This changes how initial searches can be handled via config rather than
specific action so they can be considered in how the initial data load
is done, to prevent the default empty state loading and overwriting the
search data if it lands later (which was commonly likely).
For #4778
Query of existing entity permissions during view permission generation
could cause timeouts or SQL placeholder limits due to massive whereOr
query generation, where an "or where" clause would be created for each
entity type/id combo involved, which could be all within 20 books.
This updates the query handling to use a query per type involved, with
no "or where"s, and to be chunked at large entity counts.
Also tweaked role-specific permission regen to chunk books at
half-previous rate to prevent such a large scope being involved on each
chunk.
For #4695
Also aligned books, shelves and chapters to return description content
and some relations (where not breaking API) in create/update responses
also so that information can be seen direct from that input in a
request.
API docs and tests not yet updated to match.
For book, shelves and chapters.
Made much of the existing handling generic to entity types.
Added new MixedEntityListLoader to help load lists somewhat efficiently.
Only manually tested so far.
Rolled out HTML editor field and store logic across all target entity
types. Cleaned up WYSIWYG input logic and design.
Cleaned up some injected classes while there.
Old all-caps button design made them a bit angry, and kinda odd and
outdated. This updates them to use their original source text casing
(which may help for translation variations) while being a bit rounder
with a better defined shadow for outline buttons.
Required a lot of working around TinyMCE since it added a
preview/wrapper element in the editor which complicates things.
Added view new "fixes.js" file so large hacks to default TinyMCe
functionality are kept in one place.
- Cast send_invite value in cases where it might not have been a boolean,
which occurs on non-JSON requests.
- Added test to cover.
- Updated API docs to mention and shown boolean usage.
Cleaned up and updated page picker a bit, allowing longer names to show,
clicking through to item without triggering popup, and updated to use
hidden attributes instead of styles.
Added phpunit tests to cover supporting entity-selector-templates
endpoint.
- Adapted existing page picker to be usable elsewhere.
- Added endpoint for getting templates for entity picker.
- Added search template filter to support above.
- Updated book save handling to check/validate submitted template.
- Allows non-visible pages to flow through the save process, if not
being changed.
- Updated page deletes to handle removal of default usage on books.
- Tweaked wording and form styles to suit.
- Updated migration to explicity reflect default value.
Swapped back handling to instead be pre-determined instead of being
based upon session/referrer which would cause inconsistent results when
referrer data was not available (redirect to app-loaded images/files).
To support, this adds a mechansism to provide a URL through request
data.
Also cleaned up some imports in code while making changes.
Closes#4656.
Avoided updating markdown-it package to 14 for now since it would cause
bundle size to inflate. Don't think ESBuild is properly tree shaking
"entities" sub package which inflates size.
This changes the point-of-logout to be within the initial part of the
SAML logout flow, as per 5.3.2 of the SAML spec, processing step 2.
This also improves the logout redirect handling to use the global
redirect suggestion so that auto-login handling is properly taken into
account.
Added tests to cover.
Manual testing performed against keycloak.
For #4713
- Disabled by default due to strict rejection by auth systems.
- Fixed issue when autoloading logout URL, but not provided in
autodiscovery response.
- Added proper handling for if the logout URL contains a query string
already.
- Added extra tests to cover.
- Forced config endpoint to be used, if set as a string, instead of
autodiscovery endpoint.
Extracted logout to the login service so the logic can be shared instead
of re-implemented at each stage. For this, the SocialAuthService was
split so the driver management is in its own class, so it can be used
elsewhere without use (or circular dependencies) of the
SocialAuthService.
During review of #4467
- Updated HTML exports to have auto direction to properly react to RTL
text when in the content.
- Fixed RTL spacing issues in new editor design changes.
- Fixed pointer arrow being angled wrong on RTL languages.
Related to #4645
Managed to do this in an API-compatible way although resuling output may
differ due to new dom handling in general, although user content is used
inline to remain as comptable as possible.
- Added mulit-level depth parsing.
- Updating usage of HTML doc in page content to be efficient.
- Removed now redundant PageContentTest cases.
- Made some include system fixes based upon testing.
Expanded tests with many more cases, and added fixes for failed
scenarios.
Updated logic to specifically handling parent <p> tags, and now assume
compatibility with parent block types elswhere to allow use in a
variety of scenarios (td, details, blockquote etc...).
Implements block promoting to body (including position choosing based
upon likely tag position within parent) and block splitting where we're
only a single depth down from the body child.
Updated image loading for intervention library to be via a specific
'initFromBinary' method to avoid being overly accepting of input types
and mechansisms.
For CVE-2023-6199
Saves specifically the document element on output to HTML, since this
results in just the outer HTML being saved while not including the extra
XML tags which would show up before with the changes to force utf8
usage.
Adds a thin wrapper for DOMDocument to simplify and align usage within
all areas of BookStack.
Also means we move away from old depreacted mb_convert_encoding usage.
Closes#4638
- Merged book and chapter name items to a single page path list item
which has links to parent page/chapter.
- Added permission filtering to page path elements.
- Added page path to also be on comment notifications.
- Updated testing to cover.
- Added new Message Line objects to support.
Done during review of #4629
added book name
synced with actual file from dev branch
added book name
add book name
added book name
extended with chaptername
extended with chapter name
Update PageUpdateNotification.php
Update notifications.php
Update notifications.php
Update notifications.php
correction of chapter syntax
correction of chapter syntax
Changes since adding notifications would cause direction to be assessed
upon max height of 80vh, which caused large dropdowns like the audit log
dropdown to drop up and/or go offscreen.
This restores the default assessment of 500px, and adds dynamic
max-height adjustment to provide more room for large dropdowns.
For #4652
Change due to link color being more suitable in this case since it's not
specifically a block with light text which is what app color is suited
for.
Specifically better for dark mode when a dark app color is used.
For #4630
- Updated anchor scroll change to open up details blocks if the target
exists within.
- Updated highlighting and animation implementation to fix hardly visible highlighting.
- Removed old, now unused, handing of CM instances in details blocks.
Related to #4637.
- Updated sponsor text since it only mentioned GitHub, nothing else.
- Updated translation contribution info to dissuade code-based
contributions due to issues with conflicts/sync.
Previously we'd prevent caching of authed responses for security
(prevent back cache or proxy caching) but caching could still be an
issue in non-auth scenarios due to CSRF (eg. returning to login screen after
session expiry).
For #4600
- Fixed inital empty state margins/paddings to be aligned and not differ
when lists are empty.
- Aligned button/action display when viewing empty entities.
- Fixed use of non-existing permission in books for book empty state
button.
Fixes#4563
- Updated existing tests now affected by my-account changes.
- Updated some existing tests to more accuractly check the scenario.
- Updated some code styling in SocialController.
- Fixed redirects for social account flows to fit my-account.
- Added test for social account attaching.
- Added test for api token redirect handling.
Updated old user management routes to only be accessible with permission
to manage users, so also removed old content controls checking for that
permission.
- Moved preference views to more general "my-account" area.
- Started new layout for my-account with sidebar.
- Added MFA to prefeences view (to be moved).
Updated default homepage layout to be much nicer at ipad-like widths by
switching to css-column approach at those breakpoints.
Also neated top actions by switching to simpler flexbox layout.
Fixes#4596
Restructured tri-layout grid system, so the sidebars are contained in
their own child grid system, mimicking the parent grid, so we can treat
them as part of the same parent scroll container at smaller screen
sizes for consistent scroll/sticky behavior.
Tested on Firefox, Chromium, Gnome Web and Safari (MacOS).
For #4394
Changes made during review of #4562
- Updated to go through HomeController with the builder as a helper
class.
- Extracted some reapeated items into variables in manifest.
- Updated background color to match those used by BookStack.
- Removed reference of icon.ico since its not intended to be used.
- Added tests to cover functionality.
Review of #4430
- Moved thumnbail loading out of repo into ImageResizer.
- Updated gallery and editor image handling to show errors where
possible to indicate memory issues for resizing/thumbs.
- Updated gallery to load image data in a per-image basis via edit form
for more resiliant thumb/data fetching. Data was previously provided
via gallery listing, which could be affected by failing generation
of other images.
- Updated image manager double click handling to be more pleasant and
not flash away the edit form.
- Updated editor handlers to use main URL when thumbs fail to load.
Added since we can't always be sure of future image usage, and in many
cases we don't generate ahead-of-time.
Also:
- Simplified image handling on certain models.
- Updated various string handling operations to use newer functions.
- Added some level of app out-of-memory handling so we can show a proper
error message upon OOM events.
- Added endpoint and image-manager button/action for regenerating
thumbnails for an image so they can be re-created upon failure.
Uploads over the post max size Would previously error without a
clean user facing message. This catches that error to provide a
user friendly message, compatible with our common error handling.
Tested on image manager handling.
Added test to cover.
- Fixed missing page content for direct page children
- Fixed lack of book description.
- Fixed inconsistent spacing between items.
- Fixed lack of spacing between HTML items when HTML on same line.
For #4557
- Moved "common" template partials, that are only used in layouts, to
layouts/parts folder.
- Simplified HTML structure of header template.
- Extracted logo and links from header template to simplify.
- Added header-links-start template for easier extension/customization
without needing to override full list of links.
- Added test to cover usage of this.
For #4564
Added due to now not being able to perform an exact search where
contains a trailing backslash.
Now all backslashes in exact terms are consided escape chars
and require escaping themselves.
Potential breaking change due to search syntax handling change.
Related to #4535.
Also prevented use of empty exact matches.
Prevents issues when attempting to use exact search terms in inputs for
just search terms, and use of single " chars within search terms since
these would get auto-promoted to exacts.
For #4535
During review of #4560.
- Simplified command to share as much log as possible across different
run options.
- Extracted out user handling to share with MFA command.
- Added specific handling for disabled avatar fetching.
- Added mention of avatar endpoint, to make it clear where these avatars
are coming from (Protect against user expectation of LDAP avatar sync).
- Simplified a range of the testing.
- Tweaked wording and code formatting.
There was a lot of locale handling to get correct/expected date
formatting within the app.
Carbon now has built-in locale content rather than us needing to target
specific system locales.
This also removes setting locale via Carbon directly.
Carbon registers its own Laravel service provider which seems to
accurately pull the correct locale from the app.
For #4555
- Reduced app settings down to what's required.
- Used new view-shared $locale object instead of using globals via
config.
- Aligned language used to default on "locale" instead of mixing
locale/language.
For #4501
- Moves guest user caching from User class to app container for
simplicity.
- Updates test to use simpler $this->users->guest() method for
consistency.
- Streamlined helpers to avoid function overlap for simplicity.
- Extracted user profile dropdown while doing changes.
- Updating formatting.
- Tweaked truncation to roughly match elipsis char to width used.
- Updated testing to use existing helpers, and ran check as admin user
to avoid name conflicts.
This adds specific handling for functions.php error loading to re-throw
errors wrapped in a more descriptive message, to make it clear the error
is due to an issue in their functions.php file.
Decided to throw and stop, rather than ignore & continue, to be on the
safe side in the event auth-level (or other security level) customizations
have been made via functions.php.
Adds test to cover.
Closes#4504
The page comments component would throw an error due to references to
form elements/content, when form elements may not exist due to
permisisons.
For #4531
Tested locally before & after change, and looked at code to compare.
Nothing seen or experienced that should affect things, from testing all
is working as expected with no difference from before.
- Update composer requirement of socialite to that which included slack.
- Updated PHP depds while there.
- Updated format of socialite events to align with current documentation
and to use class references instead of strings.
- Changed use of array spread since it was not supported in PHP8.0.
- Updated issue templates based to reduce less valueable fields, update
some details, and try to help bug reports be more focused on bugs.
- Updated readme with peertube link and attribution advistory for
translations PRs.
Used an "example.com" address so we're using a propoer reserved domain,
and to avoid these trying to be delivered to the main bookstackapp
domain.
Closes#4518
- Adds filtering to the watched items list in notification preferences
so that deleted (recycle bin) items are removed via query.
- Adds relations and logic to properly remove watches upon user and
entity delete events, to old watches in database do not linger.
- Adds testing to cover the above.
Did not add migration for existing data, since patch will be close to
introduction, and lingering DB entries don't open a security concern,
just some potential confusion in specific potential scenarios.
Probably not work extra migration risk, although could add in future if
concerns/issues are found.
Related to #4499
- Passed decode flags to provide consistent behaviour across PHP
versions during testing.
- Added env option to prevent local option taking action in PHPunit
tests.
- This ensures content notifications are not translated to receiver
language.
- This adds actual plaintext support for content notifications (Was
previously just HTML as text view).
- Shares same base class across all mail notifications.
- Also cleaned up existing notification classes.
Future cleanup requested via #4501
- Covered webhook SSR allow list useage via test.
- Updated allow list handling to use trailing slash, or hash, or end of
line as late anchor for better handling for hosts (prevent .co.uk
passing for .co domain host)
Prevention of action on certain routes for guest user when public access
is enabled. Could not see a way this could be a security issue, beyond a
mild nuisance that'd only be visible if public users can edit, which
would present larger potential nuisance anyway.
- Tweaked wording of popup title.
- Updated WYSIWYG create handling to properly remove drawing container
on failure.
Tested across FF and chrome, in both editors for create & editing.
Adds just the part to store image data, and remove on successfull save.
Alters save events to properly throw upon error.
Adds IDB-Keyval library for local large-size store.
For #4421
Review of #4313
- Made constructor changes while reviewing some classes.
- Updated API examples for consistency.
- Tweaked formatting for some array changes.
- Simplified added tests.
- Tweaked chapter/page repo priority handling to be simpler.
Performed manual API endpoint testing of page/chapter create/update.
Added test and changed logic to properly check the view permissions for
the notification receiver before sending.
Required change to permissions applicator to allow the user to be
manually determined, and a service provider update to provide the class
as a singleton without a specific user, so it checks the current logged
in user on demand.
- Ensured watch options passed in all meta template usage to fix failing
scenarios where watch options did not exist.
- Fixed testing issue caused by guest user permission caching.
- Updated mail notification design to be a bit prettier, and extracted
text to new lang file for translation.
- Added debounce logic for page update notifications.
- Fixed watch options not being filtered to current user.
- Added general user preferences view and updated link in profile menu
to suit.
- Made notification permission required for notification preferences
view, added test to cover.
- Adds option filtering and alternative text for page watch options.
- Adds "Watched & Ignored Items" list to user notification preferences
page to show existing watched items.
Kept existing "COMMENTED_ON" activity for upgrade compatibility,
specifically for existing webhook usage and for showing comment
activities in activity lists.
Precursor to content notifications.
Currently untested.
Also applied some type updates.
Reverted work in 847a57a49a.
Left test in but updated to new expectation.
Left migration in but removed content to prevent new pre-v23.06
upgraders loosing shelf create permission status.
Added note to permission to describe use-case.
For #4375
Due to queue serialization.
Added a test to check a couple of delete events.
Added ApiTokenFactory to support.
Also made a couple of typing/doc updates while there.
Related to #4373
Remove the book attribute in responses because it is never returned by the API. Currently, Chapters Create does not return book_slug! (The example response is consistent with the inconsistent API behavior)
Occured when the cell contained any block content with a differnt line
height to the table cell itself.
In firefox, cells with a height would end up with an actual greater
real cell height, which messed up TinyMCE resize calculations, causing
tables to grow.
Adding default vertical-align: top, changes this behaviour to get proper
cell heights.
Related to Firefox issue: https://bugzilla.mozilla.org/show_bug.cgi?id=569645
Have tested that editor cell text align options can still be used with
this.
For #4337
Was causing confusion.
Added test to cover.
Also added migration to remove existing create entries to pre-emptively
avoid issues in future if 'create' is used again.
After full review of current MAIL_ENCRYPTION usage in laravel and
smyfony mailer, this updates the options in BookStack to be simplified
and specific in usage:
- Removed mail.mailers.smtp.encryption option since it did not actually
affect anything in the current state of dependancies.
- Updated MAIL_ENCRYPTION so values of tls OR ssl will force-enable tls
via 'scheme' option with laravel passes to the SMTP transfport, which
Smyfony uses as an indicator to force TLS.
When MAIL_ENCRYPTION is not used, STARTTLS will still be attempted by
symfony mailer.
Updated .env files to refer to BookStack docs (which was updated for
this) and to reflect correct default port.
Related to #4342
Added support for mulit-line endpoint descriptions via blank
intermediate lines in php controller method docblocks.
Also tweaks endpoint header design for better flexing and alignment.
Fixes issue where providing owner_id alongside certain
fallback_permissions would cause the owner change not to take affect,
due to bad variable shadowing.
For #4323
Remove unnecessary UnauthorizedException
and make ApiAuthException compatible with HttpExceptionInterface.
Move the creation of a rsponse for the exception
from ApiAuthenticate middleware into the application exception handler.
Within the flow of HttpFetchException, the actual exception from curl is preserved and logged. Make HttpFetchException a pretty exception for when it is shown to users.
Needed some level of harcoding though due to callouts using colors,
which can't be css colors as DOMPDF won't understand these.
Use css variables elsewhere and added new dark variants to fit a bit
better.
Provides a way for users to actually delte their user drafts where
required.
For #3927
Added test to cover new endpoint.
Makes update to MD editor #setText so that new selection is within new
range, otherwise it errors and fails operation.
Ensures some sensible text is always in webhook text data.
Also aligned some notification reporting to use centralised activity
system instead of custom success events.
For #4216
Primarily intended to show parent book for chapters when moving/copying
pages, since the default parent selector interfaces, which used the
entity-selector search endpoint, would run this popular query when no
term was present as a default backup.
For #4264
Previously additional roles would only partially apply (system or "all"
permissions). This aligns the query-handling of permissions so that
additional roles will be used for permission queries.
Adds migration to detach existing roles as a safety precaution since
this is likely to widen permissions in scenarios that the public user
has other roles assigned already.
For #1229
Updated reply inidicator to fit with new nesting system, only showing on
view when nest within nesting structure.
Updated the general design to be a bit cleaner and better adapt on
mobile.
Tested on FF+Chrome, inc. dark mode.
- Updated pointer to move within content DOM so that you can back-focus
into the pointer if desired.
- Added new "Section select mode" which toggles focusabiltiy for main
content sections, with ability to show pointer via enter press on
these.
- Updated pointer with proper input/button labelling.
Tested via orca screen reader on Firefox/Fedora/Gnome.
For #3975
Primarily updated ldap_connect to avoid usage of deprecated syntax.
Updated tests and service to handle as expected.
Cleaned up syntax and types in classes while there.
Closes#4274
- Updated tab handling to be smarter on initial tab selection, to first
target non-hidden tab panels where they may be handled server-side.
- Extracted contained search box handling styles to _forms.scss, after
merging with image-manager-specific styles since this is only usage of
contained variant.
- Aligned focus handling on image manager UI elements.
- Updated UI with image form dropdown containing delete and replace
image actions.
- Adds new endpoint and service/repo handling for replacing existing
image.
- Includes tests to cover.
Makes interface relatively usable now on mobile sizes.
Required updating of tab handling to support tabs being active at only
mobile screen sizes, include change on resize, upon support for
potentially nested tab usage.
Tab component will now search within sensible depths for finding its own
tabs and panels to control.
The default 1st line highlighting confused users when existing on
read-only blocks as it was not clear this represented the active line.
This changes the highlight to only show when the block is focused upon.
- Fixed wrong env details being used on restore.
- Updated update-url on restore actually work.
- Added better support for symlinked locations.
- Added warning against updating in docker-like (non git controlled)
environments.
Currently only link-based styles are made available in the shadow root
code editor environment, this adds normal styles to apply any user-added
via custom head content.
Fixes#4228
Focus now returns to the editor properly when you quit out the code
editor without saving.
This also sets the return location to be correct on normal saving (Would
sometimes jump to the end of the document).
For #4109.
* Adding a video { width: 100%; }
This is to prevent that videos included in pages don't exceed the page border
* Reverting precedent commit
* Adding a video { max-width: 100% } instead
* changed app/Entities/Tools/PageContent.php to accept nested include levels. Tested it and it works.
* changed recommendations
This loop is now only around parsePageIncludes and bugfixes the space indentation.
* Update PageContent.php
fix spaces
The provided partial path would be return which may not resolve to the
full URL when used on systems like those hosting BookStack on a
sub-path.
Fixes#4201
Updated dom layout of attahcments to prevent nested dropzones (No issue
but potential to be one) and updated edit form dropzone handling so the
dropzone item card was not as distracting.
- Fixes existing broken attachment edit tabs.
- Redesigns area to move away from old tabbed interface.
- Integrates new dropzone system, for both addition and edit.
- Tightened image manager styles to address things that looked akward.
- Prevented visiblity/use of upload controls for drawings.
- Updated dropzone to use error handling from validation messages.
- Added file placeholder for non-image uploads.
- Added use of upload limits.
- Removed upload timeout variable.
- Added pass-through and usage of filetypes.
- Extracted some view text to language files and made use of existing
text.
- Added new wider target handling.
- Updated upload item dom with design and seperate "landing" zone.
- Added new helper for simple dom element creation.
- Updated event naming to be "cm6" when codemirror-specific.
- Removed cm block border in md editor to prevent double bordering.
- Updated copy handling to fallback to execCommand.
- Fixed some keybindings not running as expected, due to some editor
defaults overriding or further actions taking place since the action
would not indicate it's been dealt with (by returning boolean).
- Fixed spacing/border-radius being used on codeblocks on non-intended
areas like the MD editor.
- Fixed lack of BG on default light theme, visible on full screen md
editor.
- Fixed error thrown when the user does not have access to change the
current editor (Likely non-cm related existing issue)
- Updated clipboard handling
- Removed old clipboard package for browser-native API.
- Updated codemirror editor events to use new props for new data types.
Updated selectable elements to be divs instead of buttons since Safari
akwardly does not focus on buttons on click.
Also standardised keyboard handling to our standard nav class.
Also addressed empty tag values showing in results.
For #4139
This is useful when developing and on Docker setups. Despite setting
encryption to null, if a server supports STARTTLS with a self-signed
certificate, the mailer try to upgrade the connection with STARTTLS.
Attempted to access an array that had been filtered and therefore could
have holes within, including as position 0 which would then be
accessed.
Also added cs language to internal map
Related to #4068
This new method batch-loads them from the database, and removes the
cache-layer with the intention that a couple of batch fetches from the
DB is more efficient than hitting the cache each time.
This changes how the editors interact with the parent page-editor
compontent, which handles auto-saving.
Instead of blasting the full editor content upon any change to that
parent compontent, the editors just alert of a change, without the
content. The parent compontent then requests the editor content from the
editor component when it needs that data for an autosave.
For #3981
Replaced the existing xpath-heavy system with a more manual traversal
approach. Fixes following slow areas of old system:
- Old system would repeat ID-setting action for elements (Headers could
be processed up to three times).
- Old system had a few very open xpath queries for headers.
- Old system would update links on every ID change, which triggers it's
own xpath query for links, leading to exponential scaling issues.
New system only does one xpath query for links when changes are needed.
Added test to cover.
For #3932
Added test to cover.
Did attempt a 64k limit, but values over 2k significantly increase
chance of other issues since this URL may be used in redirect headers.
Would rather catch issues in-app.
For #4044
This is to encourge the ":count" values to be used instead of 1s in the
translated variants so that non-pluralised languages are hardcoded with
"1"s in their content, even when not used in a singular context.
For #4040
Altered & updated permissions repo, and existing connected
RoleController to suit.
Also extracts in-app success notifications to auto activity system.
Tweaked tests where required.
Parallel testing paratest library caused issues due to a single version
not being compatibile across our php range. Removed for now as not
really worth the faff to get compatible.
Added use of more accessible tags to create tabbed-interfaces then
updated css and JS to require use of those attributes rather than custom
techniques.
Updated relevant parts of app.
Some custom parts using their own tabs though, something to improve in
future.
- Removed having sort items in tabbing order since they have no action.
- Updated "show other books" list to add upon single selection since it
was not clear how these were added (double press) without then seeing
the add button, and even then the add button would be after the scroll
list.
- Fixes multi-select functionality.
- Updated other books to be sticky.
- Added some general intro/desc text.
- Updated sort boxes to be collapsible.
- Cleaned up other books styling.
Prevented interferance with the user's action if they interacted with
something below the tags, since a new row would be added on blur and
hence shift down positions.
For #3931
Failure of loading drawings will now close the drawing view and show an
error message, hinting at file or permission issues, instead of leaving
the user facing a continuosly loading interface.
Adds test to cover.
This also updates errors from our HTTP service to be wrapped in a custom
error type for better identification and so the error is an actual
javascript error. Should be object compatible.
Related to #3955.
Had misalignment between query and usercan, The nuance between fallback
and entity-role permissions was not taken into account by the query
system. Now added with new test cases to cover.
Is a tweak upon the existing approach, mainly to store and query role
permission access in a way that allows muli-level states that may
override eachother. These states are represented in the new PermissionStatus
class.
This also simplifies how own permissions are stored and queried, to be
part of a single column.
Ported non-compatible elements, Now all tests passing apart from some
specific permission scenario tests which are probably correctly failing.
Updates some tests to better avoid messing environment state.
Updated language system to only use initial part of locale for
translation pluralisation to better match the hard-coded logic of the
built-in MessageSelector. Extends and overrides Laravel's default for
this system.
Added test to cover.
Related to #3976.
User roles would only be actioned if they existed in the form request,
hence removal of all roles would have no data to action upon.
This adds a placeholder 0-id role to ensure there is always role data to
send, even when no roles are selected. This field value is latter
filtered out.
Added test to cover.
Likely related to #3922.
Forces browser colorscheme based on BookStack color scheme, via
'color-scheme' css property.
Sets proper dark mode colors for some previously missed areas like
templates and attachment control buttons.
Also fixed search bar icon position for some search inputs.
Now assume, based on OIDC discovery spec, that keys without 'use' are
'sig' keys. Should not affect existing use-cases since existance of such
keys would have throw exceptions in prev. versions of bookstack.
For #3869
Old system was hard to track in terms of usage and it's application of
'components' properties directly to elements was shoddy.
This routes usage via the components service, with element-specific
component usage tracked via a local weakmap.
Updated existing found usages to use the new system.
- Updates old components to newer format, removes legacy component
support.
- Makes component registration easier and less duplicated.
- Adds base component class to extend for better editor support.
- Aligns global window exposure usage and aligns with other service
names.
To avoid non-user GET requests (Such as those from email scanners)
auto-triggering the confirm submission. Made auto-submit the form via
JavaScript in this extra added step with user-link backup to keep
existing user flow experience.
Closes#3797
Changes their endpoints and remove the user id from the URLs.
Simplifies list changes to share a single endpoint, which aligns it to
the behaviour of the existing sort preference endpoint.
Also added test to ensure user preferences are deleted on user delete.
Somehow I accidentally deleted previous line 143 in this commit:
3839bf6bf1
which would then break permission generation for content related to, or
containing, chapters in the recycle bin.
Found via user report (subz) & debugging in discord.
- Fixed inheriting control for new system.
- Tested copying shelf permissions to books.
- Added additional handling for inheriting scenario identification.
Also updates show roles on permission view to just those with
permissions applied.
Fixes rounded borders for lone permission rows.
Moves "Everyone Else" handling from role to new class.
Simplifies structure and limits content count, while allowing direct
mapping of new UI intent, where we may have entries with no permissions.
Not yet updated app logic to suit.
Tested via migrating and rolling-back, then comparing export data,
across a set of custom permission entries.
Nothing on back-end logic done to hook this new option up.
Addition of permissions for role_id=0 works out of the box, but active
"everyone else" permissions, with no priviliges, is currently not
working. Needs change of permission gen logic also.
Created a generic list formatting helper class for this, to align with
logic used on the search results endpoint and for easier future re-use
in a standardised way.
Also updated some class property types.
Added test to cover new books-contents results.
Related to #3734
Updates book drag handling to be limited to the handle so scrolling can
be done on the items themselves.
Increased handling area and improved styling to support
- Aligned prefix-type filtering with back-end.
- Increased suggestion search cut-off from 3 to 4.
- Increased amount of suggestions shown.
- Ordered suggestions to be name asc, as you'd expect on search.
- Updated front-end filtering to use full search query, instead of
truncated version, for further front-end filtering capability.
Related to #3720
Updated license copyright line to better help it be detected as MIT by
automatic license systems (Such as GitHub license detection) while
removing contributors link which would not actually list all
contributors.
Also added year range back in to be more specific about active lifetime.
Removed old pagination provider as url handling now achieved in a better
way.
Removed unused broadcast service provider.
Moved view-based tweaks into specific provider.
Reorganised provider config list.
Moved testing content out of AppServiceProvider, to a testing-specific
service provider. Updated docs and added composer commands to support
parallel testing.
Also reverted unintentional change to wysiwyg/config.js.
Brings app auth controller handling aligned within the app, rather than
having many overrides of the framwork packages causing confusion and
messiness over time.
Extracted much of the language and locale work to a seperate, focused class.
Updated php set_locale usage to prioritise UTF8 usage.
Added locale options for windows.
Clarified what's a locale and a bookstack language string.
For #3590 and maybe #3650
Caused by changes to page repo in reference work,
This adds back in the slug generate although at a more central place.
Adds a test case to cover the problematic scenario.
Explained the content-types accepted by BookStack.
Made it clear that 'Content-Type' is expected on requests.
Added example to shown how to achieve more complex formats using
non-json requests.
Also added link to api-scripts repo.
Related to #3666 and #3652
Not totally happy with implementation as is requires extra service to be
injected to core controllers, but does the job.
Included test to cover.
Updated some controller properties to be typed while there.
Updated revision listing to only fetch required fields, massively
reducing memory usage by not loading content.
This also updates user avatar handling to effectively cache the avatar
url within request to avoid re-searching from cache, which may improve
performance of others areas of the application.
This also upates handling of the revisions list view to extract table
row to its own view to break things down a bit.
For #3633
To help prevent against empty areas during inital empty-cache loads.
This delays the original layout update a little to give time for the
layout to render as expected.
For #3637
Added additional exceptions to prevent such cases in the future, so
that they are caught in dev ideally.
Added test case specifically for reported favourite scenario.
Is generally aligned with out SAML2 group sync functionality, but for
OIDC based upon feedback in #3004.
Neeeded the tangental addition of being able to define custom scopes on
the initial auth request as some systems use this to provide additional
id token claims such as groups.
Includes tests to cover.
Tested live using Okta.
The tinymce event system would not pick up the focus within the loaded
draw.io instance, after the drawing toolbar button was clicked, hence
the toolbar would hang around.
This adds a hack to dispatch a mousedown event on the body to get the
toolbar to hide.
For #3597
- Split bash from shell in language list
- Updated code-lang highlighting to be exact match only to prevent
confusion scenarios (Java matching JavaScript, etc..)
- Added design for favorites
- Changed blade language list to be generated from array.
- Added ability to search books list (Local simple text match).
- Added handles, hover-states and cursor states for better user
interaction and clearer use of drag & drop.
- Improved styles for dark mode.
- Converted shelf sort component to newer component format.
- Modernized shelf controller code a little.
Related to #3266
- Added workaround for new 'srcdoc' usage that's breaking content in
Firefox, added new 'custom-changes.md' file to document for future.
- Updated old usages of 'new' when creating nodes.
- Tested and changed logic, where required, where 'editor.dom.select'
has been used to replace the old '$' usages.
- Fixed bad boolean value being passed to 'setActive' in task list
logic.
Both caught in tests:
Fixed loss of permissions for admin users when entity restrictions were
active, since there are no entity-restrictions for the admin role but
we'd force generate them in joint permissions, which would be queried.
Fixed new role permission checks when permissions given with only the
action (eg. 'view'), since the type prefix would be required for role
permission checks. Was previously not needed as only the simpler form
was used in the jointpermissions after merge & calculation.
Cleaned up PermissionApplicator to remove old cache system which was
hardly ever actuall caching anything since it was reset after each
public method run.
Changed the scope of 'userCanOnAny' to just check entity permissions,
and added protections of action scope creep, in case a role permission
action was passed by mistake.
Updated ajax search and entity selector usage to display and handle
items that the user does not have permission to interact with.
Started logic changes to not allow permission type to be passed around,
with views instead being the fixed sole permission.
Ran a quick app run-thorugh in FireFox & Chrome, No secondary affects
immediately noticed but possible this could cause changes elsewhere due
to wide-spread grid item child targeting.
For #3523
For PR #3406
- Updated naming from 'redirect' to 'initate/initation'.
- Updated phpunit.xml and .env.example.complete files with the new
option.
- Cleaned up controller logic a bit.
- Added content and design to the new initation view to not leave user
on a blank view for a while.
- Added non-JS button to initiation view as fallback option for
progression.
- Moved new test to it's own Test class and expanded with additional
scenario tests for better functionality coverage.
TinyMCE was adding attributes to <br> elements within code blocks which
would then not be converted to newlines by our code regex match.
This changes the conversion to use dom querying instead.
Fixes#3507
Linebreaks would previously essentially be removed during index and
hence joined to adjacent words, breaking prefix matching.
Added test to cover.
For #3508
- Also extracted shelf to book view elements to own partial.
- Fixed some existing logic including image param handling in update
request and activity logging against correct element.
- Updates book/shelf cover image handling for easier cloning/handling.
- Adds core logic for promoting books/chapters up a level.
- Enables usage of book/shelf cover image via API.
Related to #1087
Moved export templates elements into their own folder for better
grouping of logical usage.
Within the base export template, added some body classes to allow easier
targeted customisation via custom head css.
Split content of export templates into smaller partials for easier
future customization.
Closes#3443
Uses vdom system to diff and update the current markdown preview view
instead of requiring a full HTML replace change.
This should provide better performance, expecially where dynamically
loaded content such as iframes were in use.
Closes#3454
Now uses the previously timestamp gen name as a backup to the original
name. Aligns with the image manager upload which uses the original name
where given.
Closes#3470
- Allows easier accessibility of inline attachments.
- Introduces a new split-icon-list-item thingy to support such cases
where only part of the button is actually linked.
- Now has a hover state to match other items.
- Now spans the full sidebar with like other items.
- Also updated chapter-toggle to a chapter-contents component, following
the newer component system.
- Improves animation smoothness
- Changed animation slideup/down animations to use max-height instead of height
to better avoid jutter at the end.
- Cleaned spacing to match page items in books listing.
Was reporting wrong due to use of old polymorphic namespace references.
Test was not picking up as assertElementContains had wider scope than
expected, looking within the HTML of the element instead of the text
which you might expect. Updated test helper to look at text instead.
Specifically updates dropdown search and user-search implementation,
although does affect all inputs.
Decouples breadcrum and select-style dropdown search toggles.
Addresses #2678
Would cause effect where scroll area would be cut of by spacing which
looked a bit strange. This retains the same padding sizes but cuts the
content at the header or top of viewport.
Animates the height on breadcrumb dropdown menus to transition to the
loaded animations quicker. Includes a new animation helper for doing
similar tasks in future.
Loading animation would show in an unready state due to animation-delay
on components. Updated to a negative delay to ensure elements were in
correct positions right away upon show.
- Removed harsh theme color border between search and content.
- Prevented intermediate focus on list container to align arrow & tab
behaviour, and to get to content quicker.
- Removed border and rounded list item styles to make hover states have
less edge detail and to align with other UI elements.
- In expanded-detail view, removed space used for entity description if
there is not description content existing.
- Removed background track line since it would darken entity item bars.
- Updated item spacing to be a bit tighter.
- Updated action hover styles to be a bit lighter, and visible on dark
mode, to fit rest of system.
- Tweaked styling to add a little extra shadow and be more rounded to
match other UI areas.
- Added slight horizontal inset when in right sidebar to prevent shadow
being cut-off in most cases.
- Added logic to "drop upwards" if dropping down would take the menu
offscreen.
Updated default value for APP_URL so that the startsWith call is not
passed null, since that causes deprecation notice in PHP8.1.
Would show when APP_URL was not set, adding extra confusiion.
Dumping details that were binary, such as the jpegphoto data, would
cause the dump to fail on the encoding to JSON.
This change forces content to be UTF8 before dumping.
Updated existing test to cover.
Closes#3396
Call to `ob_end_clean` would error if the environment did not use the
PHP `output_buffering` option. This adds an additional check and updates
the comment to be more specific to the exact scenario of the condition.
Tested with output_buffering=Off and output_buffering=4096
Closes#3415
Made the following changes, many of these are just to align with
existing conventions.
- Updated urls to be hypenated, instead of underscored, to match other system endpoints.
- Updated URL parameter to be `deletionId` instead of `id`, and removed the ID-based comment on controller methods, so the required ID model is clear from the URL alone, since its not clear from the URL endpoint alone like existing endpoints. This follows the pattern used in the "web" routes.
- Added extra detail on some controller method comments, and copied permission comment to each method.
- Removed existing field visibility mechanisms to use simpler model-based visibility since we didn't need anything too special here (After some of my other changes).
- Allowed the "deletable" model to be shown in response to provide a little more detail on the main deleted item.
- Updated parent/child-count loading to be on the "deletable" model instead of additional properties which results in simpler controller logic and enforces the idea these are relations on the deletable, not the deletion itself. It also removes additional exposure of model namespacing.
- Updated (int) casts to intval, just since that's our most common conversion method in the codebase.
- Testing: Removed `actingAsAuthorizedUser` and used the admin user instead to prevent extra auth steps on each test.
- Testing: Cut logic/data-checks from tests if already covered by other tests.
- Testing: Added simple assertions for delete/restore response data.
- Examples: Updated list example to reflect changes.
Review of PR #3377
To be followed up with changes to polymorphic relations to hide
namespacing.
- Updated all dropdown list item actions into three specific styles:
icon-item, text-item & label-item. Allows a stronger structure while
prevents mixing of styles as we were getting for header dropdown in
dark mode.
- Extracted out page editor top toolbar to its own view file & split
editor switch options to different markdown options.
Extracted page editor view data gathering to its own class for
alignment. Updated the data used in views as part of the process to use
view-specific variables instead of custom attributes added to models.
Also moved tinymce library loading so it's not loaded when not using the
wysiwyg editor.
Allows us to use NodeJS code for file/directory locating to not be
shell/os specific, while also also reducing duplicated complexity within
packages.json file.
Related to #3323
Decided it's relevant to entity updated_at since tags are now indexed
alongside content.
- Also fixed tags not applied on shelf.
- Also enforced proper page API update validation.
- Adds tests to cover.
For #3319Fixes#3370
- Added testing check to buffer stop/clear on streaming output due to
interference during tests.
- Made content-disposition header a little safer in download responses.
- Also aligned how we check for testing environment.
Fixes hitting memory limits where downloaded file sizes are much greater
than memory limit. Stopping and flushing output buffer seemed to stop
limits causing issues when fpassthru is used.
Tested with 24M memory limit and 734M file
This allows download of attachments that are larger than current memory
limits, since we're not loading the entire file into memory any more.
For inline file responses, we take a 1kb portion of the file to sniff
before to check mime before we proceed.
This updates the custom Request handler to provide only the scheme and
host on the `getSchemeAndHttpHost` call, instead of providing the whole
APP_URL value, while adding an override to the 'getBaseUrl' to use the
APP_URL content instead of the guessed/detected Symfony value.
Untested apart from simple local setup.
Related to #2765
- Fixed issue where redirect for `/settings` view would not be ran
through base url generator so would not create a correct path in some
cases. Now routed through controller with normal redirect.
- Fixed custom head content being active on settings pages due to route
name changes, for when viewing settings, in last release.
Fixes#3356 and #3355
- Updated PhpStan PHP version option to match project.
- Applied StyleCI changes.
- Updated static to self in WebhookFormatter, following static analysis
guidance.
- Fixed mis-matched header tags.
- Split settings out to new views using a core shared layout.
- Extracted added language text to translation files.
- Updated settings routes to be dynamic to category.
- Added redirect for old primary settings route.
- Updated existing tests to cover settings route changes.
- Added tests to cover settings view.
- Improved contrast of settings links for dark mode.
Creates a new organsied formatting system for webhook data, with
interfaces for extending with custom model formatting rules.
Allows easy usage & extension of the default bookstack formatting
behaviour when customizing webhook events via theme system, and keeps
default data customizations organised.
This also makes the following webhook data changes:
- owned_by/created_by/updated_by user details are loaded for events with
Entity details. (POTENTIALLY BREAKING CHANGE).
- current_revision details are loaded for page update/create events.
Added testing to cover added model formatting rules.
For #3279 and #3218
Uses original image data to extract orientation exif to apply image
transformations before scaling and save. Manually done due to issues
with exif data loss during the existing Invervention image path.
For #1854
Sets sizes on WYSIWYG code block sections based on content lines
as an early pre-codemirror height prediction to avoid excessive
jumping in the editor.
For #3326
This filters out <br> elements within code blocks and replaces them with
newlines. The editor started using <br>'s more harshley after some
configuration changes upon upgrading tinymce, in which we standardised
on forced br tags to avoid empty elements.
For #3327
- Updated styles to better align checkboxes within page content.
- Updated functionality to use a cross-compatible property on checkbox
click within the editor.
- Configurable via 'ALLOWED_IFRAME_SOURCES' .env option.
- Also updated how CSP rules are set, with a single header being used
instead of many.
- Also applied CSP rules to HTML export outputs.
- Updated tests to cover.
For #3314
- For some reason, TinyMCE would handle empty paragraphs with a ' '
by default but this would be removed when the paragraph had an
attribute. This was fine in the old editor.
- This changes the approach to use '<br>' tags within elements
for "spaced emptiness".
- For compatbility with any existing empty paragraphs, I updated the
styles to show default height for empty paragraph sections.
- This also makes changes to help preserve encoded html tags
since they were getting converted along the journey.
Related to #3302
- Allows for easy unlinking, link preview or link editing.
- Created custom one to limit actions available.
- Performed refactoring of non-plugin toolbar editor code to extact into
its own file.
Related to #3276
- Fixed issues with new code blocks breaking or acting odd due to
misnamed contenteditable attribute.
- Helped fix issue where code blocks may show in a strage blank state
due to timing within shadow dom loading.
- Fixed some function timing issues where some functions required their
async predecessor to have finished.
Tested rather heavily in firefox and brave.
Fixes#3292
- Removed titles since they don't provide added benefit upon the labels
and would often lead to being submitted with just the placeholder
title.
- Feature request form
- Added further context to benefits field for hopefully better
responses that target the core goal.
- Added a field to ask if feature can already be achieved, to
gain an idea if the submitter has explored other options (if
existing).
- Added a field to ensure the submitter has search the issue list
before submitting.
- Added a field to ask existing BookStack usage time to understand
potential evolution of usage and/or influence of other platforms.
Fixes issue where certain errors would not show to the user
due to extra navigation jumps which lost the error message
in the process.
This simplifies and aligns exceptions with more directly
handled exception usage at the controller level.
Fixes#3264
Old branch filters did not seem to work since they are supposed to
reference the target branch, not source branch.
Instead used if statement to prevent run on crowdin branch.
Code blocks in tinymce could sometimes end up exploded into the sub
elements of the codemirror display.
This changes the strategy to render codemirror within the shadow dom of
a custom element while preserving the normal pre/code DOM structure.
Still a little instability when moving/adding code blocks within details
blocks but much harder to break things now.
- Ensures padding works across FF & Chrome, was only working on FF
before.
- Fixes sketchy editor positioning focus on FF, since tinyMCE would
add a hidden element to the bottom of the body which would remove/add
our body padding causing unstable positioning.
* New translations activities.php (Hebrew)
* New translations auth.php (Hebrew)
* New translations common.php (Hebrew)
* New translations activities.php (Hebrew)
* New translations common.php (Hebrew)
* New translations entities.php (Hebrew)
* New translations errors.php (Hebrew)
* New translations validation.php (Spanish)
- Removed old 'editor-*-update' commands to instead use the aligned
'editor::replace' command that we already have.
- Changed the way custom styles are loaded for the WYSIWYG editor so we
don't need an API call but instead scape content from the parent page
header using comments as identifiers. Added tests to ensure comments
exist and align.
- To display license info along with shortcuts.
- Extracted out plain layout from 503 error page.
- Added tests to ensure license references are as expected.
- Updated code content to get specific text selection instead of using
node-based handling which could return the whole document when
multiple top-level nodes were in selection.
- Simplified how code gets applied into the page to not be node based
but use native editor methods to replace the selection. Allows
creation from half-way through a block.
Tested on chrome+Firefox on Fedora 35.
Builds upon changes in #3246.
For #3200.
- Split everything into specific plugin/concern files to make things
more managable. Means original component file is now simple and much
of the core config is focused in one place.
- Required extracting logic into repo.
- Changed some existing creation paths to standardise behaviour.
- Added test to cover new endpoint.
- Added extra test for user delete to test migration.
- Changed how permission errors are thrown to ensure the right status
code can be reported when handled in API.
- Required changing the docs generator to handle more complex
object-style rules. Bit of a hack for some types (password).
- Extracted core update logic to repo for sharing with API.
- Moved user update language string to align with activity/logging
system.
- Added tests to cover.
- Updated routes to use new format.
- Changed how hidden fields are exposed to be more flexible to different
use-cases.
- Updated properties available on read/list results.
- Started adding testing coverage.
- Removed old unused UserRepo 'getAllUsers' function.
Related to #2701, Progression of #2734
- Added tests to cover.
- Refactored some existing testing.
- Requires password or external_auth_id to be provided. Defaults to
password.
- Randomly sets password to 32 digit random chars if external_auth_id
provided instead.
For #3222
Intended to fix positioning quirks caused by changing codemirror
instance size when you have lines that wrap and cause line height
changes. Often caused by editor toolbox expand/collapse.
This adds a debounced resize observer to refresh editor layout on size
change.
Also tweaks toolbox expand/collapse to more consistently set aria
attribute.
For #3186
Quick patch to clear the gallery display when getting the first page.
Duplication of the galler was occuring due to the mulitple upload events
loading the gallery mulitple times while only clearing the existing
gallery at the start of all refreshes.
A bit flashy in terms of user experience, as there will still be
mulitple load/clear events but fixes the duplication. Could be done more
elegently in future by communicating up image upload counts.
For #3160
Further fixes for #3120, Adds DOMPDF specific adjustments to prevent
full width linked images being cut-off as per last tweak.
This does not fix usage in smaller cases (tables) but tested on
master DOMPDF branch shows that will likely be fixed in next DOMPDF
upstream release.
DOMPDF fixes would break WKHTMLTOPDF presentation so system updated
to conditionally apply styles.
Updated the getUrl method on deletions to not require any passed
params to align with usage in webhooks.
Probably better to have a proper interface but would require a wider
change.
Fixes#3154
Custom homepage usage will now be checked before any actioning
of deletion rather than potentially causing an exception acting
during the deletion.
Previously a deletion could still be created, within the recycle bin,
for the parent which may lead to the page being deleted anyway.
For #3150
- Aligned permissions control with move operations to check
delete/create permissions against old/new locations.
- Added tests to cover additional permissions scenarios.
Previous implemenations were hard to read so changing to be more
logically simplistic. Still needs further coverage in tests and
review/alignment of permissions to use.
Models are now loaded into their own map to then be used for sorting and
reporting back of changed books. Prevents akward logic ordering issues
of before where some bits of code assumed/hoped for loaded models on
abstract data structures.
New levels of permissions are now checked for items within the
sort operation. Needs testing to cover.
Adds apng sniffing when generating thumbnails with retained ratios to
serve the original image files, as we do for GIF images, to prevent
the image being resized to a static version.
Is more tricky than GIF since apng file mimes and extensions
are the same as png, we have to detect part of the file header
to sniff the type. Means we have to sniff at a later stage
than GIF since we have to load the image file data.
Made some changes to the image thubmnail caching while doing
this work to fit in with this handling.
Added test to cover.
For #3136.
Language parsing of code blocks could falter on pasted code blocks due
to the lanuage being parsed with a space which would throw an error when
used as a css class.
This adds more extensive language parsing to be safer.
Fixes#3133
- Added a user-configurable timeout option to webhooks.
- Added webhook fields for last-call/error datetime, in addition to last
error string, which are shown on webhook edit view.
Related to #3122
Was caused by max-width: 100% causing confusion when images were
inside an anchor. This change resets that property on PDF
exports allowing full width images to be shown as so
without affecting smaller sizes.
Fixes#3120
- Copies via loading in model on create view.
- Updated role views while editing to bring up to similar format as
that used for more modern app areas.
- Added tests to cover.
Related to #1123
Updated all password validation to use central password defaults
system while updating length requirements to now all match
at 8 characters minimum.
Some language text was technically correct (More than 7 characters)
but this has been updated for clarity and to prompt other translations
to be updated.
Closes#2237
Altered access & usage of the /search/users/select endpoint with the
following changes:
- Removed searching of email address to prevent email detail discovery
via hunting via search queries.
- Required the user to be logged in and have permission to manage users
or manage permissions on items in some way.
- Removed the user migration option on user delete unless they have
permission to manage users.
For #3108
Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/
Reported by @haxatron
- Renamed to "ActivityLogger" to be more focused in usage.
- Extracted out query elements to seperate "ActivityQueries" class.
- Removed old 'addForEntity' activity method to limit activity record
points.
Allows easy direct linking and usage of the HTML preview content
we show in the UI when viewing search results.
Note: preview_html content is a rough representation only, it does not
match exactly what was matched in the database-search-operation which
finds the results.
For #3096 and #3080
Page-related items added on drafts could be visible in certain scenarios
since the applied permissions query filters would not consider
page draft visibility.
This commit alters queries on related items to apply such filtering.
Included test to cover API scenario.
Thanks to @haxatron for reporting.
- Replaced iframe elements with anchor elements wrapped in a paragraph.
- Extracted PDF generation action to seperate class for easier mocking
within testing.
- Added test to cover.
For #3077
Used upon areas we usually fade-out to provide a focused user
experience. If the user desires more contrasted we prevent this
behaviour using the prefers-contrast media query.
Related to #2634
Old command registration method was interfering with default commands,
causing only a limited subset of commands to show overall.
This change follows the method the frameworks uses when loading in from a
directory to prevent issues with run/load order.
Changed how the command registration was handled due to complications of
action order found during testing. Now the theme service will resolve
and directly register the command on the Kernel instead of them being
fetched from the ThemeService from within Kernel.
More direct, Seems to work.
Adding tabindex=0 means when pressing tab the focus goes right to the TOTP input field. When using a Password Manager this makes it easier than having to hit tab 3X to get the right focus.
Updated the back button to be a proper link instead of a reference to
the last viewed URL since it could break if the last page was the
current one (On validation for example).
Includes test to cover.
Also applied some styleCI changes.
Fixes#2834
Was done for convenience but could potentially be exploited by an
attacker using signing up via one of these routes, then forwarding
an email confirmation to another user so they unknowingly utilise
an account someone else controls.
Tweaks the flow of confirming email, and the user invite flow.
For #3050
This change means that code blocks are now included still wrapped in
their pre tags, as we do for tables and lists.
Previously the <code> inner content would be included which would lead
to a generally bad/broken presentation.
Hopefully should not be a breaking change as section include tags for
code was tricky to get to, and it was in a semi-broken state.
For #2406
Replaces the old suggestion of setting JS head 'window.uploadLimit'
variable. This new env option will be used by back-end validation and
front-end libs/logic too.
Limits already likely exist within prod environments at a PHP and
webserver level but this allows an app-level limit and centralises the
option on the BookStack side into the .env
Closes#3033
As per #3047.
Also made some SAML specific fixes:
- IDP initiated login was broken due to forced default session value.
Double checked against OneLogin lib docs that this reverted logic was fine.
- Changed how the saml login flow works to use 'withoutMiddleware' on
the route instead of hacking out the session driver. This was due to
the array driver (previously used for the hack) no longer being
considered non-persistent.
Is a little awkward, emulates a 'list' API endpoint but has unstable
paging and does not support filters/sort. This is detailed on the
endpoint though.
Made some updates to the docs system to better support parameters
and examples on GET requests.
Includes tests to cover.
For #909
Removing prefix route groups out of visual preference.
Those don't really save much and I prefer seeing the complete
paths when going down the list to better guage where I am.
Updating filters via sidebar would wipe the created_by/update_by filters
since these were not part of the sidebar filter form.
This adds them, if existing, as hidden inputs.
Includes tests to cover.
Closes#2736
Markdown content was not being stored, only the sent
HTML representation, causing the draft to show as HTML upon next edit.
Added test to cover.
Fixes#3054
- Updated page names to not be limited to a certain length.
- Added better start/end fill logic.
- Prevented <strong> tags from being counted towards the target content
length desired from the formatter.
Created a new class to manage formatting of content for search results.
Turned out to be quite a complex task. This only does the preview text
so far, not titles or tags.
Not yet tested.
This adds parsing of page content so that headers apply a boost to
scores in the search term index.
Additionally, this merges title and content terms to reduce the amount
of stored terms a little.
Includes testing to cover.
Checked over latest changes for potential SQL injection, all variable
usages are either (from trusted sourced AND case) or using
parameters/bindings to ensure it's handled at driver/lib level.
Relations now loaded during back-end query phase instead of being lazy
loaded one-by-one within views.
Reduced queries in testing from ~60 to ~20.
Need to check other areas list-item.php's "showPath" option is used to
ensure relations are properly loaded for those listings.
Adds adjustment of search term 'score' (Using in result ranking) so that
a relative 0.3 to 1.3 mulitplier is applied based upon relative
popularity within the whole database. At this point the term popularity
is still done via a prefix match against the search term.
Uses a SUM(IF(cond, a, IF(cond, a, ...))) chain to produce the scoring
result in the select query.
* New translations errors.php (Polish)
* New translations activities.php (Dutch)
* New translations auth.php (Dutch)
* New translations common.php (Dutch)
* New translations entities.php (Dutch)
* New translations auth.php (Dutch)
* New translations auth.php (Dutch)
* New translations auth.php (Dutch)
* New translations settings.php (Latvian)
- Moved out extension check to ImageService as that seems more relevant.
- Updated models to use static-style references instead of facade to align with common modern usage within the app.
- Updated custom image_extension validation rule to use shared logic in image service.
Since AzureAD graph is going away.
Tested using old AzureAD graph usage for backwards-compatbility, did not
seem to break things. Could not test with conditional access though due
to azure never enforcing it no matter what I attempted.
Fpr #3028
- Scoped padding change to just entity-list-items within the sidebar
side reduction of right-hand-padding to zero was causing other
entity-list-items, such as those in the homepage listing, would then
have no padding.
- Updated styles to use css logical properties to retain support for RTL
languages such as Arabic, where the whole interface flips around.
Related: https://css-tricks.com/css-logical-properties-and-values/
- Migrated env usages to config.
- Removed potentially unneeded config options or auto-set signed options
based upon provision of certificate.
- Aligned SP certificate env option naming with similar IDP option.
Tested via AFDS on windows server 2019. To test on other providers.
Session was being lost due to the callback POST request cookies
not being provided due to samesite=lax. This instead adds an additional
hop in the flow to route the request via a GET request so the session is
retained. SAML POST data is stored encrypted in cache via a unique ID
then pulled out straight afterwards, and restored into POST for the SAML
toolkit to validate.
Updated testing to cover.
Provides a simple bookstack focused view that does not rely on JavaScript.
Contains links to BookStack specific resources in addition to commonly
desired debug details.
Relevant to comments in 7224fbcc89.
Added test cases. Ensured they failed pre-commit.
Also tested a range of the altered endpoints manually on both local and
s3-like filesystems.
- Files within the storage/ path could be accessed via path traversal
references in content, accessed upon HTML export.
- This addresses this via two layers:
- Scoped local flysystem filesystems down to the specific image &
file folders since flysystem has built-in checking against the
escaping of the root folder.
- Added path normalization before enforcement of uploads/{images,file}
prefix to prevent traversal at a path level.
Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
- Prevents authenticated responses being visible when back button
pressed in browser.
- Previously, 'no-cache, private' was added by default by Symfony which
would have prevents proxy cache issues but this adds no-store and a
max-age option to also invalidate all caching.
Thanks to @haxatron via huntr.dev
Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/
- Removed uneeded custom refresh or logout actions for OIDC.
- Restructured how the services and guards are setup for external auth
systems. SAML2 and OIDC now directly share a lot more logic.
- Renamed any OpenId references to OIDC or OpenIdConnect
- Removed non-required CSRF excemption for OIDC
Not tested, Come to roadblock due to lack of PHP8 support in upstream
dependancies. Certificate was deemed to be non-valid on every test
attempt due to changes in PHP8.
- Made oidc config more generic to not be overly reliant on the library
based upon learnings from saml2 auth.
- Removed any settings that are redundant or not deemed required for
initial implementation.
- Reduced some methods down where not needed.
- Renamed OpenID to OIDC
- Updated .env.example.complete to align with all options and their
defaults
Related to #2169
- Added testing to cover warning cases.
- Refactored logic to be simpler and move much of the business out of
the controller.
- Added new message that's more suitable to the case this was handling.
- For detecting an outdated draft, checked the draft created_at time
instead of updated_at to better fit the scenario being checked.
- Updated some method types to align with those potentially being used
in the logic of the code.
- Added a cache of shown messages on the front-end to prevent them
re-showing on every save during the session, even if dismissed.
Review of #2935
- Removed from .env files and added warnings for use if found in config
file.
- Updated permission service to use whereColumn queries to auto-handle
use of prefixes.
Review of #2936
- Added testing to cover
- Added APP_PROXIES to .env.example.complete with details.
- Renamed migration to better align the name and to set the migration
date to fit with production deploy order.
- Removed index from IP column in migration since an index does not yet
provide any value.
- Updated table header text label.
- Prevented IP recording when in demo mode.
Done a little reorganisation while there of misplaced tests.
Moved MarkdownTest to a new PageEditorTest to avoid confusion with
other markdown elements and to align with other page tests.
* New translations auth.php (Spanish)
* New translations activities.php (Italian)
* New translations settings.php (Italian)
* New translations entities.php (Italian)
* New translations validation.php (Italian)
* New translations activities.php (Danish)
* New translations auth.php (Danish)
* New translations common.php (Danish)
* New translations settings.php (Danish)
* New translations entities.php (Danish)
* New translations auth.php (Danish)
* New translations common.php (Danish)
* New translations errors.php (Danish)
* New translations validation.php (Danish)
* New translations activities.php (Russian)
* New translations auth.php (French)
* New translations auth.php (French)
* New translations settings.php (French)
* New translations entities.php (French)
* New translations auth.php (French)
Was causing things like emjoi within script content to be somewhat
mangled. Instead we force UTF8 only parsing via XML declaration.
Added test to cover.
For #2923
Fixes a strange issue of HTML tags within script tags being malformed
when part of the HTML custom head content due to the PHP parsing we do.
DOMDocument seemed to cause this upon load.
Adding LIBXML_SCHEMA_CREATE to the ->loadHTML call seems to fix this but
not really sure why. Doesn't seem to cause further issues though.
Tested with multiple scripts and styles and comments and meta tags.
- Also added new testing class to cover.
- As part of testing, added new folder within tests to house setting
specific tests.
For #2914
In particular, That around the casing of dangerous values within
attributes. This uses some xpath translation to handle different casing
in contains searching.
Injected db instance was causing the DB connection to be
made a lot earlier than desired or required.
Swapped to a facade for now but ideally this extension of services needs
to be cleaned up with a better approach in general.
WKHTMLtoPDF provides limited control for external fetching
so that will now be disabled by default unless
ALLOW_UNTRUSTED_SERVER_FETCHING=true is specifically set.
This new option will also control DOMPDF fetching.
During writing of the update notes, found that the upgrade path would be
tricky from a security point of view. If people were pending email
confirmation but had an active session, they could technically be
actively logged in after the next release.
Added middlware as an extra precaution for now.
- Numbered and bullet list margins have been made consistent
- Numbered lists margins were increase at some point to handle 3-digit
numbers, Normal bullet margins updated to match this.
- Consistent margin for sub-lists.
- System back-end markdown renderer (For pages) updated with a custom
list item renderer to apply class for to align with front-end renderer.
- This means that task list items will be consistent with the preview
and not render a number/bullet.
- Indentation styles for task list items fixed to be visually indented.
For #2854 and #2837
- Primarily moved and re-organised view files.
- Included readme within views to document the convention.
- Fixed some issues with page field select list in previous commit.
- Tweaked some route names while going through.
- Split some views out further.
Closes#2805
- Loaded book_slug as part of chapter/page queries instead of books
being loaded in afterwards.
- Removed unused page method.
- Updated some page queries to load specific attributes.
- Updated auth system for mfa to not update intended URL so that the
user is not redirected to mfa setup after eventual login.
- Added notification for users setting up MFA, after setup when
redirected back to login screen to advise that MFA setup was complete
but they need to login again.
- Updated some bits of wording to display better.
- Restructured some of the route naming to be a little more consistent.
- Moved the routes about to be more logically in one place.
- Created a new middleware to handle the auth of people that should be
allowed access to mfa setup routes, since these could be used by
existing logged in users or by people needing to setup MFA on access.
- Added testing to cover MFA setup required flow.
- Added TTL and method tracking to session last-login tracking system.
Also added testing to cover as part of this in addition to adding the
core backup code handling required.
Also added the standardised translations for switching mfa mode and
adding testing for this switching.
Also continued a bit on the MFA verification system.
Moved some MFA routes to public space using updated login service to get
the current user that is either logged in or last attempted login (With
correct creds).
Discovered some difficult edge cases:
- User image loading in header bar when using local_secure storage
- 404s showing user-specific visible content due to content listing on
404 page since user is in semi-logged in state. Maybe need to go
through and change up how logins are handled to centralise and
provide us better control at login time to prevent any auth level.
- Added new DB column for control and role updated create/update actions.
- Created new middleware as a start to actual enforcement logic.
- Added indicator to role list of whether MFA is enforced.
Trying out StyleCI as an automated easy way to ensure code style is
consistent across the PHP codebase.
PHPCS+PHPCBF was good but I wouldn't run it enough then I'd get paranoid
about running it with pending PRs. Better to let the robots stay on top
of things.
On restore, added a link to the parent deletion restore if any exists
on a cascading parent. Added a test to cover this case to ensure its shown.
Also tweaked default empty state message on recycle bin item list to align
with new column count.
Also done a little existing code cleanup including a getUrl helper on
the deletion items.
Related to #2682 & #2594
For review of meta tag additions as per PR #2393.
This commit removes any image guesswork and only uses images that have
been set by the author for the specific content.
This also adds tests to cover the expected OG tags.
- Removed ZIP system for now, until the idea can be fleshed out.
- Added testing to cover.
- Upgraded used library.
- Added custom handling for BookStack callouts.
- Added HTML cleanup to better produce output for things like code
blocks.
description:Create a report to help us fix bugs & issues in existing supported functionality
labels:[":bug: Bug"]
body:
- type:markdown
attributes:
value:|
Thanks for taking the time to fill out a bug report!
Please note that this form is for reporting bugs in existing supported functionality.
If you are reporting something that's not an issue in functionality we've previously supported and/or is simply something different to your expectations, then it may be more appropriate to raise via a feature or support request instead.
- type:textarea
id:description
attributes:
label:Describe the Bug
description:Provide a clear and concise description of what the bug is.
validations:
required:true
- type:textarea
id:reproduction
attributes:
label:Steps to Reproduce
description:Detail the steps that would replicate this issue.
placeholder:|
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
validations:
required:true
- type:textarea
id:expected
attributes:
label:Expected Behaviour
description:Provide clear and concise description of what you expected to happen.
validations:
required:true
- type:textarea
id:context
attributes:
label:Screenshots or Additional Context
description:Provide any additional context and screenshots here to help us solve this issue.
validations:
required:false
- type:input
id:browserdetails
attributes:
label:Browser Details
description:|
If this is an issue that occurs when using the BookStack interface, please provide details of the browser used which presents the reported issue.
placeholder:(eg. Firefox 97 (64-bit) on Windows 11)
validations:
required:false
- type:input
id:bsversion
attributes:
label:Exact BookStack Version
description:This can be found in the settings view of BookStack. Please provide an exact version(s) you've tested on.
description:Request a new feature or idea to be added to BookStack
labels:[":hammer: Feature Request"]
body:
- type:textarea
id:description
attributes:
label:Describe the feature you'd like
description:Provide a clear description of the feature you'd like implemented in BookStack
validations:
required:true
- type:textarea
id:benefits
attributes:
label:Describe the benefits this would bring to existing BookStack users
description:|
Explain the measurable benefits this feature would achieve for existing BookStack users.
These benefits should details outcomes in terms of what this request solves/achieves, and should not be specific to implementation.
This helps us understand the core desired goal so that a variety of potential implementations could be explored.
This field is important. Lack if input here may lead to early issue closure.
validations:
required:true
- type:textarea
id:already_achieved
attributes:
label:Can the goal of this request already be achieved via other means?
description:|
Yes/No. If yes, please describe how the requested approach fits in with the existing method.
validations:
required:true
- type:checkboxes
id:confirm-search
attributes:
label:Have you searched for an existing open/closed issue?
description:|
To help us keep these issues under control, please ensure you have first [searched our issue list](https://github.com/BookStackApp/BookStack/issues?q=is%3Aissue) for any existing issues that cover the fundamental benefit/goal of your request.
options:
- label:I have searched for existing issues and none cover my fundamental request
required:true
- type:dropdown
id:existing_usage
attributes:
label:How long have you been using BookStack?
options:
- Not using yet, just scoping
- Under 3 months
- 3months to 1 year
- 1to 5 years
- Over 5 years
validations:
required:true
- type:textarea
id:context
attributes:
label:Additional context
description:Add any other context or screenshots about the feature request here.
about: Request a new language to be added to Crowdin for you to translate
---
### Language To Add
_Specify here the language you want to add._
----
_This issue template is to request a new language be added to our [Crowdin translation management project](https://crowdin.com/project/bookstack). Please don't use this template to request a new language that you are not prepared to provide translations for._
description:Request a new language to be added to Crowdin for you to translate
labels:[":earth_africa: Translations"]
assignees:
- ssddanbrown
body:
- type:markdown
attributes:
value:|
Thanks for offering to help start a new translation for BookStack!
- type:input
id:language
attributes:
label:Language to Add
description:What language (and region if applicable) are you offering to help add to BookStack?
validations:
required:true
- type:checkboxes
id:confirm
attributes:
label:Confirmation of Intent
description:|
This issue template is to request a new language be added to our [Crowdin translation management project](https://crowdin.com/project/bookstack).
Please don't use this template to request a new language that you are not prepared to provide translations for.
options:
- label:I confirm I'm offering to help translate for this new language via Crowdin.
required:true
- type:markdown
attributes:
value:|
*__Note: New languages are added at specific points of the development process so it may be a small while before the requested language is added for translation.__*
description:Request support for a specific problem you have not been able to solve yourself
labels:[":dog2: Support"]
body:
- type:checkboxes
id:useddocs
attributes:
label:Attempted Debugging
description:|
I have read the [BookStack debugging](https://www.bookstackapp.com/docs/admin/debugging/) page and seeked resolution or more
detail for the issue.
options:
- label:I have read the debugging page
required:true
- type:checkboxes
id:searchissue
attributes:
label:Searched GitHub Issues
description:|
I have searched for the issue and potential resolutions within the [project's GitHub issue list](https://github.com/BookStackApp/BookStack/issues)
options:
- label:I have searched GitHub for the issue.
required:true
- type:textarea
id:scenario
attributes:
label:Describe the Scenario
description:Detail the problem that you're having or what you need support with.
validations:
required:true
- type:input
id:bsversion
attributes:
label:Exact BookStack Version
description:This can be found in the settings view of BookStack. Please provide an exact version.
placeholder:(eg. v23.06.7)
validations:
required:true
- type:textarea
id:logs
attributes:
label:Log Content
description:If the issue has produced an error, provide any [BookStack or server log](https://www.bookstackapp.com/docs/admin/debugging/) content below.
placeholder:Be sure to remove any confidential details in your logs
validations:
required:false
- type:textarea
id:hosting
attributes:
label:Hosting Environment
description:Describe your hosting environment as much as possible including any proxies used (If applicable).
placeholder:(eg. PHP8.1 on Ubuntu 22.04 VPS, installed using official installation script)
Only the [latest version](https://github.com/BookStackApp/BookStack/releases) of BookStack is supported.
We generally don't support older versions of BookStack due to maintenance effort and
since we aim to provide a fairly stable upgrade path for new versions.
## Security Notifications
If you'd like to be notified of new potential security concerns you can [sign-up to the BookStack security mailing list](https://updates.bookstackapp.com/signup/bookstack-security-updates).
## Reporting a Vulnerability
If you've found an issue that likely has no impact to existing users (For example, in a development-only branch)
feel free to raise it via a standard GitHub bug report issue.
If the issue could have a security impact to BookStack instances,
please directly contact the lead maintainer [@ssddanbrown](https://github.com/ssddanbrown).
You will need to log in to be able to see the email address on the [GitHub profile page](https://github.com/ssddanbrown).
Alternatively you can send a DM via Mastodon to [@danb@fosstodon.org](https://fosstodon.org/@danb).
Please be patient while the vulnerability is being reviewed. Deploying the fix to address the vulnerability
can often take a little time due to the amount of preparation required, to ensure the vulnerability has
been covered, and to create the content required to adequately notify the user-base.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
