This no longer hinges on app.debug because it creates confusion for devops engineers. This is based on three independent reports coming from app environments that use a reverse proxy. The engineer will follow the proper security instructions by disabling debug mode, which in turn creates an infinite redirect loop when opening the back-end area, only to leave them scratching their heads
Ultimately it is the web server configuration's job to handle the enforcement of HTTPS, the app no longer enforces it as a strong opinion, but we still keep the setting available as a convenient security check for standard environments that do not use a reverse proxy
The upgrade to the latest Dropzone.js brought in a new `timeout` configuration variable, which defaults to 30s. This removes the time limit and restores original functionality.
Fixes#4869
Tested #4867 but it broke the use of pressing TAB after entering a tag to lock it in. This seems to retain that functionality and yet still fix the issue
Replaces #4867
This is a complex issues where a "model not found" exception is getting thrown during the `pageAction` cycle, then getting suppressed by the fatal error handler:
try {
// RelationController throws error here
}
catch (Exception $ex) {
$this->controller->handleError($ex);
}
Fixes#4784
- Introduce varcharmax config item, this default eventually should be increased to 255, when MySQL 5.6 support is dropped
- Config item can be kept to retain legacy support
- Only apply to mysql driver, previously was impacting other drivers
- Source true config values, previously was sourcing hard coded "mysql" connection values
Adds an Artisan command "october:passwd" to change the password of a Backend User through CLI. This command may only be run through CLI - it will not work if called through a web handler.
Refs: #3521, #4835. Docs: 1f3bfc719e
This has been benchmarked and appears to have minimal impact on performance and solves unnecessary randomness and race conditions during the app's registration and boot cycle
Fixes#4826
This change should be revisited since it doesn't account for database-based templates which have no file path. Upon revisit, we might want to consider adding this logic in to the afterFetch() event with detection of file based mode, or even at the lower levels where the file is first extracted from the filesystem. TBA
This changes the event log to use a partial for the log message which double-encodes the data. When using formatted view in the log viewer widget, the HTML entites are allowed by decoding back a step. When in raw view, the HTML entities are kept double-encoded.
Fixes#4558.
Logic in ComponentPartial was rolled back and moved to the Controller. Since there are issues with throwing exceptions inside the component partial lookup logic (exceptions are conditionally suppressed), it seems like it would be better to bubble up the security logic to the controller level as a simple base dir security check, which is no longer concerned about any suppression logic. This looks to have logic parity with the previous solution
Refs #4652
It is unsure why this was ever needed, but it appears to fix the overflow issues with the sortable plugin
Refs https://github.com/rainlab/pages-plugin/issues/384
Refs 11be3fede39024f285309f61cbf32ee4d0d5cc28
This is one step closer to fixing the sorting issues when a scrollbar is present. It still doesn't quite fix the issue, still need to find a way to get the container dimensions to update
Refs https://github.com/rainlab/pages-plugin/issues/384
Refs 1d91c221b0b32592ec93c9f4824d108fc2a5cc5e
Similarly named repeater fields being used in viewBag variables were being assigned aliases which succeeded the `strpos` check on line 407. This will more clearly look for a child repeater form and index.
Fixes#4808
