGI wrap,
the server can be configured to send the value along
in an environment variable. If the server admin sticks
to this convention, Flarum can now use this variable.

This is supposed to take care of #384.
2016-03-24 21:53:11 +09:00
Toby Zerner
a5c8ef0566 Tweak user email confirmation alert
- Make sure is_activated is serialized to a bool (otherwise "0" will evaluate to true)
- Remove "error" class from message so it's more friendly
- Make the alert more prominent by mounting it into a new div at the top of the page
- Add loading UX to the resend button
2016-03-23 22:17:42 +10:30
Franz Liedke
cb428f1e4a Make StyleCI happy 2016-03-23 19:54:04 +09:00
Sajjad Hasehmian
b13adfec84 Show alert for unverified User 2016-03-22 18:52:32 +04:30
Franz Liedke
588dd7b213 Fix JSON serialization error on PHP 7
Closes #685.

Thanks to @sijad.
2016-03-18 21:11:54 +09:00
Toby Zerner
e37c7a9b06 Remove sudo mode and add password confirmation when changing email address
closes #674
2016-03-11 12:44:18 +10:30
Franz Liedke
594a2ba8cc More indentation cleanup 2016-02-26 13:10:32 +09:00
Franz Liedke
b4cf197cc6 Improve alignment of string 2016-02-26 12:20:37 +09:00
Toby Zerner
a6cf10f854 Applied fixes from StyleCI 2016-02-25 22:09:39 -05:00
Daniel Klabbers
e4412178b1 refactoring to support array closures migrations and fixed issues with previous pr for extension rewriting 2016-02-25 23:26:10 +09:00
Daniel Klabbers
0ad4c0ac61 fixes #800, forgot these controllers 2016-02-13 20:33:33 +01:00
Daniel Klabbers
31be2f8f86 reordering and removing unused imports 2016-02-10 11:00:37 +01:00
Franz Liedke
97979b2189 Store discussion slug in database table
In preparation for #646.
2016-02-04 11:46:30 +01:00
Toby Zerner
2018e424ec Refactor ListPostsController, make filtering extensible
It became apparent in https://github.com/flarum/core/issues/319#issuecomment-170558573 that there was no way for extensions to add filter parameters to the /api/posts endpoint (e.g. /api/posts?filter[mentioned]=1). Simply adding an event to modify the `$where` array severely limits how much can be done with the query. This commit refactors the controller so that filters are applied directly to the query Builder, and exposes the Builder in a new `ConfigurePostsQuery` event.
2016-01-31 17:06:38 +10:30
Toby Zerner
285e397d05 Remove hack to make tag permissions work
Since we now grant these global permissions if the user has the respective permission for any individual tags.
2016-01-16 14:07:13 +10:30
Albert221
b123e435ff Unified two URL prefix variables into one 2016-01-12 22:07:47 +01:00
Franz Liedke
537ab6e41f Remove empty line 2016-01-11 08:15:14 +01:00
Daniel Klabbers
159810c335 removed patch from api routes, fixes #725 2016-01-11 08:09:01 +01:00
Albert221
096aae7919 #696 Added support for prefixes in AbstractUrlGenerator. 2016-01-04 15:28:55 +01:00
Toby Zerner
6de7038f83 Allow setting the token lifetime 2016-01-02 15:22:53 +10:30
Toby Zerner
07a20a10fd Move flood control from core to API layer
This means that flood control can be disabled depending on the nature of the request (i.e. when authenticated using a master API key). The particular use case for this is to allow using the API to migrate data from an old forum.
2016-01-02 15:22:16 +10:30
Toby Zerner
ff0ce09620 Ensure routes are only populated after extensions have registered listeners
Because extensions can have dependencies injected, a RouteCollection could potentially be instantiated, and thus the ConfigureRoutes event would be called before extensions have had a chance to subscribe to it. Instead, we instantiate the RouteCollection on demand, but only populate it when the application boots.
2016-01-02 15:03:11 +10:30
Toby Zerner
e86cc39f5b API: Add an event to configure server middleware 2016-01-02 15:00:07 +10:30
Toby Zerner
1cac48f90a Always grant master API keys sudo mode 2015-12-30 15:26:07 +10:30
Toby Zerner
d743e56bc1 Fix tests and CS 2015-12-05 22:31:33 +10:30
Toby Zerner
387109002e Rework sessions, remember cookies, and auth again
- Use Symfony's Session component to work with sessions, instead of a custom database model. Separate the concept of access tokens from sessions once again.
- Extract common session/remember cookie logic into SessionAuthenticator and Rememberer classes.
- Extract AuthenticateUserTrait into a new AuthenticationResponseFactory class.
- Fix forgot password process.
2015-12-05 15:11:25 +10:30
Toby Zerner
67e9e23df1 Fix previous commit 2015-12-03 17:56:04 +10:30
Toby Zerner
1cfae4ad14 Merge branch 'sudo-mode'
# Conflicts:
#	CHANGELOG.md
2015-12-03 15:12:51 +10:30
Toby Zerner
9896378b59 Overhaul sessions, tokens, and authentication
- Use cookies + CSRF token for API authentication in the default client. This mitigates potential XSS attacks by making the token unavailable to JavaScript. The Authorization header is still supported, but not used by default.
- Make sensitive/destructive actions (editing a user, permanently deleting anything, visiting the admin CP) require the user to re-enter their password if they haven't entered it in the last 30 minutes.
- Refactor and clean up the authentication middleware.
- Add an `onhide` hook to the Modal component. (+1 squashed commit)
2015-12-03 15:11:57 +10:30
Toby Zerner
287ce2fddd Fix crash when loading notifications in some instances
Specifically, the crash would occur when the first notification had a subject without a discussion relationship (e.g. the Subscriptions extension's newPost notification, where the subject itself was a discussion). Instead of simply eager loading the nested subject.discussion relationship, we load discussions manually instead.
2015-12-03 15:10:05 +10:30
Toby Zerner
cea1cbc2d6 Fuzzy-match global forum permissions
This means that the "Start a Discussion" button will still be enabled if the user is not allowed to start globally, but only in certain tags.

Also add some other stuff to the changelog.

closes #640
2015-12-03 15:08:28 +10:30
Franz Liedke
b3a5822ddb Rename HTTP method override header
This is the name recommended by the JSON-API spec:
http://jsonapi.org/recommendations/#patchless-clients
2015-11-26 17:43:32 +01:00
Toby Zerner
262a934747 Prevent error if no input is given in create actions 2015-11-23 14:15:30 +10:30
Toby Zerner
f13ded1255 Fix error when renaming discussion
Discussion/user info is needed when serialising posts (checking permissions, etc.) so we can't just use the ID.
2015-11-02 17:53:26 +10:30
Toby Zerner
953f81176b Fix check for whether there is a translation for a group name 2015-10-31 18:20:55 +10:30
Toby Zerner
73c44adb96 Merge pull request #615 from oldskool/ip-logging
Minor changes:
- Rename/restyle migration, fix namespace
- Make IP address optional on PostReply command
2015-10-31 10:04:06 +10:30
Toby Zerner
95e3ff8fa8 Update for new tobscure/json-api relationship handling 2015-10-30 11:03:38 +10:30
Jan Dorsman
49fddbd450 WIP IP Logging 2015-10-27 21:53:21 +01:00
Kirk Bushell
400aa4fef9 Added more tests 2015-10-27 13:22:30 +00:00
Toby Zerner
68498cedae Use exception handlers instead of JsonApiSerializableInterface 2015-10-26 11:14:48 +10:30
Toby Zerner
12830265d9 Change back to 401 error on invalid login
See 26a821e3e2 (commitcomment-13866552)
2015-10-21 09:04:58 +10:30
Toby Zerner
26a821e3e2 Improve client XHR error handling
The default XHR error handler produce an alert which is appropriate to the response status code. It can be overridden per-request (by specifying the `errorHandler` option) so that the alert can be suppressed or displayed in a different position (e.g. inside a modal).

ref #118
2015-10-20 12:48:26 +10:30
Toby Zerner
96c42ed337 Translate group names during serialization
closes #564
2015-10-19 15:44:28 +10:30
Toby Zerner
1242fa79af Implement proper update process
If the version in the settings table mismatches the code version, then we return a 503 error for all requests coming through index.php and api.php, while admin.php serves up a form prompting for the database password which will run outstanding migrations.
2015-10-19 15:09:54 +10:30
Toby Zerner
ddfedcb4dd Add Interface suffix to SettingsRepository 2015-10-19 14:58:47 +10:30
Toby Zerner
c08b62af80 Refactor translation and validation
We now use Symfony's Translation component. Yay! We get more powerful pluralisation and better a fallback mechanism. Will want to implement the caching mechanism at some point too. The API is replicated in JavaScript, which could definitely use some testing.

Validators have been refactored so that they are decoupled from models completely (i.e. they simply validate arrays of user input). Language packs should include Laravel's validation messages.

ref #267
2015-10-15 22:30:45 +10:30
Toby Zerner
4b3e1b16d9 Remove forum. prefix from permissions
closes #425
2015-10-14 16:11:00 +10:30
Toby Zerner
b53e612007 Fix failing tests + CS 2015-10-11 23:37:51 +10:30
Toby Zerner
663de42917 Fix extension uninstallation 2015-10-11 22:29:25 +10:30