Commit graph

599 commits

Author SHA1 Message Date
Yassine Guedidi
58a0ca2622 Replace GetResponseEvent by RequestEvent 2023-08-07 22:34:47 +01:00
Nicolas Lœuillet
5fe5551972 Fix failing randomly test 2023-07-27 07:55:42 +02:00
Nicolas Lœuillet
c75d3e6961 Remove twofactor_auth parameter
Fix #6649
2023-07-15 16:18:01 +02:00
Nicolas Lœuillet
6639f7da6d Fix export for same domain entries 2023-06-29 19:59:08 +02:00
Nicolas Lœuillet
28db6c22eb
Fix duplicate tags creation when assigning search results to tag
Fixes #6330
2023-06-17 15:19:59 +02:00
Nicolas Lœuillet
7eddea6ff7
Added test 2023-06-16 14:27:27 +02:00
Nicolas Lœuillet
19322142c3
Fixed testsuite 2023-06-16 14:27:26 +02:00
Simounet
e5b72f3123
Fix Stylelint errors 2023-06-12 18:15:38 +02:00
Jérémy Benoist
bea10aacbe
Merge pull request #6562 from Simounet/fix/downloadimages-redirect-following
Fix DownloadImages not following redirections
2023-05-31 15:04:02 +02:00
Simounet
548b610a17
Fix images downloading with numeric HTML entity 2023-05-30 13:38:50 +02:00
Simounet
2f944aa74a
Fix DownloadImages not following redirections 2023-05-30 12:41:00 +02:00
Jeremy Benoist
66b7bdd07c
Merge remote-tracking branch 'origin/2.5.x' 2023-04-24 14:36:32 +02:00
Casper Meijn
5a5148707c Fix API allowed_registration
Two configuration options need to be enabled to allow user registration via the API:
1) fosuser_registration, which indicates whether registration is allowed at all (frontend and API)
2) api_user_registration, which indicates whether registration is allowed via the API
2023-03-28 20:12:55 +02:00
Jeremy Benoist
a237414f9c
Skip test because of encoding issue in PHP 8.1 2023-03-24 22:57:11 +01:00
Jeremy Benoist
f1b3d5cdd7
Fix CSRF on user deletion 2023-02-07 21:41:52 +01:00
Jeremy Benoist
b795622f06
Prepare 2.5.3 2023-02-01 09:51:02 +01:00
Jérémy Benoist
5ac6b6bff9
Merge pull request from GHSA-mrqx-mjc4-vfh3
AnnotationController: fix improper authorization vulnerability
2023-02-01 09:32:22 +01:00
Kevin Decherf
3ed7f2b751 AnnotationController: fix improper authorization vulnerability
This PR is based on 2.5.x branch.

We fix the improper authorization by retrieving the annotation using id
and user id.

We also replace the ParamConverter used to get the requested Annotation
on put and delete actions with an explicit call to AnnotationRepository
in order to prevent a resource enumeration through response discrepancy.

Fixes GHSA-mrqx-mjc4-vfh3

Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com>
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2023-01-27 23:34:14 +01:00
Kevin Decherf
0fdd9aa991 ExportController: fix improper authorization vulnerability
We fix the improper authorization by duplicating the check done by
the private method EntryController::checkUserAction().

We also replace the ParamConverter used to get the requested Entry with
an explicit call to EntryRepository in order to prevent a resource
enumeration through response discrepancy. Thus, we get the same
exception whether the requested resource does not exist or is not owned
by the requester.

Fixes GHSA-qwx8-mxxx-mg96

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2023-01-20 15:09:38 +01:00
Jeremy Benoist
ea189503de
Fix tests 2023-01-16 10:21:37 +01:00
Kevin Decherf
2f2cfa2c2a Add prefix for tag slugs
This should be considered as a temporary fix, we may deprecate tag
slugs in the future.

Fixes #6048

Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
2023-01-11 23:20:13 +01:00
Jeremy Benoist
6aca334d53
Move to controller as a service
Mostly using autowiring to inject deps.
The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case.

Usually:
- if a controller has a constructor, it means injected services are at least re-used once in actions
- otherwise, service are injected per action
2022-12-19 10:38:08 +01:00
Jeremy Benoist
b3099f68c5
Update all Doctrine deps
Also update these deps to be compatible with latest Doctrine version:
- `friendsofsymfony/oauth-server-bundle`
- `lexik/form-filter-bundle`
- `dama/doctrine-test-bundle`
2022-12-16 10:29:42 +01:00
Jeremy Benoist
32661f380c
Replace SwiftMailer by Symfony Mailer 2022-12-16 10:03:34 +01:00
Jeremy Benoist
d47c208743
Fix EventDispatcer & events
Looks like parameter for the `->dispatch(` have been flipped (event first then event name).
Define events should now extends `Symfony\Contracts\EventDispatcher\Event`
2022-12-15 21:47:31 +01:00
Jeremy Benoist
33267f0736
Update to FOSUserBundle 3.1
Also remove some deprecation from Symfony.
Use `LegacyEventDispatcherProxy` to handle Symfony 4 dispatch from FOSUser
2022-12-14 09:42:17 +01:00
Jeremy Benoist
de5b138a59
Fix CS 2022-12-13 10:26:51 +01:00
Jeremy Benoist
e79f5c7a21
Skip MySQL test 2022-11-29 18:01:46 -08:00
Jeremy Benoist
dd2f2fe340
Fix pt_BR test 2022-11-29 18:01:46 -08:00
Jeremy Benoist
aa5c7f05b8
Upgrade to Symfony 4.4
- disable autowiring for Event (because the Entry entity was injected)
- rename `getClient()` for test to `getTestClient()` to avoid error while overriding (from `BrowserKitAssertionsTrait`)
2022-11-29 18:01:46 -08:00
Jeremy Benoist
b7dba18cb2
Cleanup 2022-11-23 15:51:33 +01:00
Yassine Guedidi
af6363bbbd
Fix missing call to parent setUp 2022-11-23 15:25:11 +01:00
Jeremy Benoist
1d3935fbd3
Remove LiipThemeBundle
As baggy theme was removed and material is the only remaining theme, we don't need a theme switched anymore.
So:
- move all `*.twig` files from the material theme folder to the root
- remove useless translations
2022-11-23 14:52:06 +01:00
Jeremy Benoist
8d3fcd4635
Merge remote-tracking branch 'origin/master' into 2.6.0 2022-11-03 10:30:17 +01:00
Nicolas Lœuillet
680da52ea8 Fixed tests 2022-11-03 09:55:24 +01:00
Nicolas Lœuillet
594c609a54 Fixed edit button for tagging rules 2022-11-03 09:55:24 +01:00
Nicolas Lœuillet
aedaa50887 Fixed tests 2022-11-03 09:55:24 +01:00
Nicolas Lœuillet
29308024ac Removed old, not so maintained and buggy baggy theme 2022-11-03 09:55:20 +01:00
Yassine Guedidi
e32794e9d6 Remove useless command input parameter 2022-10-18 15:19:07 +02:00
Yassine Guedidi
17497275b2 Use find for remaining useless addition 2022-10-18 15:19:07 +02:00
Yassine Guedidi
6915a92047 Remove useless command addition 2022-10-18 15:19:07 +02:00
Yassine Guedidi
8f20df6559 Remove InstallCommandMock 2022-10-18 15:19:07 +02:00
Jeremy Benoist
dc28d7ea0f
Add support to download SVG locally 2022-10-18 11:14:45 +02:00
Jeremy Benoist
c372d68cc1
Merge remote-tracking branch 'origin/master' into 2.6.0 2022-10-18 11:11:02 +02:00
Jeremy Benoist
d4b0b62bb5
Fix unrelated failing test
LExpansion is down ATM.
Use a website which isn't down randomly.
2022-10-17 21:49:03 +02:00
Jeremy Benoist
7b150dcd26
Add tests 2022-10-17 21:37:08 +02:00
Jeremy Benoist
53574f05d5
Fix random failing tests
Looks like `20minutos.es` sometimes does not return the expected language.
Switching to `elpais.com` fix the problem.
2022-10-10 09:15:26 +02:00
JT Smith
6da76ffaae Typofixes 2022-10-03 18:31:43 -06:00
Jeremy Benoist
812b4a906f
Add nbEntries to the API tags list response
So client will be able to do the same as in the web UI.

Also remove empty `div` from the tags template.
2022-09-23 15:16:38 +02:00
Yassine Guedidi
98af2e25f2 Use ::class notation where possible 2022-09-01 20:54:56 +02:00