Ben Thomson
11b7111413
Use old signature for `where` method in CmsObjectCollection.
...
Refs: https://github.com/octobercms/october/pull/4893#discussion_r368408407
2020-01-20 16:25:50 +08:00
Ben Thomson
9ecad139c4
Comment tweak for CmsObjectCollection::where()
2020-01-20 13:59:29 +08:00
Ben Thomson
662b1c2e45
Fix incompatible `where` method in CmsObjectCollection
...
Signature for the `where` method changes in L6, so a wrapper has been put in place.
2020-01-19 16:35:01 +08:00
Ben Thomson
5d3d4ad0b2
Merge branch 'develop' into wip/laravel-5.9
2020-01-18 21:00:40 +08:00
Samuel Georges
cbc620c3e8
Rollback for Build 462
...
This change should be revisited since it doesn't account for database-based templates which have no file path. Upon revisit, we might want to consider adding this logic in to the afterFetch() event with detection of file based mode, or even at the lower levels where the file is first extracted from the filesystem. TBA
2019-12-19 17:42:25 +11:00
Luke Towers
a51215b9b3
Revert "Added additional robots meta fields to CMS pages (#4685)" (#4832)
...
This reverts commit 8303e0dbb2. Reverts #4685. Should be implemented as a plugin instead.
2019-12-18 13:51:50 -06:00
Nick Khaetsky
8303e0dbb2
Added additional robots meta fields to CMS pages (#4685)
...
Credit to @FlusherDock1
2019-12-18 10:16:36 -06:00
Samuel Georges
7902cfa58a
Simplify security check
...
Logic in ComponentPartial was rolled back and moved to the Controller. Since there are issues with throwing exceptions inside the component partial lookup logic (exceptions are conditionally suppressed), it seems like it would be better to bubble up the security logic to the controller level as a simple base dir security check, which is no longer concerned about any suppression logic. This looks to have logic parity with the previous solution
Refs #4652
2019-12-14 12:37:44 +11:00
Tobias Kündig
80f870c313
Allow partial overrides in subfolders (#4652)
...
* Allow partial overrides in subfolders + security checker
2019-12-14 12:22:30 +11:00
Samuel Georges
260e1f503f
Rollback d31006ae1a
2019-12-10 03:12:12 +11:00
Marc Jauvin
864816f7f2
Make CMS object code editor read-only in safe mode (#4769)
...
Adds a dismissable message to the CMS object code editor indicating that the PHP code section of a CMS object cannot be edited when `cms.enableSafeMode` is `true` (or when debugging is disabled if `null`).
Credit to @mjauvin.
2019-12-09 21:05:50 +08:00
Ben Thomson
7e3136564f
Merge branch 'develop' into wip/laravel-5.9
2019-11-21 23:18:25 +08:00
Samuel Georges
8da798a5cd
Remove XSRF cookie
...
This was a contentious change and it is generally a bad idea to blanket all requests with a dependent cookie. We will try something else.
Revert enableXsrfCookies setting. Fixes UX issue introduced where the token expires. This should be replaced by a CSRF policy that determines whether this is needed on the front end.
2019-11-04 09:06:05 +11:00
Samuel Georges
c5bd5f0e0a
Apply ResponseMaker to backend AJAX and cms.page.display event
2019-11-03 08:02:28 +11:00
Samuel Georges
1df8e72e4a
Remove unused import
2019-11-02 19:42:09 +11:00
Samuel Georges
63f65a3f25
Add XSRF to backend, simplify CMS controller run() method
...
runInternal has been removed because we do not want to blanket our response logic over every single response, only the happy path. This is because it is impossible to remove. So it is better to take the inverted approach, where if you want the CMS' headers in your custom response, add them yourself. This becomes easy via the new makeResponse() method
2019-11-02 19:14:45 +11:00
Samuel Georges
ff8f899fbe
Move response common functions to ResponseMaker trait
2019-11-02 18:21:22 +11:00
Samuel Georges
b1fa45ee3a
Combine common CSRF logic to a trait
2019-11-02 15:15:18 +11:00
Samuel Georges
49d68f0671
Cookies are no longer serialized
...
Based on update to library 09e859a13e we no longer serialize cookies, so the decrypter no longer needs to apply a serialization layer
2019-11-02 14:52:00 +11:00
Luke Towers
959b85f56c
Add cms.enableXsrfCookies config value (default true) to configure whether or not the XSRF cookie is automatically sent or if CSRF tokens are solely relied on.
...
Related: https://github.com/octobercms/october/pull/4701#issuecomment-547773385 & https://github.com/laravel/framework/pull/24726
2019-10-30 08:08:54 -06:00
Luke Towers
457466c5af
Fix typehint
2019-10-29 16:33:49 -06:00
Luke Towers
eb4648972f
Ensure that the XSRF cookie can always be added to the response, no matter the source of the response
2019-10-28 13:33:07 -06:00
Luke Towers
096ccf875d
Implement suggestions from @bennothommo
2019-10-28 12:58:07 -06:00
Samuel Georges
f542ca8e90
Implement XSRF checking for AJAX handlers
...
Refs #4699
Refs #4701
2019-10-24 20:19:20 +11:00
gaabora
773f266373
Allow for URL parameter to be zero (#4657)
...
The `empty()` check previously disallowed string zeroes from being used.
Credit to @gaabora.
2019-10-08 09:04:52 +08:00
Luke Towers
d31006ae1a
Return 403 response on CSRF fail instead of silently failing
...
Also moved backend::lang.page.invalid_token.label to system::lang.page.invalid_token.label. Fixes
2019-10-06 23:21:08 -06:00
Vojta Svoboda
bafd057f8c
Optimize theme recognition (#3220)
...
Credit to @vojtasvoboda. Will avoid asking the database for the currently active theme if there is only one theme present and its code matches the code set in cms.activeTheme
2019-09-25 12:26:54 -06:00
Samuell
33d149fe1a
Replace caching of Theme config with generic YAML caching (#4526)
...
Credit to @Samuell1. Fixes issues related to complexity of the existing approach / cache invalidation by just using the caching built in to YAML::parseFile().
2019-09-25 11:36:35 -06:00
Ben Thomson
0240c21af6
Fail CSRF token checks if the session expires. (#4598)
...
Fixes #4595. Credit to @bennothommo
2019-09-04 21:33:10 -06:00
Dan Harrin
9521dd795c
Minor Formatting Corrections in Usage Comments (#4541)
...
Credit to @DanHarrin
2019-08-15 09:14:54 -06:00
Dan Harrin
4434808549
Remove theme data on theme deletion (#4529)
...
Credit to @DanHarrin. Fixes #1292.
2019-08-15 11:41:03 +08:00
Dan Harrin
967fd02d8c
Fix minor spelling errors and inconsistencies (#4543)
...
Credit to @DanHarrin.
2019-08-15 11:39:26 +08:00
RickAcb
0383af6282
Update __isset function to comply with the same checks as __get (#4514)
...
Credit to @RickAcb.
2019-08-04 19:56:15 +08:00
Ben Thomson
a59d3b83eb
Code quality clean up (#4449)
...
Credit to @bennothommo
2019-07-18 08:50:37 -06:00
Luke Towers
6f583b3920
Disable theme config cache when debug mode enabled
2019-07-08 16:25:25 -06:00
Luke Towers
1aff1e0a1e
Changed calls to the Cache to use DateTime instances instead of integers representing minutes as 5.8 changed integers into meaning seconds instead.
2019-06-12 02:33:26 -06:00
Luke Towers
46c867e4b5
Improve API docs
...
Resolves #4214
2019-06-12 00:33:30 -06:00
Sebastiaan Kloos
f921af4199
Fix menus not being displayed with database templates (#4362)
...
Credit to @SebastiaanKloos.
2019-06-06 21:05:38 +08:00
Samuel Georges
e7ec0be0c1
Merge pull request #3908 from octobercms/wip/halcyon-db-datasource
...
Database layer for the CMS objects
2019-06-01 14:28:34 +10:00
Samuel Georges
8c398e7ad5
cms_theme_contents -> cms_theme_templates
2019-06-01 12:45:29 +10:00
Samuel Georges
17cea816d8
enableDatabaseLayer -> databaseTemplates
2019-06-01 12:40:17 +10:00
Samuell
0fdd3c32cb
Properly isolate theme's config cache (#4284)
...
Fixes support for switching between themes. Credit to @Samuell1 and @w20k
2019-04-21 18:16:29 -06:00
Luke Towers
7c7ff31cd6
Return 404 when attempting to access /error directly in production
...
Replaces #2212
2019-04-19 15:29:00 -06:00
Samuell
a69455d409
Cache the theme config (#4270)
...
Fixes #4265. Credit to @Samuell1
2019-04-19 10:59:27 -06:00
Ben Thomson
28ac50ab28
Fix for models that don't yet exist
...
Credit to @bennothommo. Fixes https://github.com/octobercms/october/pull/3908#issuecomment-447291101
Co-Authored-By: LukeTowers <github@luketowers.ca>
2019-04-12 00:13:39 -06:00
Ben Thomson
ab6023f3e9
Fixed typo
...
Credit to @bennothommo
Co-Authored-By: LukeTowers <github@luketowers.ca>
2019-04-11 23:36:13 -06:00
Luke Towers
630d543959
Merge branch 'develop' into wip/halcyon-db-datasource
2019-04-11 12:30:29 -06:00
Luke Towers
c86bec7f08
Replace deprecated Twig class references, refs: #4209.
2019-03-27 13:15:17 -06:00
Luke Towers
5f78fd4df9
Initial implementation attempt for theme:sync command
2018-12-16 09:43:33 -06:00
Teranode
82a38bdfb6
Add ability to delete asset files (#3933)
...
Fixes: #3925. Credit to @Teranode
2018-11-28 11:08:39 -06:00