1. 02 Mar, 2014 2 commits
    • [BUGFIX] Mock locked records for DataProviderTest · e8bc2624
      Helmut Hummel authored
      The DataProviderTest calls BackendUtility::isRecordLocked
      statically. We cannot mock that call, but we can
      "mock" a locked record so that BackendUtility::isRecordLocked
      does not query the database.
      
      Resolves: #56472
      Releases: 6.2
      Change-Id: I268a7a900a0f2dcbf248f6a4d856354c7b1cdcd6
      Reviewed-on: https://review.typo3.org/27975
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [TASK] Update database schema as first and last update wizard · 2e06fc19
      Stephan Großberndt authored
      Introduces two new upgrade wizards in the Install tool.
      
      The first wizard - added as first step of the upgrade wizards - adds
      tables, fields and keys to comply to the database schema. When this is
      necessary no other wizards can be executed until these are created.
      
      The second wizard - added as last step of the upgrade wizards - changes
      tables, fields and keys to comply to the database schema. When other
      upgrade wizards are available, this one is not available to make sure
      they have all necessary fields.
      
      In order to make sure they are added as first and last step they are
      added in UpdateWizard instead of ext_localconf.php.
      
      The former "Final step" is now optional and has been renamed to "Hint".
      The buttons to start the update wizards from the list have been renamed
      from "Next" to "Execute".
      
      Resolves: #53890
      Releases: 6.2
      Change-Id: I866b558df3325acca3122bbd4e0c2285447fcdf3
      Reviewed-on: https://review.typo3.org/27240
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  2. 01 Mar, 2014 4 commits
    • [!!!][SECURITY] Remove old wizard scripts · dfab37ac
      Helmut Hummel authored
      Keeping the old wizard script would not solve
      the CSRF attack vector as they could still
      be referenced in this kind of attack.
      
      Because of that, we remove them now.
      
      This change provides a backwards compatibility
      layer in FormsEngine which takes care of rewriting
      URLs which have been referenced in TCA.
      
      Also the priority is changed in code. This means
      that extension authors can reference both
      configurations to stay compatible with older
      TYPO3 versions.
      
      It will however break code which links to the
      old scripts directly in other places.
      
      Resolves: #56454
      Releases: 6.2
      Change-Id: I15f5d929f16fdd53a8b87cd32440a3d6ce59b6ed
      Reviewed-on: https://review.typo3.org/27956
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [BUGFIX] Fix StorageRepository::findByStorageType · 3d4de84e
      Marc Bastian Heinrichs authored
      Since optimizing the retrieval of Storages the
      findByStorageType() doesn't find any (also right ones)
      storage, because of a wrong comparison.
      This fixes also the localDriverStorageCache in
      ResourceFactory, finding a bestMatchingStorageByLocalPath
      in ResourceFactory, getting the right storage for a local
      path as fileIdentifier and creation of duplicate entries 
      in sys_file with storage 0.
      
      Resolves: #56400
      Releases: 6.2
      Change-Id: I75ac357dff498f1a209d4c42896bdeddab3641ad
      Reviewed-on: https://review.typo3.org/27915
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [TASK] Use new way to register colorpicker wizard · 498ccf37
      Alexander Schnitzler authored
      Resolves: #56436
      Releases: 6.2
      Change-Id: Ia789abbbdf7ab11a4ab13ea6aa195bc79ba6dc25
      Reviewed-on: https://review.typo3.org/27945
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [BUGFIX] Undefined variable $multiSelectId in FormEngine · bb4ecb56
      Wouter Wolters authored
      There is an undefined variable $multiSelectId in FormEngine. This
      is introduced with #46357
      
      Resolves: #56457
      Releases: 6.2
      Change-Id: I88fd4f9b36e6421b338011a1cc31c22987019dc9
      Reviewed-on: https://review.typo3.org/27959
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
  3. 28 Feb, 2014 14 commits
  4. 27 Feb, 2014 11 commits
    • [BUGFIX] Make sure M parameter is first in URL · d9a4854f
      Helmut Hummel authored and Wouter Wolters committed
      Although the order of GET parameters in the URL
      does not matter, the M parameter should come first
      in the URL.
      
      Resolves: #56404
      Releases: 6.2
      Change-Id: Id79f2f55fff2430ecce8a76bbba526dc7d175b40
      Reviewed-on: https://review.typo3.org/27916
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
      Reviewed-by: Nicole Cordes
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Fix GET parameter order in unit tests · a791531f
      Helmut Hummel authored
      The order of GET parameters changed, so we have
      to adapt the tests.
      
      Resolves: #56403
      Releases: 6.2
      Change-Id: I6fb8d231c71fa020677313127d453be3eab500ce
      Reviewed-on: https://review.typo3.org/27917
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [FEATURE] Add API to CSRF protect Ajax calls in Backend · 2aa83d39
      Helmut Hummel authored
      This change adds API to register Ajax ids with
      their handler and to get an Ajax URL for
      a specific AjaxID.
      
      A token check is added to the ajax.php dispatcher
      script. To stay backwards compatible, the token
      is only checked, if the AjaxId is registered not
      using the new API.
      
      The new API will be used by TYPO3 core in
      consecutive changes.
      
      Resolves: #56345
      Documentation: #56347
      Releases: 6.2
      Change-Id: I188a9312b0f4239040e461ba09dc9c8f2b93a68b
      Reviewed-on: https://review.typo3.org/27873
      Reviewed-by: Wouter Wolters
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [TASK] Additional SignalSlot after init in EditDocumentController · 45b092d3
      Julian Kleinhans authored and Anja Leichsenring committed
      Adds a new SignalSlot possibility after the init method call.
      
      Resolves: #56381
      Releases: 6.2
      Change-Id: I2357f81c40b123a7cd2eef57ef142a9e934dbc35
      Reviewed-on: https://review.typo3.org/27896
      Reviewed-by: Julian Kleinhans
      Tested-by: Julian Kleinhans
      Reviewed-by: Tomas Norre Mikkelsen
      Reviewed-by: Erik Frister
      Reviewed-by: Joh. Feustel
      Reviewed-by: Stefan Rotsch
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
    • [CLEANUP] Remove security_level option from Authentications · beac969f
      Benni Mack authored
      The security_level option was deprecated
      since 4.7 and can now be removed.
      
      Also do some cleanup in related code.
      
      Releases: 6.2
      Resolves: #56256
      Change-Id: I48dcb788ca654aea14fb7125128c564fd373b550
      Reviewed-on: https://review.typo3.org/27825
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [TASK] Speed up updating the extension list · bce23ae7
      Benni Mack authored
      The process of updating the TER
      extension list takes approx 1 minute
      because the extension manager needs
      to mark all "latest versions". This is done
      via a large UPDATE query on fields
      without indices, additionally this is done
      in PHP and not in SQL with a
      simple subselect.
      
      Additionally the SQL file does not set
      appropriate indices at all, which is also
      done in this patch.
      
      Releases: 6.2
      Resolves: #56354
      Change-Id: Ic46994fa1b16cce9912950520955185f3f95fe1a
      Reviewed-on: https://review.typo3.org/27876
      Reviewed-by: Steffen Ritter
      Tested-by: Steffen Ritter
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [BUGFIX] Filename sorting in filelist is broken · baa5c3e7
      Frans Saris authored
      The sorting by filename in the filelist is broken since the
      introduction of sys_file_metadata. It tries to sort the file list
      by property file. Before sys_file_metadata it couldn't find this
      property and sorted by the default value name. But after introduction
      of sys_file_metadata it has a property file, its own sys_file uid.
      
      This patch fixes the sorting behaviour when sorting by filename.
      
      Resolves: #56128
      Releases: 6.2
      Change-Id: Icd25bc2aafed4baafbaa7d9f87ce755fe9e64579
      Reviewed-on: https://review.typo3.org/27881
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
      Reviewed-by: Alexander Opitz
      Tested-by: Alexander Opitz
      Reviewed-by: Stefan Froemken
      Tested-by: Stefan Froemken
      Reviewed-by: Frans Saris
      Tested-by: Frans Saris
    • [BUGFIX] Fix Redirect after switch-to-user · 3241387b
      Helmut Hummel authored
      The compatibility layer introduced in #55809
      causes trouble with the user switch feature.
      
      User switch intentionally redirects to index.php
      but the compatibility layer kicks in and redirects
      back to the user module, finally leading to an
      endless redirect.
      
      This can be resolved by checking for modules which
      have been changed and need that compatibility layer.
      
      Resolves: #56364
      Releases: 6.2
      Change-Id: I74d8c57335af66068383b49dc7d43ea480e631b8
      Reviewed-on: https://review.typo3.org/27897
      Reviewed-by: Jigal van Hemert
      Tested-by: Jigal van Hemert
      Reviewed-by: Oliver Hader
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [BUGFIX] Fix reference to FileListLocalisation.js · 71a7f96c
      Markus Klein authored
      FileListLocalisation.js was moved from backend to filelist
      with #55810, but it was forgotten to adapt the reference
      in InlineElement.
      
      Resolves: #55979
      Releases: 6.2
      Change-Id: I102ffe25c255f8ac39a49d4022ee3ab73ff1914c
      Reviewed-on: https://review.typo3.org/27861
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
      Reviewed-by: Frans Saris
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [BUGFIX] Revert "[TASK] Use a 401 header if login is not successful" · fe210c9c
      Michael Knabe authored and Jigal van Hemert committed
      This reverts commit 9974f36d.
      
      The 401 header code is used with HTTP based authentication schemes,
      based on RFC 2617.
      
      This is not the case here.
      
      Resolves: #55966
      Reverts: #51803
      Releases: 6.2, 6.1, 6.0, 4.5
      Change-Id: I134f0f1d575f3e8d4c37c2af62df8eca3f01f817
      Reviewed-on: https://review.typo3.org/27888
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
      Reviewed-by: Jigal van Hemert
      Tested-by: Jigal van Hemert
    • [BUGFIX] Fix link for workspace preview · 94435811
      Helmut Hummel authored
      The absolute link generated for mailings to
      workspace editors misses the page id.
      
      The uid has been accidentally removed with
      commit for #56359
      
      Resolves: #56375
      Releases: 6.2
      Change-Id: I521aee2b96c542c27a911ffeab5d9bfffc8b9a46
      Reviewed-on: https://review.typo3.org/27893
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
  5. 26 Feb, 2014 7 commits
    • [BUGFIX] Fix module access regressions · 8cbb774c
      Helmut Hummel authored
      During the addition of the token check for mod.php
      some places have been missed where a correct
      token needs to be added.
      
      Resolves: #56359
      Releases: 6.2
      Change-Id: I435cb36641fe96ecf050c915d200f94cbb31ce9f
      Reviewed-on: https://review.typo3.org/27883
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] Avoid to get a file object with the uid zero · f5dd8bf2
      Marc Bastian Heinrichs authored
      At some points where a file object is retrieved, a check for
      the interpretation as integer is done for the method
      argument only. If the argument is 0 an exception will be
      thrown from the ResourceFactory.
      A file object should only be fetched if the uid is an integer
      greater than zero.
      
      Resolves: #55530
      Releases: 6.2
      Change-Id: I9399d58bac4a48344769ac00207b64e25eea630e
      Reviewed-on: https://review.typo3.org/27304
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] Do not save failed token messages in session · e99e12a9
      Helmut Hummel authored and Anja Leichsenring committed
      In #30272 the backend formprotection has been changed
      to not save flash messages in the user session if
      the current request is an Ajax request.
      
      Unfortunately the check for that is broken
      since the TYPO3_AJAX global is reset in the
      bootstrap now.
      
      Introduce a method which uses the request type
      constants and adapt the tests accordingly.
      
      Resolves: #56357
      Releases: 6.2
      Change-Id: Idae8be036b3747ea71509cc37008a4d694390627
      Reviewed-on: https://review.typo3.org/27879
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
    • [BUGFIX] Respect all filemounts in file collection · f2208e54
      Alexander Stehlik authored and Frans Saris committed
      The directory selector in a file collection now displays the folders
      of all filemounts of a user. Before only the folders of the first
      filemount were displayed.
      
      Resolves: #55414
      Releases: 6.2
      Change-Id: Ic47f5163e2cfc7c89edcba4119f06620ed0fd56e
      Reviewed-on: https://review.typo3.org/27119
      Reviewed-by: Wouter Wolters
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
      Reviewed-by: Frans Saris
      Tested-by: Frans Saris
    • [!!!][SECURITY] Add CSRF protection to mod.php · 6e9e5455
      Helmut Hummel authored
      Add a token check in mod.php and token generation
      to BackendUtility::getModuleUrl()
      
      Adapt code to use BackendUtility::getModuleUrl()
      in every place where links are hardcoded.
      
      Releases: 6.2
      Resolves: #55509
      Change-Id: I952c40fc1004a0a8d77c929927d37e1d93dcfef4
      Reviewed-on: https://review.typo3.org/27636
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [BUGFIX] Allow record insert on rootlevel · 7389b684
      Benjamin Serfhos authored
      The DataHandler function checkRecordInsertAccess() does
      now check the configuration for the root level.
      
      Resolves: #52386
      Releases: 6.2, 6.1, 6.0
      Change-Id: I1810ea847e631ea6b242346a0271f491fd60fdf9
      Reviewed-on: https://review.typo3.org/24166
      Reviewed-by: Leon de Rijke
      Tested-by: Leon de Rijke
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] Followup: Ajax handler TYPO3_tcefile::process is broken · 6cc6c4f7
      Frans Saris authored
      Upload action was taken care of, but the ajax handler can be just
      for all commands that ExtendedFileUtility->processData can handle.
      
      This change checks the result set and flattens
      data only when needed.
      
      Resolves: #56084
      Releases: 6.2, 6.1
      Change-Id: Ic1a0bd9084b9eb206b9b53960890d22d2a9c56f5
      Reviewed-on: https://review.typo3.org/27739
      Reviewed-by: Alexander Schnitzler
      Tested-by: Alexander Schnitzler
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  6. 25 Feb, 2014 2 commits