- 07 Dec, 2020 1 commit
A seldom used (and undocumented) feature to transfer a session via the GET parameter FE_SESSION_KEY is removed in favor of custom authentication services when integrating third-party Single-Sign-On processes.

Resolves: #93002
Releases: master
Change-Id: I8418bdf36ce3dd2ab63edb9a77f2db59beeaac43
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67035
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
- 05 Dec, 2020 1 commit
Benni Mack authored

The related HTTP no-cache headers (e.g. when a user is logged in) are now only set via PSR-15 middlewares (already in place for Backend Users, but now added for Frontend Users / Sessions as well), but not directly emitted via "header()" functions anymore.

The next steps for having autonomous tests are:
* Do not send cookies directly anymore
* Double-check backend login cookies and
* Check for ImmediateResponse / HttpUtility::redirect() methods
* Evaluate the HTTP headers emitted inside the Installer.

Resolves: #92997
Releases: master
Change-Id: I7f1e9826b3d61977cb24e4622e0888e301b807e3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67001
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
- 19 Oct, 2020 1 commit
In previous TYPO3 versions (due to historic reasons) the frontend groups were always resolved within TSFE when a page and the rootline was resolved.

However, this left the actual Frontend User, which is initialized at the very beginning of a frontend request, in an incomplete state: A user was (correctly) found and "logged in", but the groups were resolved at a later point. This was due to the fact that the Admin Panel allowed to "include hidden records" which also considered fe_groups, and thus be set later-on.

This change now moved the resolving of the groups (and setting the right frontend.user aspect) right after the user resolving.

This means that the groups are now available much earlier, and not bound to the TSFE instance anymore, allowing to use Middlewares much more professionally without depending on TSFE for custom Routing / APIs.

Future options: It would even be possible to filter out PageRouter pages that are not available, which would make the Router itself faster.

Resolves: #92562
Releases: master
Change-Id: Ia522697433049b0e549f3c65caf6757053ff37e1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66066
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
- 08 Jun, 2020 1 commit
Direct hash comparison is replaced by cryptographic-safe `hash_equals`.

Changes in this patch set basically don't have much impact regarding security aspects. This is a preparation for starting with RIPS scanner.

Resolves: #91565
Releases: master, 10.4, 9.5
Change-Id: I5666e586b6b6b462f7864a597139763fd2cd2f98
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64668
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
- 04 Jun, 2020 1 commit
Benni Mack authored

Common URLs like typo3.org, tools.ietf.org or php.net are nowadays available as HTTPS, however some places in TYPO3 still use http:// as reference.

This should be streamlined to resemble https:// everywhere.

Resolves: #91581
Releases: master, 10.4
Change-Id: I76b5211f7e14cab0c6d190059d2be761bc664b53
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64733
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Björn Jacob <bjoern.jacob@tritum.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Björn Jacob <bjoern.jacob@tritum.de>
Reviewed-by: Benni Mack <benni@typo3.org>
- 15 Apr, 2020 1 commit
With this patch, the header comment of php files is automatically added by the php-cs-fixer, which guarantees that its format and place of occurrence remain the same in all files.

Files that are copied over from other projects are excluded. Furthermore, files that are kind of inspired by other projects also get the same header comment but may have a second, additional comment explaining its origin.

Used command:
bin/php-cs-fixer fix --config=Build/php-cs-fixer/header-comment.php

Releases: master
Resolves: #91024
Change-Id: I5a040517e0fbde6e5a27d589bf2f222078326dc8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64159
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>
- 14 Apr, 2020 1 commit
This change adds two changes

'blank_line_after_opening_tag' => true,
'single_trait_insert_per_statement' => true,

to our PHP-CS Fixer configuration, adopting more rules related to PSR-12.

Resolves: #91020
Releases: master
Change-Id: I180b2cbceb077911bddeb42d9f131e5b32244ed2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64158
Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
- 13 Apr, 2020 1 commit
As a preparation to be compatible with PSR-12, all spaces in strict type declarations are removed.

Releases: master
Resolves: #91009
Change-Id: I2b7c2fda42b44168b5c4c6b21711eede2eadaf2e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62104
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
- 30 Dec, 2019 1 commit
php bin/rector process

A couple of rectors have been disabled due to different reasons:

- Rector\Php71\Rector\FuncCall\CountOnNullRector
  This rector has been disabled as it creates rather long and complex structures to avoid calling count on null. This rector will be enabled as soon as TYPO3 uses at least PHP 7.3 which introduces a "is_countable" method.

- Rector\Php71\Rector\Assign\AssignArrayToStringRector
  This rector has been disabled as it does not work properly. The default types of parameters have been changed although their types could properly be inferred by a doc block or by value assignments.

- Rector\Php71\Rector\BinaryOp\BinaryOpBetweenNumberAndStringRector
  This rector has been disabled as it does not work properly. A bug report is filed and to be found here: https://github.com/rectorphp/rector/issues/2454

- Rector\Php71\Rector\FuncCall\RemoveExtraParametersRector
  This rector has been disabled as it does not work properly. It removed arguments in tests, especially when using prophecies.

Releases: master
Resolves: #90002
Change-Id: I6ed14d38cc697a23104286db57535d6a3c0dbf62
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62751
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
- 06 Aug, 2019 1 commit
Use constructor injection for middleware dependencies, moving away from GeneralUtility::makeInstance based Singleton lookup.

Dependencies which are already configured to be optionally injectable via constructor arguments (e.g. for unit tests) are changed to be required constructor arguments. Since the introduction of symfony dependency injection the fallback to GeneralUtility::makeInstance is no longer used – therefore it is dropped.

Releases: master
Resolves: #88800
Change-Id: I6dbec2f91fc78c1b06dd179323fb7a4810c13baa
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61322
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
- 13 Jul, 2019 1 commit
This patch re-arranges the TYPO3 Core internally used middlewares for lifting off the weight of $GLOBALS['TSFE'] as Site Handling already introduced a lot of functionality which can now be utilized further.

For this reason, the Frontend Rendering chain has been adapted.

* If there is a "Site" + "Language" resolved, this information can be used directly, as there are no dependencies currently.
* Frontend + Backend User Authentication works regardless of TSFE, Frontend User is added to the Request object as attribute to be added to TSFE later-on.
* Resolving the Page ("slug") and mapping them to Page Arguments (URL parts + GET parameters) as well as validation against cHash is fully decoupled from TSFE.

After that, TSFE is instantiated, which now gets all resolved objects injected. TSFE now only resolves the rootline against the proper permissions (auth) and validates the final page.

Once done, TypoScript is compiled / cached.

TSFE still contains the rootline, TypoScript, and the information about which non-cacheables are there.

RequestHandler creates or fetches cached content, but currently piped through TSFE. This should be simplified further later-on.

Resolves: #88717
Releases: master
Change-Id: I12807455fd8b01493b2da45cf73a5c532b108cbe
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61155
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
- 13 Jun, 2019 1 commit
For further TSFE-related changes, the frontend request workflow now stores user-/session-related information in the middleware.

This is a first step in order to reduce the dependencies of TSFE + FrontendUserAuthentication.

This patch is breaking as certain hooks (like EOFE) do not have session data stored anymore.

Related: #88540
Resolves: #88541
Releases: master
Change-Id: I1e9a66b759d6edfd4c0e5a8ede02aa7a73b65b0f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60939
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
- 07 Feb, 2019 1 commit
All PSR-15 middlewares now do not set the $GLOBALS['TYPO3_REQUEST'] object anymore. Instead, the RequestHandlers are using them for all other logic (e.g. GP etc) where the request object or any other attribute has not been handed in yet.

It is now safe to say that PSR-7 request/response objects have to be used within middlewares to access or manipulate GET/POST data.

Also, the safety net for overriding GET/POST again is still in place for FE (data = GP:id) in order for existing TypoScript to work still, until all other code gets global-free.

There are still places in TYPO3 Core where $TYPO3_REQUEST is necessary (TypoScriptConditionMatcher, Error Handling) which are added accordingly.

Resolves: #87661
Releases: master
Change-Id: Ibe499b6fda86ccd3abefcb3c8be294a7cb765d74
Reviewed-on: https://review.typo3.org/59490
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
- 07 Jan, 2019 1 commit
Due to testing framework refactoring, the 2 leftover hooks in Frontend middlewares can now be removed:

$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/class.tslib_fe.php']['initFEuser']
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/index_ts.php']['postBeUser']

Thus, Frontend Middleware stack is now free of hooks.

Resolves: #87357
Releases: master
Change-Id: I076d9f4aa556f4ba111196449eee6449ba8036db
Reviewed-on: https://review.typo3.org/59364
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
- 17 Sep, 2018 1 commit
Benni Mack authored

With PSR-15 it is not necessary to use any custom hooks during the frontend request setup process anymore, as middlewares are flexible enough to manipulate anything people want to do.

On top, various middlewares are also declared internal as the usages are not really necessary to be publicly exposed.

- typo3/cms-core/normalized-params-attribute
- typo3/cms-backend/legacy-document-template
- typo3/cms-backend/output-compression
- typo3/cms-backend/response-headers
- typo3/cms-frontend/timetracker
- typo3/cms-frontend/preprocessing
- typo3/cms-frontend/eid
- typo3/cms-frontend/content-length-headers
- typo3/cms-frontend/tsfe
- typo3/cms-frontend/output-compression
- typo3/cms-frontend/prepare-tsfe-rendering
- typo3/cms-frontend/shortcut-and-mountpoint-redirect

Resolves: #86279
Releases: master
Change-Id: I14fbd7b026acdc84fb23ca43cd395de5b7b9c4b6
Reviewed-on: https://review.typo3.org/58253
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
- 01 Jul, 2018 1 commit
Some usages where now-deprecated properties are used, have been adjusted.

The RST file has been enhanced to clarify when to clone the context, and when to override an aspect.

Additionally, the usage within TemplateService has been optimized to also receive an optional context object, similar to the initial patch's PageRepository approach.

Resolves: #85408
Related: #85389
Releases: master
Change-Id: I178ff07cbfe999a90bf7d5dd4f20a6170876d003
Reviewed-on: https://review.typo3.org/57396
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
- 27 Jun, 2018 1 commit
A new "Context" concept is added which allows to keep the state of common TYPO3 Request Data in form of so-called Aspects.

An aspect contains properties which can be fetched, but only the ones that are really necessary, instead of exposing a full object (e.g. BE_USER).

The main goal is to centralize some global variables distributed in various places.

In the first step the following variables are considered:
- $TSFE->showHiddenPages
- $TSFE->showHiddenRecords
- $TSFE->beUserLogin
- $TSFE->gr_list
- $TSFE->loginUser
- $GLOBALS[SIM_EXEC_TIME]
- $GLOBALS['BE_USER']->workspace

For now the Context is a singleton object, but should be fetched from a DI container. Sometimes a custom context is necessary, so it is cloned (see usage in TSFE).

The difference to the PSR-7 request attributes is that the context is ONLY related to data access (like permissions / visibility) and also independent if TYPO3 is running via HTTP or CLI (thus, can be used in CLI mode as well).

Next Steps:
- Migrate PageRepository->versioningWorkspaceId
- Migrate TSFE->simUserGroup
- Use DateTimeAspect everywhere
- Introduce Language + Page Aspects
- Introduce the context object into ContentObjectRenderer and cObjects
- Use Contexts in RestrictionContainers
- Use Contexts in TYPO3 Backend
- Decouple sys_page behaviour from TSFE where applicable
- Ensure TypoScript conditions continue to work / have a documented alternative

Resolves: #85389
Releases: master
Change-Id: I9e27e581a1632fcd8c3c6a9e0954b76b91f42c52
Reviewed-on: https://review.typo3.org/57104
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Stefan Bürk <stefan.buerk@pure-metal.de>
Tested-by: Stefan Bürk <stefan.buerk@pure-metal.de>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
- 02 Mar, 2018 1 commit
These parentheses are redundant and may be safely removed.

Resolves: #84092
Releases: master
Change-Id: I59f2b7454316ecd05f57d28e344f03a65d13e5c5
Reviewed-on: https://review.typo3.org/55952
Reviewed-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Tested-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
- 19 Feb, 2018 1 commit
The initialization of a frontend user is currently bound to TSFE, however, the only parts where TSFE is actually needed is to set the frontenduserauthentication object to $TSFE->fe_user and to call a post-processing hook, which could be dealt with through a middleware for extensions.

Further steps are to deprecate "initFEuser()" method, and to move the transferring of the user session into the FrontendUser object itself, once this is not using superglobals instead anymore.

Additional cleanups on the Authentication object will follow separately once all Middlewares and the Request object are in place.

For now, this patch aims to extract the logic and keep maximum backwards-compatibility.

Resolves: #83936
Releases: master
Change-Id: Id51b49f41336717fde4606a71ec6b2c805662b88
Reviewed-on: https://review.typo3.org/55753
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Tested-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>