201 Commits

Author SHA1 Message Date
Ben Thomson
96c062bb47 Allow dot-notation for specifying external parameters for a component (#4978) 2020-03-13 09:03:18 +08:00
Samuel Georges
cbc620c3e8 Rollback for Build 462
This change should be revisited since it doesn't account for database-based templates which have no file path. Upon revisit, we might want to consider adding this logic into the afterFetch() event with detection of file-based mode, or even at the lower levels where the file is first extracted from the filesystem. TBA
2019-12-19 17:42:25 +11:00
Samuel Georges
7902cfa58a Simplify security check
Logic in ComponentPartial was rolled back and moved to the Controller. Since there are issues with throwing exceptions inside the component partial lookup logic (exceptions are conditionally suppressed), it seems like it would be better to bubble up the security logic to the controller level as a simple base dir security check, which is no longer concerned about any suppression logic. This looks to have logic parity with the previous solution.

Refs #4652
2019-12-14 12:37:44 +11:00
Tobias Kündig
80f870c313 Allow partial overrides in subfolders (#4652)
* Allow partial overrides in subfolders + security checker
2019-12-14 12:22:30 +11:00
Samuel Georges
260e1f503f Rollback d31006ae1a1f5a709e9a100d0096a5633ab820b5 2019-12-10 03:12:12 +11:00
Samuel Georges
8da798a5cd Remove XSRF cookie
This was a contentious change; it is generally a bad idea to blanket all requests with a dependent cookie. We will try something else.

Revert enableXsrfCookies setting. Fixes UX issue introduced where the token expires. This should be replaced by a CSRF policy that determines whether this is needed on the front end.
2019-11-04 09:06:05 +11:00
Samuel Georges
c5bd5f0e0a Apply ResponseMaker to backend AJAX and cms.page.display event 2019-11-03 08:02:28 +11:00
Samuel Georges
1df8e72e4a Remove unused import 2019-11-02 19:42:09 +11:00
Samuel Georges
63f65a3f25 Add XSRF to backend, simplify CMS controller run() method
runInternal has been removed because we do not want to blanket our response logic over every single response, only the happy path. This is because it is impossible to remove. So it is better to take the inverted approach, where if you want the CMS' headers in your custom response, add them yourself. This becomes easy via the new makeResponse() method.
2019-11-02 19:14:45 +11:00
Samuel Georges
ff8f899fbe Move response common functions to ResponseMaker trait 2019-11-02 18:21:22 +11:00
Samuel Georges
b1fa45ee3a Combine common CSRF logic to a trait 2019-11-02 15:15:18 +11:00
Samuel Georges
49d68f0671 Cookies are no longer serialized
Based on an update to library 09e859a13e, we no longer serialize cookies, so the decrypter no longer needs to apply a serialization layer.
2019-11-02 14:52:00 +11:00
Luke Towers
959b85f56c Add cms.enableXsrfCookies config value (default true) to configure whether or not the XSRF cookie is automatically sent or if CSRF tokens are solely relied on.
Related: https://github.com/octobercms/october/pull/4701#issuecomment-547773385 & https://github.com/laravel/framework/pull/24726
2019-10-30 08:08:54 -06:00
Luke Towers
457466c5af Fix typehint 2019-10-29 16:33:49 -06:00
Luke Towers
eb4648972f Ensure that the XSRF cookie can always be added to the response, no matter the source of the response 2019-10-28 13:33:07 -06:00
Luke Towers
096ccf875d Implement suggestions from @bennothommo 2019-10-28 12:58:07 -06:00
Samuel Georges
f542ca8e90 Implement XSRF checking for AJAX handlers
Refs #4699
Refs #4701
2019-10-24 20:19:20 +11:00
Luke Towers
d31006ae1a Return 403 response on CSRF fail instead of silently failing
Also moved backend::lang.page.invalid_token.label to system::lang.page.invalid_token.label. Fixes
2019-10-06 23:21:08 -06:00
Ben Thomson
0240c21af6 Fail CSRF token checks if the session expires. (#4598)
Fixes #4595. Credit to @bennothommo
2019-09-04 21:33:10 -06:00
Dan Harrin
9521dd795c Minor Formatting Corrections in Usage Comments (#4541)
Credit to @DanHarrin
2019-08-15 09:14:54 -06:00
Dan Harrin
967fd02d8c Fix minor spelling errors and inconsistencies (#4543)
Credit to @DanHarrin.
2019-08-15 11:39:26 +08:00
Ben Thomson
a59d3b83eb Code quality clean up (#4449)
Credit to @bennothommo
2019-07-18 08:50:37 -06:00
Luke Towers
46c867e4b5 Improve API docs
Resolves #4214
2019-06-12 00:33:30 -06:00
Luke Towers
7c7ff31cd6 Return 404 when attempting to access /error directly in production
Replaces #2212
2019-04-19 15:29:00 -06:00
Luke Towers
c86bec7f08 Replace deprecated Twig class references, refs: #4209. 2019-03-27 13:15:17 -06:00
Luke Towers
900220b079 Documented more inline events:
cms.page.beforeDisplay
cms.page.display
cms.page.init
cms.page.beforeRenderPage
cms.page.start
cms.page.end
cms.page.postprocess
cms.page.initComponents
cms.page.render
cms.page.beforeRenderPartial
cms.page.renderPartial
cms.page.beforeRenderContent
cms.page.renderContent
2018-10-11 20:10:28 -06:00
Alexander Shapoval
709790a05d Added method getLayout() to Controller (#3765)
Credit to @ebashu-on-holidays
2018-09-09 18:55:10 -06:00
Nathan van der Werf
8fd16d4db6 Merge branch 'develop' into feature/cleanup
# Conflicts:
#	modules/backend/formwidgets/FileUpload.php
2018-08-24 19:52:54 +02:00
Nathan van der Werf
0f0d108da0 Remove unused imports 2018-08-24 19:51:59 +02:00
Nathan van der Werf
66fa03f17e Revert "Remove unused imports"
This reverts commit 742a5f415bc45819b11c77402efc114fa2f4451e.
2018-08-24 19:40:40 +02:00
Luke Towers
1032fd0cc1 Added more inline API event docs:
Added docs for:
cms.component.beforeRunAjaxHandler
cms.component.runAjaxHandler

Improved docs for:
cms.ajax.beforeRunHandler
2018-08-18 09:05:38 -06:00
Nathan van der Werf
8b6f11e6ac Extract child instructions 2018-08-15 19:25:42 +02:00
Nathan van der Werf
62c59a4903 Refactor ternary operators to null coalescing operators 2018-08-15 19:15:13 +02:00
Nathan van der Werf
a3d7a028b4 Replace is_null with "=== null" comparison 2018-08-15 18:54:46 +02:00
Nathan van der Werf
77b6f07291 Modify conditions to use elvis operators 2018-08-15 18:53:11 +02:00
Nathan van der Werf
123145fd54 Remove unnecessary parentheses 2018-08-15 18:49:52 +02:00
Nathan van der Werf
02bd38cfb1 Merge if constructs 2018-08-15 18:45:37 +02:00
Nathan van der Werf
3a918ad200 Remove "null" assignments 2018-08-15 18:33:24 +02:00
Nathan van der Werf
742a5f415b Remove unused imports 2018-08-15 18:27:36 +02:00
Luke Towers
92e346296e Added cms.ajax.beforeRunHandler event 2018-04-19 10:26:50 -06:00
Arthur Kushman
c78b3ef786 Code formatting changes (#3363)
Code formatting improvements submitted by @arthurkushman.
2018-03-22 10:55:13 -06:00
Matteo
678916854e Add config to enable Twig strict_variables (#3370)
Adds the cms.enableTwigStrictVariables config option to enable strict_variables in Twig for debugging purposes. See https://twig.symfony.com/doc/2.x/api.html#environment-options. Credit to @matteotrubini
2018-01-26 10:59:45 -06:00
Samuel Georges
e6de2a5521 Fixes exception on empty token 2017-11-02 19:53:20 +11:00
Samuel Georges
4a6e0e1e0e Implement CSRF token by default
Implement CSRF protection on CMS for postback handling
2017-10-30 09:00:17 +11:00
Luke Towers
08f9cd8448 Moved the |media twig filter from the CMS module to the System module 2017-09-27 22:15:01 -06:00
Samuel Georges
96d0535d09 Add generic onAjax handler that does nothing 2017-07-29 22:55:58 +10:00
Samuel Georges
1db67af8e8 Merge remote-tracking branch 'remotes/origin/develop' into l55upgrade
Conflicts:
	modules/system/lang/en/lang.php
2017-07-11 10:48:54 +10:00
Max Schmitt
aeba740243 Add getStatusCode() in Cms\Classes\Controller (#2959)
Related: #2953. Provide a method to access the current statusCode of a CMS controller.
2017-07-08 08:53:08 -06:00
Samuel Georges
d1c160f9dc Check both instances to fix #1854
It appears there is no way around this. All directories should be lowercase in October; prior to this, October wanted uppercase characters. Make up your mind, guy, come on! ;-)
2017-07-01 12:26:55 +10:00
Samuel Georges
87f8f8feb1 Fixes inconsistency in component partial folder names
This is a breaking change that will require further attention - refs #1854

E.g. for myComponent, the default component partial would use lowercase folders:
- /plugins/acme/test/components/mycomponent/default.htm

The theme component partial override would use case-sensitive folders:
- /themes/foobar/partials/myComponent/default.htm

This is fixed as:
- /themes/foobar/partials/mycomponent/default.htm

Minor code fix to ModelBehavior class
2017-06-27 05:34:13 +10:00