- Added handling to not include parent of top-most list range selection
so that it's not also changed while not visually part of the
selection range.
- Fixed issue where list items could be left over after unnesting, due
to empty checks/removals occuring before all child handling.
- Added node sorting, applied to list items during nest operations so
that selection range remains reliable.
Found that saving via Ctrl+Enter did not save as logic to load editor
output into form was bypassed, which this fixes by ensuring submit
events are raised during for this shortcut.
Submit handling also gets a timeout added since, at least in FF,
requestSubmit did not re-submit a form while in a submit event.
- Fixed name numeric sorting not working as expected due to bad
comparison.
- Added name numeric desc operation option.
- Added test to ensure each operating has a comparison function.
Code in lists could throw error on parse due to inner <code> tag being
parsed but not actually used within a <pre>, so this updates the
importDOM to disregard childdren for code blocks.
This also improves the invariant implementation to not be so
dev/debugger based, and to include vars in the output.
This changes indexing so that a.b now indexes as "a", "b" AND "a.b"
instead of just the first two, for periods and hypens, so terms
containing those characters can be searched within.
Adds hypens as a delimiter - #2095
- Renamed AssignSortSetCommand to AssignSortRuleCommand, updated
contents and testing.
- Updated sorting operations to not update timestamps if only priority
is changed.
- Changes to a sort set will now auto-apply to assinged books (basic
chunck through all on save).
- Added book count indicator to sort set list items.
- Deletion now has confirmation and auto-handling of assigned
books/settings.
Only actuall added YT in the end.
Google had changed URL scheme, and Vimeo seems to just be something else
now, can't really browse video pages like before.
Existing mime sniffer wasn't great at distinguishing between plaintext
file types, so added a custom extension based mapping for common web
formats that may be expected to be used with this.
Allows files to be placed within a "public" folder within a theme
directory which the contents of will served by BookStack for access.
- Only "web safe" content-types are provided.
- A static 1 day cache time it set on served files.
For #3904
- Fixed failing tests due to Laravel 11 changes
- Updated phpstan to 3.x branch
- Removed some seemingly redundant comment code, which was triggering
phpstan.
Just as a measure to prevent potential abuse of these potentially
longer-running endpoints.
Adds test to cover for ZIP exports, but applied to all formats.
Re-used existing route and moved tinymce help to its own different
route. Added test to cover.
Added new external-content block to support in editor UI.
Sibling/child items will now remain at the same visual level during
nesting/un-nested, so only the selected item level is visually altered.
Also added new model-based editor content matching system for tests.
- Makes enter on empty nested list item un-nest instead of just creating
new list items.
- Also updated existing lists tests to use newer helper setup.
Also:
- Added svg loading support (dummy stub) for jest.
- Updated headless test case due to node changes.
- Split out editor change detected to where appropriate.
- Added functions to help with testing, like mocking our context.
To provide more control of the summary as part of details.
To support, added a way to ignore elements during import DOM, allowing
up to read summaries when parsing details without duplicate nodes
involved.
Adds dynamic and fixed (out of DOM order) positioning with location
adjustment depending on space.
Also adds smarter hiding to prevent disappearing when mouse leaves but
within the same space as the toggle.
Hiding since it's not really used, and may mislead on how to set default
app language (which should be done via env options).
Updated test to cover.
For #5356
Failed notification sends could block the user action, whereas it's
probably more important that the user action takes places uninteruupted
than showing an error screen for the user to debug.
Logs notification errors so issues can still be debugged by admins.
Closes#5315
Due to hitting statement placeholder limits (typically 65k)
when inserting index terms for single page.
Added test to cover.
Also added skipped tests for tests we don't always want to run.
For #5322
Hardened things to enforce the intent that the guest account should not
be used for logins.
Currently this would not be allowed due to empty set password, and no
password fields on user edit forms, but an error could occur if the
login was attempted.
This adds:
- Handling to show normal invalid user warning on login instead of a
hash check error.
- Prevention of guest user via main login route, in the event that
inventive workarounds would be used by admins to set a password for
this account.
- Test for guest user login.
Changes the name of our spacing variables due to the prefixing -/_
meaning private in the use of new "use" rather than include.
All now modular too, so all variables/mixins are accessed via their
package.
Also renamed variables file to vars for simpler/cleaner access/writing.
eg. '$-m' is now 'vars.$m'
Review of #5280.
- Removed additional non-needed loads which could ignore permissions.
- Updated new formatter method name to be more specific on use.
- Added test case to cover changes.
- Updated API examples to align parent id/info in info to be
representative.
Migrations run without force could fail startup in certain environment
conditions (when testing production env).
Also updated paths permission handling to update more needed locations.
We were not responsing with a range request, where the requested range
was for the full extent of content. This changes things to always
provide a range request, even for the full range.
Change made since our existing logic could cause problems in chromium
browsers.
Elseif statement removed as its was likley redundant based upon other
existing checks.
This also changes responses for requested ranges beyond content, but I
think that's technically correct looking at the spec (416 are for when
there are no overlapping request/response ranges at all).
Updated tests to cover.
For #5342
- Handled links to within-zip page images found in chapter/book
descriptions; Added test to cover.
- Fixed session showing unrelated success on failed import.
Tested import file-create undo on failure as part of this testing.
And disable button after submit.
Added here because the import could take some time, so it's best to show
an indicator to the user to show that something is happening, and help
prevent duplicate submission or re-submit attempts.
Images were missing their extension after import since it was
(potentially) not part of the import data.
This adds validation via mime sniffing (to match normal image upload
checks) and also uses the same logic to sniff out a correct extension.
Added tests to cover.
Also fixed some existing tests around zip functionality.
Added file creation reverting and DB rollback on error.
Added error display on failed import.
Extracted likely shown import form/error text to translation files.
* New translations common.php (Ukrainian)
* New translations entities.php (Ukrainian)
* New translations errors.php (Ukrainian)
* New translations activities.php (Czech)
* New translations entities.php (Czech)
- Added extra column/value check for page revision test for accuracy.
- Changed search sort test to use more reliable values.
- Change due to database seeding somtimes generating values that
proceeded the test value, expected to be first, in sort results.
- Migrated translation service to TS, stripping a lot of now unused code
along the way.
- Added test to cover translation service.
- Fixed some comment count issues, where it was not showing correct
value. or updating, on comment create or delete.
- Fixed new code block insertion to remove selection area instead of
just adding after.
- Added default table column widths to not be collapsed
- Updated table dom export to not duplicate colgroups.
Prevents polluting global scope with variables since we're using the
module format bundler in esbuild.
Also cleaned up unused yields.
Fixed bad reference in our tinymce fixes.
For #5232
Added specific handling to show relevant error message when user
creation fails due to invite sending errors, while also returning user
to the form with previous input.
Includes test to cover.
For #5195
- Updated toolbar to match existing editor, including dynamic RTL/LTR
controls.
- Updated text node handling to not include spans and extra classes when
not needed. Added & update tests to cover.
Imported at 0.17.1, Modified to work in-app.
Added & configured test dependancies.
Tests need to be altered to avoid using non-included deps including
react dependancies.
Added list nesting support to allow li > ul style nesting which lexical
didn't do by default.
Adds tab handling for inset/outset controls.
Will be a range of edge-case bugs to squash during testing.
- Improved node resizer positioning to be more accurate
- Fixed drop handling not running within editor margin space
- Made media dom update smarter to reduce reloads
- Fixed media alignment, broken due to added wrapper
Changed from using a decorator to using a helper that watches for image
selections to then display a resize helper.
Also changes resizer to use a ghost and apply changes on end instead of
continuosly during resize.
Also added smarter above/below positioning to respond if toolbar would
be off the bottom of the editor, and added hide/show when they'd go
outside editor scroll bounds.
Added new options that sits on the context, for things needed but not
for the core editor, which are defined out of the editor (drawio URL,
error message text, pageId etc...)
Previously if a custom port was used in the DRAWIO option it would not
be considered in the CSP handling, which would block loading.
Added test to cover.
For #5107
An empty (but valid formed) groups list provided via the OIDC ID token
would be considered as a lacking detail, and therefore trigger a lookup
to the userinfo endpoint in an attempt to get that information.
This fixes this to properly distinguish between not-provided and empty
state, to avoid userinfo where provided as valid but empty.
Includes test to cover.
For #5101
Changes GIF image thumbnail handling to direcly load via gd instead of
going through interventions own handling (which supports frames) since
we don't need animation for our thumbnails, and since performance issues
could arise with GIFs that have large frame counts.
For #5029
Remove the Shift for the numeric shortcut for incline code.
Ctrl+8 instead of Ctrl+Shift+8
I assume Mac is the same but I do not have a Mac to test with.
Started basic playground for testing lexical as a new WYSIWYG editor.
Moved out tinymce to be under wysiwyg-tinymce instead so lexical is the
default, but TinyMce code remains.
Change made during Laravel 10 updates to align (Laravel made this change
much earlier in 5.x series) but it caused issues due to folder not
pre-existing and due to potentiall permission issues.
(CLI could create this during update, with non-compatible permissions
for webserver).
For #4999
To help override & gain control of setting text alignment in tables.
- Adds support of clearing "align" attributes in certain operations.
- Updates cell range action handling to dedupe execcommand handling.
- Adds clearing of additional alignment classes on direction control.
Closes#5011
Editor popup will now reflect the direction of the opened code block.
This also updates in-editor codemirror instances to correcly reflect/use
the direction if set on the inner code elem.
This also defaults new code blocks, when in RTL languages, to be started
in LTR, which can then be changed via in-editor direction controls if
needed. This is on the assumption that most code will be LTR (could not
find much examples of RTL code use).
Fixes#4943
Review of #4913
Added testing to cover option.
Updated option so it can be used for a CA directory, or a CA file.
Updated option name to be somewhat abstracted from original underling
PHP option.
Tested against Jumpcloud.
Testing took hours due to instability which was due to these settings
sticking and being unstable on change until php process restart.
Also due to little documentation for these options.
X_TLS_CACERTDIR option needs cert files to be named via specific hashes
which can be achieved via c_rehash utility.
This also adds detail on STARTTLS failure, which took a long time to
discover due to little detail out there for deeper PHP LDAP debugging.
Removes an editor-specific line-height which was overriding cell
paragraph line height, causing mis-aligned style compared to viewing.
Checked a range of styles and looked at history, could not see original
purpose of the line-height removed here.
Closes#4960
- Prevented image toolbars showing for objects embeds due to tinymce
image placeholder, and added media toolbar.
- Fixed height of object embed placeholder being forced to auto
when in the editor, allowing height attributed to be properly
reflected as it would on normal page view.
Closes#4974
Seemed to be chrome specific from testing.
Required editors to have preventDefault called on dragover.
Tested in Chrome, FF, & Safari.
Tested in both editors, and re-tested text/image drop to ensure still
works.
Fixed#4975
Fixes custom table cell clear-format handling since it was being called
on many format removals, not just the clear-formatting action.
This updates the code to specifically run on the RemoveFormat action
which is triggered by the clear formatting button.
Fixes#4964
To not conflict with env variables, and to align with placeholders used
for PDF gen command.
Added test to cover, including old format supported for
back-compatibility.
For #4967
- Updated DOMPDF to direcly use library instead of depending on barry
wrapper.
- Merged existing export options file into single exports file.
- Defined option for new command option.
Related to #4732
Wrapped userinfo response in its own class for additional handling and
validation.
Updated userdetails to take abstract claim data, to be populated by
either userinfo data or id token data.
Allows a proper defined object instead of an array an extracts related
logic out of OidcService.
Updated userinfo to only be called if we're missing details.
- Added endpoint validation to ensure HTTPS as per spec
- Added some missing types
- Removed redirectUri from OidcProviderSettings since it's not a
provider-based setting, but a setting for the oauth client, so
extracted that back to service.
Inline with A11y recommendations where color may not be reliable on its
own.
Tested various content link scenarios across chrome, safari & FF.
For #4939
Markdown-related code was growing, representing half of app.js main
bundle code while only being needed in one view/scenario.
This extracts markdown related code to its own built file.
Related to #4858
Count and reference list would get references then attempt to load
entities, which could fail to load if in the recycle bin.
This updates the queries to effectively ignore references for items we
can't see (in recycle bin).
Added test to cover.
For #4918
Using the env LDAP_TLS_CACERTFILE to set a file to use to override
the CA CERT used to verify LDAPS connections. This is to make this
process easier for docker use.
- Updated license year
- Updated some readme wording, removed lapsed sponsor, Removed twitter
link, added link to alt github source
- Update cache action for GH workflows since GH was complaining
Avoided updating markdown-it package to 14 for now since it would cause
bundle size to inflate. Don't think ESBuild is properly tree shaking
"entities" sub package which inflates size.
(Copied this message from december deps update).
- Removes 'span' from being a valid part of alignment formats so it's
not used to align contents, since it's going to mostly be an inline
format, wheras you'd really want alignment on the parent block.
- Adds direction cleaning to all direction change events, to remove
direction styles and child direction controls which may complicate
matters and cause direction changes not to show.
- Makes text direction controls work with table cell range selections,
which TinyMCE does not consider by default, via manual handling.
For #4843
Ensures fields returned match API docs and previous versions of
BookStack where we were accidentally returning more fields than
expected.
Updates tests to cover many of these.
Also updated clockwork to ignore image requests for less noisy
debugging.
Also updated chapter page query to not be loading all page data, via new
query in PageQueries.
- Updated name to align, and differentate from new 'XQueries' clases.
- Removed old sketchy base class with app resolving workarounds, to a
proper injection-based approach.
- Also fixed wrong translation text used in PageQueries.
Updated query classes to align to interface for common aligned
operations.
Extracted repeated string-identifier-based finding from page/chapter
repos to shared higher-level entity queries.
Changed the orientation settings in PwaManifestBuilder.php from 'portrait' to 'any'. This allows the PWA to adjust to any screen orientation, enhancing user flexibility.
Also moved to a non-static approach, and added a high-level class to
allow easy access to all other entity queries, for use in mixed-entity
scenarios and easier/simpler injection.
Removes page/chpater addSelect global query, to load book slug, and
instead extracts base queries to be managed in new static class, while
updating specific entitiy relation loading to use our more efficient
MixedEntityListLoader where appropriate.
Related to #4823
- Updated existing book tests to be generic to all default templates,
and updated with chapter testing.
- Extracted repeated logic in the Book/Chapter repos to be shared in the
BaseRepo.
Review of #4750
- Added filter on load to help prevent potentially dangerous comment
HTML in DB at load time (if it gets passed input filtering, or is
existing).
- Added TinyMCE valid_elements for input wysiwygs, to gracefully degrade
content at point of user-view, rather than surprising the user by
stripping content, which TinyMCE would show, post-save.
Updated to parse and add as DOM nodes instead of innerHTML to avoid
triggering an update of all head content, which would throw warnings in
chromium in regard to setting the base URI.
For #4814
This changes how initial searches can be handled via config rather than
specific action so they can be considered in how the initial data load
is done, to prevent the default empty state loading and overwriting the
search data if it lands later (which was commonly likely).
For #4778
This was the default option anyway, just adding here for
better visibility of this being set.
Can't enable without issues as the app will attempt to seek which does
not work for these streams. Also have not tested on non-s3, s3-like
systems.
Query of existing entity permissions during view permission generation
could cause timeouts or SQL placeholder limits due to massive whereOr
query generation, where an "or where" clause would be created for each
entity type/id combo involved, which could be all within 20 books.
This updates the query handling to use a query per type involved, with
no "or where"s, and to be chunked at large entity counts.
Also tweaked role-specific permission regen to chunk books at
half-previous rate to prevent such a large scope being involved on each
chunk.
For #4695
Also aligned books, shelves and chapters to return description content
and some relations (where not breaking API) in create/update responses
also so that information can be seen direct from that input in a
request.
API docs and tests not yet updated to match.
For book, shelves and chapters.
Made much of the existing handling generic to entity types.
Added new MixedEntityListLoader to help load lists somewhat efficiently.
Only manually tested so far.
Rolled out HTML editor field and store logic across all target entity
types. Cleaned up WYSIWYG input logic and design.
Cleaned up some injected classes while there.
Old all-caps button design made them a bit angry, and kinda odd and
outdated. This updates them to use their original source text casing
(which may help for translation variations) while being a bit rounder
with a better defined shadow for outline buttons.
Required a lot of working around TinyMCE since it added a
preview/wrapper element in the editor which complicates things.
Added view new "fixes.js" file so large hacks to default TinyMCe
functionality are kept in one place.
BooksStack's OIDC Client requests the 'profile' and 'email' scope values
in order to have access to the 'name', 'email', and other claims. It
looks for these claims in the ID Token that is returned along with the
Access Token.
However, the OIDC-core specification section 5.4 [1] only requires that
the Provider include those claims in the ID Token *if* an Access Token is
not also issued. If an Access Token is issued, the Provider can leave out
those claims from the ID Token, and the Client is supposed to obtain them
by submitting the Access Token to the UserInfo Endpoint.
So I suppose it's just good luck that the OIDC Providers that BookStack
has been tested with just so happen to also stick those claims in the ID
Token even though they don't have to. But others (in particular:
https://login.infomaniak.com) don't do so, and require fetching the
UserInfo Endpoint.)
A workaround is currently possible by having the user write a theme with a
ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE hook that fetches the UserInfo
Endpoint. This workaround isn't great, for a few reasons:
1. Asking the user to implement core parts of the OIDC protocol is silly.
2. The user either needs to re-fetch the .well-known/openid-configuration
file to discover the endpoint (adding yet another round-trip to each
login) or hard-code the endpoint, which is fragile.
3. The hook doesn't receive the HTTP client configuration.
So, have BookStack's OidcService fetch the UserInfo Endpoint and inject
those claims into the ID Token, if a UserInfo Endpoint is defined.
Two points about this:
- Injecting them into the ID Token's claims is the most obvious approach
given the current code structure; though I'm not sure it is the best
approach, perhaps it should instead fetch the user info in
processAuthorizationResponse() and pass that as an argument to
processAccessTokenCallback() which would then need a bit of
restructuring. But this made sense because it's also how the
ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE hook works.
- OIDC *requires* that a UserInfo Endpoint exists, so why bother with
that "if a UserInfo Endpoint is defined" bit? Simply out of an
abundance of caution that there's an existing BookStack user that is
relying on it not fetching the UserInfo Endpoint in order to work with
a non-compliant OIDC Provider.
[1]: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
- Cast send_invite value in cases where it might not have been a boolean,
which occurs on non-JSON requests.
- Added test to cover.
- Updated API docs to mention and shown boolean usage.
Cleaned up and updated page picker a bit, allowing longer names to show,
clicking through to item without triggering popup, and updated to use
hidden attributes instead of styles.
Added phpunit tests to cover supporting entity-selector-templates
endpoint.
- Adapted existing page picker to be usable elsewhere.
- Added endpoint for getting templates for entity picker.
- Added search template filter to support above.
- Updated book save handling to check/validate submitted template.
- Allows non-visible pages to flow through the save process, if not
being changed.
- Updated page deletes to handle removal of default usage on books.
- Tweaked wording and form styles to suit.
- Updated migration to explicity reflect default value.
Swapped back handling to instead be pre-determined instead of being
based upon session/referrer which would cause inconsistent results when
referrer data was not available (redirect to app-loaded images/files).
To support, this adds a mechansism to provide a URL through request
data.
Also cleaned up some imports in code while making changes.
Closes#4656.
Avoided updating markdown-it package to 14 for now since it would cause
bundle size to inflate. Don't think ESBuild is properly tree shaking
"entities" sub package which inflates size.
This changes the point-of-logout to be within the initial part of the
SAML logout flow, as per 5.3.2 of the SAML spec, processing step 2.
This also improves the logout redirect handling to use the global
redirect suggestion so that auto-login handling is properly taken into
account.
Added tests to cover.
Manual testing performed against keycloak.
For #4713
- Disabled by default due to strict rejection by auth systems.
- Fixed issue when autoloading logout URL, but not provided in
autodiscovery response.
- Added proper handling for if the logout URL contains a query string
already.
- Added extra tests to cover.
- Forced config endpoint to be used, if set as a string, instead of
autodiscovery endpoint.
Extracted logout to the login service so the logic can be shared instead
of re-implemented at each stage. For this, the SocialAuthService was
split so the driver management is in its own class, so it can be used
elsewhere without use (or circular dependencies) of the
SocialAuthService.
During review of #4467
- Updated HTML exports to have auto direction to properly react to RTL
text when in the content.
- Fixed RTL spacing issues in new editor design changes.
- Fixed pointer arrow being angled wrong on RTL languages.
Related to #4645
Managed to do this in an API-compatible way although resuling output may
differ due to new dom handling in general, although user content is used
inline to remain as comptable as possible.
- Added mulit-level depth parsing.
- Updating usage of HTML doc in page content to be efficient.
- Removed now redundant PageContentTest cases.
- Made some include system fixes based upon testing.
Expanded tests with many more cases, and added fixes for failed
scenarios.
Updated logic to specifically handling parent <p> tags, and now assume
compatibility with parent block types elswhere to allow use in a
variety of scenarios (td, details, blockquote etc...).
Implements block promoting to body (including position choosing based
upon likely tag position within parent) and block splitting where we're
only a single depth down from the body child.
Updated image loading for intervention library to be via a specific
'initFromBinary' method to avoid being overly accepting of input types
and mechansisms.
For CVE-2023-6199
Saves specifically the document element on output to HTML, since this
results in just the outer HTML being saved while not including the extra
XML tags which would show up before with the changes to force utf8
usage.
Adds a thin wrapper for DOMDocument to simplify and align usage within
all areas of BookStack.
Also means we move away from old depreacted mb_convert_encoding usage.
Closes#4638
- Merged book and chapter name items to a single page path list item
which has links to parent page/chapter.
- Added permission filtering to page path elements.
- Added page path to also be on comment notifications.
- Updated testing to cover.
- Added new Message Line objects to support.
Done during review of #4629
added book name
synced with actual file from dev branch
added book name
add book name
added book name
extended with chaptername
extended with chapter name
Update PageUpdateNotification.php
Update notifications.php
Update notifications.php
Update notifications.php
correction of chapter syntax
correction of chapter syntax
Changes since adding notifications would cause direction to be assessed
upon max height of 80vh, which caused large dropdowns like the audit log
dropdown to drop up and/or go offscreen.
This restores the default assessment of 500px, and adds dynamic
max-height adjustment to provide more room for large dropdowns.
For #4652
Change due to link color being more suitable in this case since it's not
specifically a block with light text which is what app color is suited
for.
Specifically better for dark mode when a dark app color is used.
For #4630
- Updated anchor scroll change to open up details blocks if the target
exists within.
- Updated highlighting and animation implementation to fix hardly visible highlighting.
- Removed old, now unused, handing of CM instances in details blocks.
Related to #4637.
- Updated sponsor text since it only mentioned GitHub, nothing else.
- Updated translation contribution info to dissuade code-based
contributions due to issues with conflicts/sync.
Previously we'd prevent caching of authed responses for security
(prevent back cache or proxy caching) but caching could still be an
issue in non-auth scenarios due to CSRF (eg. returning to login screen after
session expiry).
For #4600
- Fixed inital empty state margins/paddings to be aligned and not differ
when lists are empty.
- Aligned button/action display when viewing empty entities.
- Fixed use of non-existing permission in books for book empty state
button.
Fixes#4563
- Updated existing tests now affected by my-account changes.
- Updated some existing tests to more accuractly check the scenario.
- Updated some code styling in SocialController.
- Fixed redirects for social account flows to fit my-account.
- Added test for social account attaching.
- Added test for api token redirect handling.
Updated old user management routes to only be accessible with permission
to manage users, so also removed old content controls checking for that
permission.
- Moved preference views to more general "my-account" area.
- Started new layout for my-account with sidebar.
- Added MFA to prefeences view (to be moved).
Updated default homepage layout to be much nicer at ipad-like widths by
switching to css-column approach at those breakpoints.
Also neated top actions by switching to simpler flexbox layout.
Fixes#4596
Restructured tri-layout grid system, so the sidebars are contained in
their own child grid system, mimicking the parent grid, so we can treat
them as part of the same parent scroll container at smaller screen
sizes for consistent scroll/sticky behavior.
Tested on Firefox, Chromium, Gnome Web and Safari (MacOS).
For #4394
Changes made during review of #4562
- Updated to go through HomeController with the builder as a helper
class.
- Extracted some reapeated items into variables in manifest.
- Updated background color to match those used by BookStack.
- Removed reference of icon.ico since its not intended to be used.
- Added tests to cover functionality.
Review of #4430
- Moved thumnbail loading out of repo into ImageResizer.
- Updated gallery and editor image handling to show errors where
possible to indicate memory issues for resizing/thumbs.
- Updated gallery to load image data in a per-image basis via edit form
for more resiliant thumb/data fetching. Data was previously provided
via gallery listing, which could be affected by failing generation
of other images.
- Updated image manager double click handling to be more pleasant and
not flash away the edit form.
- Updated editor handlers to use main URL when thumbs fail to load.
Added since we can't always be sure of future image usage, and in many
cases we don't generate ahead-of-time.
Also:
- Simplified image handling on certain models.
- Updated various string handling operations to use newer functions.
- Added some level of app out-of-memory handling so we can show a proper
error message upon OOM events.
- Added endpoint and image-manager button/action for regenerating
thumbnails for an image so they can be re-created upon failure.
Uploads over the post max size Would previously error without a
clean user facing message. This catches that error to provide a
user friendly message, compatible with our common error handling.
Tested on image manager handling.
Added test to cover.
- Fixed missing page content for direct page children
- Fixed lack of book description.
- Fixed inconsistent spacing between items.
- Fixed lack of spacing between HTML items when HTML on same line.
For #4557
- Moved "common" template partials, that are only used in layouts, to
layouts/parts folder.
- Simplified HTML structure of header template.
- Extracted logo and links from header template to simplify.
- Added header-links-start template for easier extension/customization
without needing to override full list of links.
- Added test to cover usage of this.
For #4564
Added due to now not being able to perform an exact search where
contains a trailing backslash.
Now all backslashes in exact terms are consided escape chars
and require escaping themselves.
Potential breaking change due to search syntax handling change.
Related to #4535.
Also prevented use of empty exact matches.
Prevents issues when attempting to use exact search terms in inputs for
just search terms, and use of single " chars within search terms since
these would get auto-promoted to exacts.
For #4535
During review of #4560.
- Simplified command to share as much log as possible across different
run options.
- Extracted out user handling to share with MFA command.
- Added specific handling for disabled avatar fetching.
- Added mention of avatar endpoint, to make it clear where these avatars
are coming from (Protect against user expectation of LDAP avatar sync).
- Simplified a range of the testing.
- Tweaked wording and code formatting.
There was a lot of locale handling to get correct/expected date
formatting within the app.
Carbon now has built-in locale content rather than us needing to target
specific system locales.
This also removes setting locale via Carbon directly.
Carbon registers its own Laravel service provider which seems to
accurately pull the correct locale from the app.
For #4555
- Reduced app settings down to what's required.
- Used new view-shared $locale object instead of using globals via
config.
- Aligned language used to default on "locale" instead of mixing
locale/language.
For #4501
- Moves guest user caching from User class to app container for
simplicity.
- Updates test to use simpler $this->users->guest() method for
consistency.
- Streamlined helpers to avoid function overlap for simplicity.
- Extracted user profile dropdown while doing changes.
- Updating formatting.
- Tweaked truncation to roughly match elipsis char to width used.
- Updated testing to use existing helpers, and ran check as admin user
to avoid name conflicts.
This adds specific handling for functions.php error loading to re-throw
errors wrapped in a more descriptive message, to make it clear the error
is due to an issue in their functions.php file.
Decided to throw and stop, rather than ignore & continue, to be on the
safe side in the event auth-level (or other security level) customizations
have been made via functions.php.
Adds test to cover.
Closes#4504
The page comments component would throw an error due to references to
form elements/content, when form elements may not exist due to
permisisons.
For #4531
Tested locally before & after change, and looked at code to compare.
Nothing seen or experienced that should affect things, from testing all
is working as expected with no difference from before.
- Update composer requirement of socialite to that which included slack.
- Updated PHP depds while there.
- Updated format of socialite events to align with current documentation
and to use class references instead of strings.
- Changed use of array spread since it was not supported in PHP8.0.
- Updated issue templates based to reduce less valueable fields, update
some details, and try to help bug reports be more focused on bugs.
- Updated readme with peertube link and attribution advistory for
translations PRs.
Used an "example.com" address so we're using a propoer reserved domain,
and to avoid these trying to be delivered to the main bookstackapp
domain.
Closes#4518
- Adds filtering to the watched items list in notification preferences
so that deleted (recycle bin) items are removed via query.
- Adds relations and logic to properly remove watches upon user and
entity delete events, to old watches in database do not linger.
- Adds testing to cover the above.
Did not add migration for existing data, since patch will be close to
introduction, and lingering DB entries don't open a security concern,
just some potential confusion in specific potential scenarios.
Probably not work extra migration risk, although could add in future if
concerns/issues are found.
Related to #4499
- Passed decode flags to provide consistent behaviour across PHP
versions during testing.
- Added env option to prevent local option taking action in PHPunit
tests.
- This ensures content notifications are not translated to receiver
language.
- This adds actual plaintext support for content notifications (Was
previously just HTML as text view).
- Shares same base class across all mail notifications.
- Also cleaned up existing notification classes.
Future cleanup requested via #4501
- Covered webhook SSR allow list useage via test.
- Updated allow list handling to use trailing slash, or hash, or end of
line as late anchor for better handling for hosts (prevent .co.uk
passing for .co domain host)
Prevention of action on certain routes for guest user when public access
is enabled. Could not see a way this could be a security issue, beyond a
mild nuisance that'd only be visible if public users can edit, which
would present larger potential nuisance anyway.
- Tweaked wording of popup title.
- Updated WYSIWYG create handling to properly remove drawing container
on failure.
Tested across FF and chrome, in both editors for create & editing.
Adds just the part to store image data, and remove on successfull save.
Alters save events to properly throw upon error.
Adds IDB-Keyval library for local large-size store.
For #4421
Review of #4313
- Made constructor changes while reviewing some classes.
- Updated API examples for consistency.
- Tweaked formatting for some array changes.
- Simplified added tests.
- Tweaked chapter/page repo priority handling to be simpler.
Performed manual API endpoint testing of page/chapter create/update.
Added test and changed logic to properly check the view permissions for
the notification receiver before sending.
Required change to permissions applicator to allow the user to be
manually determined, and a service provider update to provide the class
as a singleton without a specific user, so it checks the current logged
in user on demand.
- Ensured watch options passed in all meta template usage to fix failing
scenarios where watch options did not exist.
- Fixed testing issue caused by guest user permission caching.
- Updated mail notification design to be a bit prettier, and extracted
text to new lang file for translation.
- Added debounce logic for page update notifications.
- Fixed watch options not being filtered to current user.
- Added general user preferences view and updated link in profile menu
to suit.
- Made notification permission required for notification preferences
view, added test to cover.
- Adds option filtering and alternative text for page watch options.
- Adds "Watched & Ignored Items" list to user notification preferences
page to show existing watched items.
Kept existing "COMMENTED_ON" activity for upgrade compatibility,
specifically for existing webhook usage and for showing comment
activities in activity lists.
Precursor to content notifications.
Currently untested.
Also applied some type updates.
Reverted work in 847a57a49aef525d2f7f429a30e58a34cf69d43f.
Left test in but updated to new expectation.
Left migration in but removed content to prevent new pre-v23.06
upgraders loosing shelf create permission status.
Added note to permission to describe use-case.
For #4375
Due to queue serialization.
Added a test to check a couple of delete events.
Added ApiTokenFactory to support.
Also made a couple of typing/doc updates while there.
Related to #4373
Remove the book attribute in responses because it is never returned by the API. Currently, Chapters Create does not return book_slug! (The example response is consistent with the inconsistent API behavior)
Occured when the cell contained any block content with a differnt line
height to the table cell itself.
In firefox, cells with a height would end up with an actual greater
real cell height, which messed up TinyMCE resize calculations, causing
tables to grow.
Adding default vertical-align: top, changes this behaviour to get proper
cell heights.
Related to Firefox issue: https://bugzilla.mozilla.org/show_bug.cgi?id=569645
Have tested that editor cell text align options can still be used with
this.
For #4337
Was causing confusion.
Added test to cover.
Also added migration to remove existing create entries to pre-emptively
avoid issues in future if 'create' is used again.
After full review of current MAIL_ENCRYPTION usage in laravel and
smyfony mailer, this updates the options in BookStack to be simplified
and specific in usage:
- Removed mail.mailers.smtp.encryption option since it did not actually
affect anything in the current state of dependancies.
- Updated MAIL_ENCRYPTION so values of tls OR ssl will force-enable tls
via 'scheme' option with laravel passes to the SMTP transfport, which
Smyfony uses as an indicator to force TLS.
When MAIL_ENCRYPTION is not used, STARTTLS will still be attempted by
symfony mailer.
Updated .env files to refer to BookStack docs (which was updated for
this) and to reflect correct default port.
Related to #4342
Added support for mulit-line endpoint descriptions via blank
intermediate lines in php controller method docblocks.
Also tweaks endpoint header design for better flexing and alignment.
Fixes issue where providing owner_id alongside certain
fallback_permissions would cause the owner change not to take affect,
due to bad variable shadowing.
For #4323
Remove unnecessary UnauthorizedException
and make ApiAuthException compatible with HttpExceptionInterface.
Move the creation of a rsponse for the exception
from ApiAuthenticate middleware into the application exception handler.
Within the flow of HttpFetchException, the actual exception from curl is preserved and logged. Make HttpFetchException a pretty exception for when it is shown to users.
Needed some level of harcoding though due to callouts using colors,
which can't be css colors as DOMPDF won't understand these.
Use css variables elsewhere and added new dark variants to fit a bit
better.
Provides a way for users to actually delte their user drafts where
required.
For #3927
Added test to cover new endpoint.
Makes update to MD editor #setText so that new selection is within new
range, otherwise it errors and fails operation.
Ensures some sensible text is always in webhook text data.
Also aligned some notification reporting to use centralised activity
system instead of custom success events.
For #4216
Primarily intended to show parent book for chapters when moving/copying
pages, since the default parent selector interfaces, which used the
entity-selector search endpoint, would run this popular query when no
term was present as a default backup.
For #4264
Previously additional roles would only partially apply (system or "all"
permissions). This aligns the query-handling of permissions so that
additional roles will be used for permission queries.
Adds migration to detach existing roles as a safety precaution since
this is likely to widen permissions in scenarios that the public user
has other roles assigned already.
For #1229
Updated reply inidicator to fit with new nesting system, only showing on
view when nest within nesting structure.
Updated the general design to be a bit cleaner and better adapt on
mobile.
Tested on FF+Chrome, inc. dark mode.
- Updated pointer to move within content DOM so that you can back-focus
into the pointer if desired.
- Added new "Section select mode" which toggles focusabiltiy for main
content sections, with ability to show pointer via enter press on
these.
- Updated pointer with proper input/button labelling.
Tested via orca screen reader on Firefox/Fedora/Gnome.
For #3975
Primarily updated ldap_connect to avoid usage of deprecated syntax.
Updated tests and service to handle as expected.
Cleaned up syntax and types in classes while there.
Closes#4274
- Updated tab handling to be smarter on initial tab selection, to first
target non-hidden tab panels where they may be handled server-side.
- Extracted contained search box handling styles to _forms.scss, after
merging with image-manager-specific styles since this is only usage of
contained variant.
- Aligned focus handling on image manager UI elements.
- Updated UI with image form dropdown containing delete and replace
image actions.
- Adds new endpoint and service/repo handling for replacing existing
image.
- Includes tests to cover.
Makes interface relatively usable now on mobile sizes.
Required updating of tab handling to support tabs being active at only
mobile screen sizes, include change on resize, upon support for
potentially nested tab usage.
Tab component will now search within sensible depths for finding its own
tabs and panels to control.
description:Create a report to help us improve or fix things
description:Create a report to help us fix bugs & issues in existing supported functionality
labels:[":bug: Bug"]
body:
- type:markdown
attributes:
value:|
Thanks for taking the time to fill out a bug report!
Please note that this form is for reporting bugs in existing supported functionality.
If you are reporting something that's not an issue in functionality we've previously supported and/or is simply something different to your expectations, then it may be more appropriate to raise via a feature or support request instead.
- type:textarea
id:description
attributes:
@ -13,7 +20,7 @@ body:
id:reproduction
attributes:
label:Steps to Reproduce
description:Detail the steps that would replicate this issue
description:Detail the steps that would replicate this issue.
placeholder:|
1. Go to '...'
2. Click on '....'
@ -32,7 +39,7 @@ body:
id:context
attributes:
label:Screenshots or Additional Context
description:Provide any additional context and screenshots here to help us solve this issue
description:Provide any additional context and screenshots here to help us solve this issue.
validations:
required:false
- type:input
@ -48,23 +55,7 @@ body:
id:bsversion
attributes:
label:Exact BookStack Version
description:This can be found in the settings view of BookStack. Please provide an exact version.
placeholder:(eg. v21.08.5)
validations:
required:true
- type:input
id:phpversion
attributes:
label:PHP Version
description:Keep in mind your command-line PHP version may differ to that of your webserver. Provide that relevant to the issue.
placeholder:(eg. 7.4)
validations:
required:false
- type:textarea
id:hosting
attributes:
label:Hosting Environment
description:Describe your hosting environment as much as possible including any proxies used (If applicable).
placeholder:(eg. Ubuntu 20.04 VPS, installed using official installation script)
description:This can be found in the settings view of BookStack. Please provide an exact version(s) you've tested on.
label:Have you searched for an existing open/closed issue?
description:|
To help us keep these issues under control, please ensure you have first [searched our issue list](https://github.com/BookStackApp/BookStack/issues?q=is%3Aissue) for any existing issues that cover the fundemental benefit/goal of your request.
To help us keep these issues under control, please ensure you have first [searched our issue list](https://github.com/BookStackApp/BookStack/issues?q=is%3Aissue) for any existing issues that cover the fundamental benefit/goal of your request.
options:
- label:I have searched for existing issues and none cover my fundemental request
- label:I have searched for existing issues and none cover my fundamental request
// Spec: v1.0 5.3.2: The sub (subject) Claim MUST always be returned in the UserInfo Response.
if(!is_string($sub)||empty($sub)){
thrownewOidcInvalidTokenException("No valid subject value found in userinfo data");
}
// Spec: v1.0 5.3.2: The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token;
// if they do not match, the UserInfo Response values MUST NOT be used.
if($idTokenSub!==$sub){
thrownewOidcInvalidTokenException("Subject value provided in the userinfo endpoint does not match the provided ID token value");
}
// Spec v1.0 5.3.4 Defines the following:
// Verify that the OP that responded was the intended OP through a TLS server certificate check, per RFC 6125 [RFC6125].
// This is effectively done as part of the HTTP request we're making through CURLOPT_SSL_VERIFYHOST on the request.
// If the Client has provided a userinfo_encrypted_response_alg parameter during Registration, decrypt the UserInfo Response using the keys specified during Registration.
// We don't currently support JWT encryption for OIDC
// If the response was signed, the Client SHOULD validate the signature according to JWS [JWS].
// This is done as part of the validateCommonClaims above.
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
