This allows the `theme:sync` command to properly sync to specified targets.
Fixes#4887. Replaces #4935. Credit to @bennothommo for the initial implementation.
When uploading file through "CMS"->"Files"->"Add" -> "Upload file(s)", uploaded file doesn't have set file permissions according to "cms.defaultMask.file" from Config.
This patch fixes it so "defaultMask" can be different from umask and file has correctly set its permissions (usefull when required permissions are other than "644") as well as it has files/directories directly created in CMS section.
Don't bother retrieving the translated URL at construction time, it will be run through the translator during the validation process so there's no need to always hit the translator on every single Page model being loaded.
The upgrade to the latest Dropzone.js brought in a new `timeout` configuration variable, which defaults to 30s. This removes the time limit and restores original functionality.
Fixes#4869
This change should be revisited since it doesn't account for database-based templates which have no file path. Upon revisit, we might want to consider adding this logic in to the afterFetch() event with detection of file based mode, or even at the lower levels where the file is first extracted from the filesystem. TBA
Logic in ComponentPartial was rolled back and moved to the Controller. Since there are issues with throwing exceptions inside the component partial lookup logic (exceptions are conditionally suppressed), it seems like it would be better to bubble up the security logic to the controller level as a simple base dir security check, which is no longer concerned about any suppression logic. This looks to have logic parity with the previous solution
Refs #4652
Adds a dismissable message to the CMS object code editor indicating that the PHP code section of a CMS object cannot be edited when `cms.enableSafeMode` is `true` (or when debugging is disabled if `null`).
Credit to @mjauvin.
This was a contentious change is generally a bad idea to blanket all requests with a dependant cookie. We will try something else.
Revert enableXsrfCookies setting. Fixes UX issue introduced where the token expires. This should be replaced by a CSRF policy that determines whether this is needed on the front end.
runInternal has been removed because we do not want to blanket our response logic over every single response, only the happy path. This is because it is impossible to remove. So it is better to take the inverted approach, where if you want the CMS' headers in your custom response, add them yourself. This becomes easy via the new makeResponse() method
