Helmut Hummel authored Aug 05, 2020 and Benni Mack committed Nov 17, 2020

To avoid loss of quality and spawning unnecessary imagemagick
processes, cropping and scaling of images is now done
with a single imagemagick process.

By doing so, the code for SVG processing is streamlined.
SVG processing code can further be improved later,
by putting it into a dedicated file processing task processor.

Releases: master, 10.4
Resolves: #91855
Change-Id: I3bf735e74dd46dec73431405f37616506747ccdf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65187

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Oliver Hader authored Nov 17, 2020 and Oliver Hader committed Nov 17, 2020

Instead of storing session IDs with their corresponding storage
backends in plain text, their HMAC-SHA256 (Redis) or HMAC-MD5 (DB)
is being used. HMAC-MD5 had to be chosen to avoid breaking changes
for limited field size in database fields (32 characters currently).

This change also allows a fallback to non-hashed-session values,
meaning that
* set() and update() will create new session records with the hashed
  identifier
* get() contains a fallback to the non-hashed-version when no session
  with a hashed identifier is found

Resolves: #91854
Releases: master, 10.4, 9.5
Change-Id: Ia57acc5e0d0cf71088af1aaff1ab894bd1d4e3dd
Security-Bulletin: TYPO3-CORE-SA-2020-011
Security-References: CVE-2020-26228
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66664

Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored Nov 17, 2020 and Oliver Hader committed Nov 17, 2020

* XSS in `f:be.labels.csh` in argument `label`
* XSS in `f:be.menus.actionMenu` in argument `label`
* XSS in `f:form` in argument `fieldNamePrefix`

Resolves: #92602
Releases: master, 10.4, 9.5
Change-Id: I7574bfb60eb2e11ecfb98d187f2edd580f43cd93
Security-Bulletin: TYPO3-CORE-SA-2020-010
Security-References: CVE-2020-26227
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66663

Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Markus Klein authored Oct 28, 2020 and Benni Mack committed Nov 17, 2020

The access settings is an exclude field and hence
the value is synchronized to the translation.
Fetching the translation overlay therefore does
not need to evaluate the fe_groups again.

Resolves: #91725
Releases: master, 10.4, 9.5
Change-Id: Ie6ec2208d15f67eafb6a48627c5f1b76ffdc5725
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66330

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Benni Mack authored Nov 02, 2020 and Georg Ringer committed Nov 16, 2020

With this change an undefined symbol is included when not having
AdminPanel loaded: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66218

This change aims to change the logic for checking if the preview
flag is enabled.

Resolves: #92746
Reverts: #92242
Releases: master, 10.4, 9.5
Change-Id: I1005424a86f1ced595b23938bd6dcc70ff2f00c9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66372

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Benni Mack authored Nov 10, 2020 and Christian Kuhn committed Nov 16, 2020

In order to build the group resolving more flexible, the major method
"fetchGroupData()" is now separated into a smaller chunk
as a pre-patch.

Resolves: #92814
Releases: master
Change-Id: Id688355a869948e1b4eb57f06ed23cee0e2d513c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66598

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Helmut Hummel authored Jul 29, 2020 and Georg Ringer committed Nov 14, 2020

Change the implementation of backend deferred image processing
to use a file processor, which is only but always used in the backend.

By doing so all limitations of the current implementation are resolved,
which means, width and height of the image can be set in HTML, to avoid
layout shifts and once the images are processed, they will simply
be delivered by the web server.

Inconsistencies with thumbnail ratio (depending on crop being defined
or not) are also tackled on the go.

While this changes processing configuration for some files,
which triggers a re-generation, it should not matter, as image
processing will be done in parallel on request, making such changes
viable in a bugfix release.

The introduced database field is neither used nor required for the
current implementation, but is introduced to provide a possibility for
third party processors to replace the current implementation with simple
(and persisted) URLs to third party SaaS image processing services.

Resolves: #92188
Releases: master, 10.4
Change-Id: I8d1e14324085c5b6ba646475206c8cb10a1fc10d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65237

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Creating a new record in a workspace adds two database rows.

One that is the "placeholder", which - since v10.4 - contains
the same metadata as the other record:

* t3ver_wsid = workspaceID
* t3ver_oid = 0 (simulating behavior of an "online pendant record")
* t3ver_state = 1

And the "versionized" record, identified by:

* t3ver_wsid = workspaceID
* t3ver_oid = uid of the new placeholder record
* t3ver_state = -1

As of TYPO3 v10, the first record is not needed anymore,
the versioned record can be queried directly, however, since
the relations (except MM) point to the placeholder record,
this one is kept.

As result, only one record is created from now on:

* t3ver_wsid = workspaceID
* t3ver_oid = 0 (no online counterpart)
* t3ver_state = 1

On reading, the record is queried directly (no overlay needed anymore!)
with the existing Database Doctrine Restrictions. On publishing, the
record just gets the state/stage/wsid set and is "live".

This brings fundamental benefits:

* No overlays needed when querying
* Fewer database records (placeholders are not helpful)
* Conceptual problems with placeholder and shadowed fields are removed

Resolves: #92791
Releases: master
Change-Id: I0288cc63fe72d8442d586f309bd4054ac44e829b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65587

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Benjamin Franzke authored Sep 03, 2020 and Anja Leichsenring committed Nov 11, 2020

No need to use a fully qualified namespace for
3rd party modules that are placed in TYPO3/CMS/Core/Contrib.
There are usually aliases configured in the requirejs configuration,
and if they are missing, we add them now.

This change additionally drops an unneded module declaration
for "TYPO3/CMS/Core/Contrib/imagesloaded.pkgd.min" which is
not needed when simply using "imagesloaded" as module name.

Commands used:

  grunt build

Releases: master, 10.4
Resolves: #92725
Change-Id: I6e7c02104050202d5c1a8bd0d7546a1496f5636c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65693

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Benni Mack authored Sep 03, 2020 and Georg Ringer committed Nov 10, 2020

It is recommended for <style> and <link> HTML tags
to not use the "type" attribute anymore.

Details:
* https://developer.mozilla.org/en-US/docs/Web/HTML/Element/link
* https://developer.mozilla.org/en-US/docs/Web/HTML/Element/style

The patch drops the attribute from rendering. The patch is
marked as a breaking since it changes frontend output.

Resolves: #45512
Releases: master
Change-Id: I073d7ef6c40a824755768d33fcc71c9f26090801
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65548

Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Benni Mack authored Nov 09, 2020 and Christian Kuhn committed Nov 09, 2020

One of TYPO3's major "fat" classes AbstractUserAuthentication
is now thinned out as the "email when X failed login have been
reached within a certain period of time" is moved to
a hook implementation.

AbstractUserAuthentication now does not have
- public property $warningEmail
- public property $warningPeriod
- public property $warningMax
- public method checkLogFailures()
anymore, as this functionality were only
used for this separate logic.

Resolves: #92801
Releases: master
Change-Id: Ib022af408a740bc6c5bbbb219f23e665182ae83c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66594

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The AbstractUserAuthentication property "auth_timeout_field"
was used in the past (until TYPO3 8.0) to be filled for backend purposes
with "$GLOBALS['TYPO3_CONF_VARS']['BE']['sessionTimeout']"
and for backend with the lifetime field.

This field was not properly filled since TYPO3 v8.0, see
issue #68890 for details.

As the field had a dual-use but now is unused, it is properly
removed as TYPO3 Core never implemented this on a per-userrecord-basis
but handles this via the sessionTimeout propery now.

Resolves: #92802
Related: #68890
Releases: master
Change-Id: I760b50a292b93229bbebffac08e11393fe53393f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66595

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Christian Kuhn authored Nov 03, 2020 and Benni Mack committed Nov 09, 2020

* (v10) Moving a page that exists in live within
  workspaces multiple times does not upate the pid of
  the t3ver_state=4 overlay.

* (v10, master) Moving a page that has translations
  in workspaces multiple times does not always properly
  update the pid of the translation overlay records to the
  new location.

The patch fixes both issues and adds a series of functional
tests to verify db state of these more complex / chained
scenarios.

It also marks one scenario as todo where a delete overlay
is wrongly turned into a move overlay, effectively loosing
the 'shall be deleted in live during publish' information.
This can be fixed with another patch.

Change-Id: If678440c980b8847232a6d146855025ff0091795
Resolves: #92779
Releases: master, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66452

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Andreas Fernandez authored Oct 09, 2020 and Anja Leichsenring committed Nov 04, 2020

This patch updates @typo3/icons to version 2.x delivering icon sprites.
Using icon sprites greatly improves backend performance for several
reasons:

- A single sprite file contains multiple icons which need to be loaded
  once only
- The DOM is reduced as it's not necessary to load SVG icons inline
  anymore to apply styling

Todo for a later patch:

- Replace aliases with "real" icon identifiers

Resolves: #92689
Releases: master, 10.4
Change-Id: Ib3018c4e7f5471274e10c261438792b530c77cde
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66094

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Benni Mack authored Oct 27, 2020 and Georg Ringer committed Nov 01, 2020

This is a pre-cursor for enhancing Backend Routing in general.

This change implements Symfony Routing for Backend
Routes (currently based on the "route" GET/POST argument)
internally to make use of their compiled routes later-on.

This was previously done in a simplified version where only
the path was checked against, and most Symfony features
were not in use, which we still don't use yet, but more can now
be added.

When Backend Routing was added in TYPO3 v7, the API
was heavily influenced by Symfony but we did not have
a lot of experience yet, which we benefitted in TYPO3 v9+
for Frontend Routing.

With this experience (and with PSR-15) we can gradually
move to a more streamlined and faster API.

The proposed solution still works as expected with &route
GET parameters, but opens up the door for flexible Route arguments.

Resolves: #92723
Releases: master
Change-Id: I48475fcb3cc15f99cc102dac36ae15bca9f3032e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66316

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Oliver Bartsch authored Oct 30, 2020 and Georg Ringer committed Nov 01, 2020

The DateTimeAspect which supersedes the superglobals
like $GLOBALS['EXEC_TIME'] now properly returns the
timestamp as integer.

Resolves: #92736
Releases: master
Change-Id: Ib16cc1131024bdc208526a57332bec80817e75c3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66357

Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Resolves: #92739
Related: #92735
Releases: master, 10.4, 9.5
Change-Id: I94dc49ec3ef1c55a565cecab8a4d1553099acefa
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66358

Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Susanne Moog <look@susi.dev>

Alexander Schnitzler authored May 11, 2020 and Benni Mack committed Oct 29, 2020

This patch fixes incompatible type usage in function arguments
and is preparatory work for introducing native type hints and
strict mode in all core files.

Releases: master, 10.4
Resolves: #92273
Change-Id: Ifb45f980a08efd79f5e3f288e0f20e1ac283e1f0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65664

Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Christian Kuhn authored Oct 19, 2020 and Daniel Goerz committed Oct 28, 2020

A couple of not needed assignments throughout the
core and a 'too many arguments' fix.

Resolves: #92605
Releases: master
Change-Id: I883dc2fcc12c72c525bc7a44236cac8311d96f11
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66182

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

Danilo Caccialanza authored Sep 16, 2020 and Benni Mack committed Oct 22, 2020

Consider the case you have N workspaces and some BE "advanced users"
and "limited users” having access to a workspace.

"Advanced users" have access to all workspace’s page tree and
also LIVE workspace, in this case everything works correctly.

"Limited users" have access only to a limited page tree of the workspace
and cannot access to LIVE workspace. When the user logs in, the page
tree doesn’t show up and the system indicate the following error:
"Page tree error Got unexpected response from the server.
Please check logs for details"

This patch fixes the "limited user" problem.

Resolves: #91918
Resolves: #91594
Releases: master, 10.4
Change-Id: I0029add1940504ad1d274eac4ab02ff2af69f96d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Danilo Caccialanza <supercaccia@bluewin.ch>
Tested-by: cbugada <christian.bugada@ti.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Danilo Caccialanza <supercaccia@bluewin.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

Georg Ringer authored Oct 21, 2020 and Daniel Goerz committed Oct 21, 2020

Attribute alt is not allowed on span elements.

See: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/span#Attributes

Resolves: #92632
Releases: master, 10.4
Change-Id: If4e5762cf95535130b373d4e297a28b547686702
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66223

Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Haupt <mail@danielhaupt.de>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Daniel Haupt <mail@danielhaupt.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

Oliver Bartsch authored Oct 20, 2020 and Georg Ringer committed Oct 20, 2020

Since over a decade (according to the timestamp),
GeneralUtility::uniqueList() does not allow an array as
first argument and furthermore doesn't use the second
parameter anymore. Since then, both have thrown an
`InvalidArgumentException`. Furthermore, this method
does not belong to GeneralUtility at all.

Therefore this method is now deprecated and a new one,
using proper type hints, a return type, no second argument
and a correct PHPDoc is added to StringUtility.

All usages in the core are replaced with the new method,
ensuring proper types.

Resolves: #92607
Releases: master
Change-Id: Ibca5c2c312258dfc63c74f0ff11408d11226f7b6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66190

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Georg Ringer authored Oct 19, 2020 and Daniel Goerz committed Oct 20, 2020

The method :php`\TYPO3\CMS\Core\Utility\GeneralUtility::validEmail`
is used to validate a given email address through the core
and TYPO3 extensions.

The validation can now be configured by providing the used
validators to be used in the LocalConfiguration.php or
AdditionalConfiguration.php.

Example:

   $GLOBALS['TYPO3_CONF_VARS']['MAIL']['validators'] = [
     \Egulias\EmailValidator\Validation\RFCValidation::class,
     \Egulias\EmailValidator\Validation\DNSCheckValidation::class'
   ];

The RFCValidation validator is still be used as default.

Furthermore, following validators are available:

- Egulias\EmailValidator\Validation\DNSCheckValidation
- Egulias\EmailValidator\Validation\SpoofCheckValidation
- Egulias\EmailValidator\Validation\NoRFCWarningsValidation

It is also possible to provide own validators which must implement
the Egulias\EmailValidator\Validation\EmailValidation interface.

If multiple validators are provided, each validator must return TRUE.

Resolves: #92531
Releases: master
Change-Id: I9c5a0573c2f9bff56bf869dc221a2c0ffd75417b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66179

Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

Benni Mack authored Oct 18, 2020 and Christian Kuhn committed Oct 19, 2020

In the past, the API methods:
* PageRepository->versionOL()
* BackendUtility::workspaceOL()

returned the PID of the moved record in a workspace in the field
_ORIG_PID and the live record value in "pid".

The methods "fixVersioningPid()" were used to return the
moved PID (of the versioned records) and set the "_ORIG_PID"
to the value of the live record.

This inconsistency can be overcome by simply using workspaceOL
returning the newly moved location as "pid" and keep the "_ORIG_pid"
of the live record for later purposes.

This way, fixVersioningPid is not needed anymore, if workspaceOL/versionOL
is applied. TYPO3 Core is not using the fixVersioningPid methods
anymore now and they are marked as deprecated.

As this is a breaking change ("behavior of overlay and value of _ORIG_pid")
an RST explains the new behavior.

Resolves: #92598
Releases: master
Change-Id: I618d282d490b386e1a75caae3ab657f1605e3cb3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66169

Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

This drops all left over calls that suppress the refindex
integrity checks in DataHandler functional tests, except those
within ManyToMany tests: This area needs more work before the
reference index can be fixed.

Two bugs indirectly related to the reference index are fixed
along the way, those can't be separated as standalone patches:

* When a translated page is deleted in workspaces, the
  DataHandler deleted live records on this page, too. This
  is fixed by adding a proper db restriction. This also
  fixes the reference index state in this scenario.

* When publishing a delete placeholder that has inline children,
  workspace delete placeholders are created for the children, which
  is wrong. This happens because the user is not set to the live
  workspace during the publish operation. Temporarily changing the
  user workspace to live not only fixes the reference index, but
  does not create the bogus inline children placeholder records
  anymore, too.

Change-Id: I897f6a93b1d5a579bfa5c52e93e65119a018e4aa
Resolves: #92589
Related: #92467
Releases: master, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66152

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: David Steeb <david.steeb@b13.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The 'Make textareas resizable' setting is quite ancient.
The patch drops this option from the user settings and
enables 'growing' text areas by default. To prevent text
areas from growing indefinitely, the user setting
'max height' with a default of 500px is kept.

Change-Id: I0497c6823b96b077c05d25a2e63ae58c079400b7
Resolves: #92582
Releases: master
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66162

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Benni Mack authored Oct 19, 2020 and Christian Kuhn committed Oct 19, 2020

Since the move placeholder code is gone, some variables / methods
are still "cryptic" and some comments are outdated.

This change modifies some places to make the code
more readable for its current state.

In addition, the RootlineUtility code is now more focussed
and explained on the move pointer retrieval.

Resolves: #92592
Releases: master
Change-Id: I651bcad138cffc9fc0bdfe2d21a9a7666b93e4ff
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66172

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Benni Mack authored Oct 14, 2020 and Daniel Goerz committed Oct 18, 2020

When using workspaces, the computed field "_ORIG_pid" is the
same value as "pid" when using the workspace-related methods

* PageRepository->versionOL()
* PageRepository->fixVersioningPid()
* BackendUtility::workspaceOL()
* BackendUtility::fixVersioningPid()

The field "_ORIG_uid" which keeps the UID of the versioned/workspace
record, is still set.

Resolves: #92571
Releases: master
Change-Id: I53fc4a00915d070f2f45495b51269ebf21d27637
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66138

Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

This patch replaces the bootstrap-datetimepicker with flatpickr which
is pretty lightweight.

Since this datetimepicker also has some sanity validation on board, much
custom datetime parsing in FormEngine can and has been removed,
including magic date manipulation by using addition or subtraction.

The year format for momentjs has been changed from `YYYY` to `Y` as well
to support years < 1000.

Currently the datepicker is not able to select a date < 100.
By manual selection, the picker jumps back to 1999 and not to 99 as
expected.

Resolves: #91606
Releases: master
Change-Id: Id723c5200c797019f6de0ed5a4c15b2137a32995
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64833

Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Xavier Perseguers authored Oct 06, 2020 and Daniel Goerz committed Oct 16, 2020

When a UserAspect is constructed without any associated
AbstractUserAuthentication user (first constructor argument is null)
as created during Application bootstrap within
\TYPO3\CMS\Frontend\Http\Application::initializeContext(), the
alternative list of group uids needs to be made accessible. This
implies that method getGroupIds() should only check for a
BackendUserAuthentication for a special handling and not do the
erroneous check that it could alternatively be a
FrontendUserAuthentication.

Resolves: #92489
Releases: master, 10.4
Change-Id: I0342c86939fdcf03239c20fe95ae020d3d7bfc6a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66053

Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Xavier Perseguers <xavier@typo3.org>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Xavier Perseguers <xavier@typo3.org>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

Helmut Hummel authored Oct 01, 2020 and Georg Ringer committed Oct 15, 2020

When creating a new image file the indexing process must not
try to extract width and height, when the file is empty
to avoid warnings.

Resolves: #92455
Releases: master, 10.4, 9.5
Change-Id: I6e906285c2767c8997c77df258ce6fe085e12790
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65968

Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Simon Gilli authored Oct 14, 2020 and Christian Kuhn committed Oct 15, 2020

This patch ensure the message send loop breaks after a message was sent
successfully. The doSend() method is rewritten to increase the
readability. Also a minimal unit test is added to verify the
functionality of the FileSpool.

Resolves: #91764
Releases: master, 10.4
Change-Id: I5fce3c98fc302739da071f0a5f1f16de61eb198b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66139

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Markus Gerdes <markus@madaxel.de>
Reviewed-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Benni Mack authored Sep 17, 2020 and Christian Kuhn committed Oct 15, 2020

This also deprecates two GeneralUtility methods which
do not belong in this class, and makes the API more
understandable and better documented.

Resolves: #92551
Releases: master
Change-Id: Ibb8b02ae11c76f3f7f65bf0a3eb22c82e94127e5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65749

Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Benni Mack authored Oct 15, 2020 and Christian Kuhn committed Oct 15, 2020

Since TYPO3 v10 the history is connected via
the correlationId in DataHandler and the setHistory()
method does not need the third argument anymore.

This change removes the third argument, and removes
the only two usages in Workspaces.

The method is marked as internal, and the argument
has no value. For this reason, we can remove the
method argument.

Resolves: #92569
Releases: master
Change-Id: I298e24b81336dbddfd477f0881f752f99300a894
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66144

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Christian Kuhn authored Oct 13, 2020 and Benni Mack committed Oct 14, 2020

The 'you can not delete pages that have sub pages' user
settings restriction has been annoying ever since. Users
who actually want to delete a full tree were annoyed by
this flag if they did not had it and had to rely on an
administrator action to actually give it to them, and
had to delete pages on a one-by-one base meanwhile.
Clever admins thus often enabled that flag by default.

It was meant as a feature to prevent casual users from
commiting accidential harm to a site tree. There are
better ways to achieve this goal however: Admins
can set proper access rights for important key pages
preventing editors from deleting them. Furthermore,
a better 'prevent editors from doing harm in live'
way is available by using the workspaces extension. And,
in case of accidental deletion, admins can always
resurrect full page trees using the recycler extension.

The patch drops the 'recursive delete' option from
specific user settings and always allows deleting
pages including sub pages.

Resolves: #92560
Releases: master
Change-Id: I8401edc10daece7f83d0c5f85f99129616fac957
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66136

Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

The IP-locking functionality is disabled in TYPO3 v10 by default due to
IPv4/IPv6 hopping ("Happy eyeballs"), however the per-Backend-User
option is now removed, as it effectively needs custom enablement.

IF IP locking is needed for the backend, this is now configurable
only on a per-installation basis. If needed, it is recommended to
implement this feature, which was disabled by default
(which depends on a feature, which is disabled by default) as
a custom extension.

Resolves: #92559
Releases: master
Change-Id: I9b9b70dab4d3240bd72d8b3979140fc1a5a46811
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66093

Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Simon Gilli authored Oct 06, 2020 and Christian Kuhn committed Oct 13, 2020

The interface Symfony\Component\Mailer\Transport\TransportInterface
expects a RawMessage and an optional Envelope if it's not already part
of RawMessage. Currently an instance of Symfony\Component\Mailer\SentMessage
is sent which is not compatible.

This patch changes this behavior to send the original message and the
envelope like already done in the MemorySpool.

Resolves: #92053
Releases: master, 10.4
Change-Id: I2eb1a6a40c192ac433c6cc112b05432018411312
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66058

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Gerdes <markus@madaxel.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Markus Gerdes <markus@madaxel.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Christian Kuhn authored Oct 13, 2020 and Anja Leichsenring committed Oct 13, 2020

Since the removal of t3ver_state=3 move placeholders,
the db field t3ver_move_id is obsolete and can be dropped.

The patch drops field creation from DefaultTcaSchema for
workspace enabled TCA database tables and removes the
field from all functional test related CSV fixuture files.

Change-Id: I3f1a0e07c415bc6bf3e44d4b30358561123ec9d8
Resolves: #92555
Related: #92497
Releases: master
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66111

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Thomas Löffler authored May 16, 2020 and Benni Mack committed Oct 13, 2020

A couple of functions in PageRepository allow to define the fields
to be selected. Because the `uid` is used internally to further
process the selected row, this field is mandatory and must be
present in a custom fields list.

This fact is now documented in all corresponding PHPDoc blocks.

Resolves: #91421
Releases: master, 10.4
Change-Id: I957da54a8fd399e375cd601e89a735821d04c3f0
Signed-off-by: Thomas Löffler <loeffler@spooner-web.de>
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64506

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Benni Mack authored Sep 21, 2020 and Christian Kuhn committed Oct 12, 2020

Workspaces ("Element-based versioning") previously had - due to
the "pid=-1" logic until TYPO3 v10 - a so-called "MOVE PLACEHOLDER".

This was indicated by t3ver_state = 3, all relevant fields:
* t3ver_state = 3 (move placeholder)
* t3ver_oid = 0 no connected live record, it allowed fetching these records
  with one query together with live records as db restrictions t3ver_oid > 0
* t3ver_wsid = workspace UID
* t3ver_move_id = UID of the live record
* pid = new PID the version was moved to
* sorting - when a record was moved within page with activated sorting

Other record fields were not important. However, when moving a record, the
value from TCA ctrl section "shadowColumnsForMovePlaceholders" was used to
fill in gaps from the live record.

The ACTUAL versioned record was indicated by t3ver_state = 4, the so-called
"MOVE POINTER". In previous version until TYPO3 v10, it's PID field was set
to -1, but since TYPO3 v10, it has the same PID as the "MOVE PLACEHOLDER".

Characteristics of the move pointer as of TYPO3 v10:
* t3ver_state = 4 (move pointer)
* t3ver_oid = UID of the live record
* t3ver_wsid = workspace UID
* t3ver_move_id = 0
* pid = PID the version was moved to
* sorting - same value as the live record (not evaluated until now)
* All other fields with optionally modified content

Both move placeholder and move pointer did not know each other directly.
Fetching the move pointer for a move placeheldor (or the other way around)
involved the live record, leading to many queries.

The patch obsoletes the move placeholder records, moving necessary
information to the move pointer: It now contains the updated sorting
and is considered in the Database Restrictions to be fetched.

In general, when publishing, the moved record now
behaves identical to the other versioned types.

This makes the internal code much easier, creates less DB queries
on read + write and leads to less DB records in the database.

The change removes creation of move placeholders, and considers the
move pointers when evaluating sorting and PID in DataHandler.

Read functionality from BackendUtility and PageRepository don't need an
additional step to fetch the live version of a move placeholder anymore.

An upgrade wizard takes existing move placeholders (state=3), updates
pid+sorting (PID generally not needed, just to be sure) of the move
pointer (state=4) and then deletes the move placeholder.

TCA definition $TCA[my-table][ctrl][shadowColumnsForMovePlaceholders]
is not needed anymore and removed by an auto TCA migration.

Finally, workspace enabled tables do not need the t3ver_move_id field
anymore: The live record UID is already in t3ver_oid field for state=4
records, just like with all other versioned records. The field will
be fully removed with a separate patch in order to keep the actual CSV
tests readable for this patch.

Resolves: #92497
Releases: master
Change-Id: I206336aec8be8a324fefdfd69f648f5a298c6ad1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65797

Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>