Added and updated tests to cover.
Also updated API auth to a narrower focus of existing session instead of also existing user auth.
This is mainly for tests, to ensure they're following the session
process we'd see for activity in the UI.
Sets some reasonable limits, which are higher when logged in since that
infers a little extra trust.
Helps prevent against large resource consumption attacks via super heavy
search queries.
Thanks to Gabriel Rodrigues AKA TEXUGO for reporting.
Checks files within the ZIP against the app upload file limit
before using/streaming/extracting, to help ensure that they do not exceed
what might be expected on that instance, and to prevent disk exhaustion
via things like super high compression ratio files.
Thanks to Jeong Woo Lee (eclipse07077-ljw) for reporting.
Includes major version change of antonioribeiro/google2fa which changes
secret length. From manual testing of old MFA secrets and new, this
should not be breaking at all.
- Added advisory on role permission form to advise which allow listing
of users/roles.
- Updated database config to avoid PHP8.5 deprecation.
- Tweaked migration to remove unused index.
- Fixed test namespace.
- Added new user notification preference, opt-in by default
- Added parser to extract mentions from comment HTML, with tests to
cover.
- Added notification and notification handling
Not yet tested, needs testing coverage.
Allows better selection.
Also updated existing decorator file names to align with classes so
they're easier to find.
Also aligned/fixed decorator constructor/setup methods.
Updated setting display to show multiple number inputs under one heading
group.
Updated settings to use general number field form view template.
Updated translations to match display changes, and to advise on counts.
Added page count control for search results.
Added setting service method, to get settings as integers, with
min/max/default control.
Updating sorting group to be named "Lists & Sorting".
Added tests to cover.
Which was occurring in Chrome, where background requests to the PWA
manifest, or opensearch, endpoint caused OIDC to fail due to lost state
since it was only flashed to the session.
This persists it with a manual TTL.
Added tests to cover.
Manually tested against Azure.
For #5929
Fixes an error where a used relation (entity) on the comment was
resulting in null due to eager loading the notification when
deserializing from the queue, where Laravel was then mis-matching the
names when performing the eager loading.
For #5918
Had prevented public access for images when secure_restricted images was
enabled (and for just secure images) when app settings allowed public
access.
This considers the app public setting, and adds tests to cover extra
scenarios to prevent regression.
For #5885
Adds to, uses and cleans-up central permission checking in ImageService
to mirror that which would be experienced by users in the UI to result
in the same image access conditions.
Adds testing to cover.
This was hardcoded since the table was always the same, but in some
cases Laravel will auto-alias the table name (for example, when in
sub-queries) which will break MySQL 5.7 when the scope attempts to use
the table name instead of the alias.
Needs testing coverage.
For #5877
Reverted change for activities table so that a record is retained of
past activity, and added a check where the ID may be displayed to ensure
it does not mislead and accidentally reference other, newer users.