chore: prep 1.8.3 release

* chore: create tests to highlight the conditional instantiation problem

* Apply fixes from StyleCI

* add callback and invokable class + tests

* Apply fixes from StyleCI

* address stan issue on php 8.2

* Revert "address stan issue on php 8.2"

This reverts commit 1fc2c8801a2b75f462251be8ae266e1699497f95.

* attempt to make stan happy

* Revert "attempt to make stan happy"

This reverts commit 1cc327bb3b1cc52273b18488f9cc926f43d8858e.

* is it really that simple?

* Revert "is it really that simple?"

This reverts commit 2006755cf17157e653c610e222377cac5f127e50.

* let's try this

* Update framework/core/src/Extend/Conditional.php

Co-authored-by: Sami Mazouz <sychocouldy@gmail.com>

---------

Co-authored-by: StyleCI Bot <bot@styleci.io>
Co-authored-by: Sami Mazouz <sychocouldy@gmail.com>

.github/workflows/frontend.yml

@@ -10,7 +10,7 @@ jobs:
       backend_directory: ./
       js_package_manager: yarn
       cache_dependency_path: ./yarn.lock
-      main_git_branch: main
+      main_git_branch: 1.x
       enable_tests: true
       # @TODO: fix bundlewatch
       enable_bundlewatch: false

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [v1.8.3](https://github.com/flarum/framework/compare/v1.8.2...v1.8.3)
+### Fixed
+* Console extender does not accept ::class [#3900]
+* Conditional extender instantiation [#3898]
+
+## [v1.8.2](https://github.com/flarum/framework/compare/v1.8.1...v1.8.2)
+### Fixed
+* suspended users can abuse avatar upload [#3890]
+* missing compat exports [#3888]
+
 ## [v1.8.1](https://github.com/flarum/framework/compare/v1.8.0...v1.8.1)
 ### Fixed
 * recover temporary solution for html entities in browser title (e72541e35de4f71f9d870bbd9bb46ddf586bdf1d)

extensions/mentions/src/Formatter/FormatPostMentions.php

@@ -11,7 +11,6 @@ namespace Flarum\Mentions\Formatter;
 
 use Flarum\Discussion\Discussion;
 use Flarum\Http\SlugManager;
-use Flarum\Post\CommentPost;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use s9e\TextFormatter\Renderer;
 use s9e\TextFormatter\Utils;

extensions/suspend/src/Access/UserPolicy.php

@@ -25,4 +25,11 @@ class UserPolicy extends AbstractPolicy
             return $this->deny();
         }
     }
+
+    public function uploadAvatar(User $actor, User $user)
+    {
+        if ($actor->suspended_until && $actor->suspended_until->isFuture()) {
+            return $this->deny();
+        }
+    }
 }

extensions/suspend/tests/integration/api/users/UploadAvatarTest.php

@@ -0,0 +1,103 @@
+<?php
+
+/*
+ * This file is part of Flarum.
+ *
+ * For detailed copyright and license information, please view the
+ * LICENSE file that was distributed with this source code.
+ */
+
+namespace Flarum\Suspend\Tests\integration\api\users;
+
+use Carbon\Carbon;
+use Flarum\Testing\integration\RetrievesAuthorizedUsers;
+use Flarum\Testing\integration\TestCase;
+use Laminas\Diactoros\UploadedFile;
+use Psr\Http\Message\ResponseInterface;
+
+class UploadAvatarTest extends TestCase
+{
+    use RetrievesAuthorizedUsers;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->extension('flarum-suspend');
+
+        $this->prepareDatabase([
+            'users' => [
+                ['id' => 1, 'username' => 'Muralf', 'email' => 'muralf@machine.local', 'is_email_confirmed' => 1],
+                $this->normalUser(),
+                ['id' => 3, 'username' => 'acme', 'email' => 'acme@machine.local', 'is_email_confirmed' => 1, 'suspended_until' => Carbon::now()->addDay(), 'suspend_message' => 'You have been suspended.', 'suspend_reason' => 'Suspended for acme reasons.'],
+                ['id' => 4, 'username' => 'acme4', 'email' => 'acme4@machine.local', 'is_email_confirmed' => 1],
+                ['id' => 5, 'username' => 'acme5', 'email' => 'acme5@machine.local', 'is_email_confirmed' => 1, 'suspended_until' => Carbon::now()->subDay(), 'suspend_message' => 'You have been suspended.', 'suspend_reason' => 'Suspended for acme reasons.'],
+            ],
+            'groups' => [
+                ['id' => 5, 'name_singular' => 'can_edit_users', 'name_plural' => 'can_edit_users', 'is_hidden' => 0]
+            ],
+            'group_user' => [
+                ['user_id' => 2, 'group_id' => 5]
+            ],
+            'group_permission' => [
+                ['permission' => 'user.edit', 'group_id' => 5],
+            ]
+        ]);
+    }
+
+    /**
+     * @dataProvider allowedToUploadAvatar
+     * @test
+     */
+    public function can_suspend_user_if_allowed(?int $authenticatedAs, int $targetUserId, string $message)
+    {
+        $response = $this->sendUploadAvatarRequest($authenticatedAs, $targetUserId);
+
+        $this->assertEquals(200, $response->getStatusCode(), $response->getBody()->getContents());
+    }
+
+    /**
+     * @dataProvider unallowedToUploadAvatar
+     * @test
+     */
+    public function cannot_suspend_user_if_not_allowed(?int $authenticatedAs, int $targetUserId, string $message)
+    {
+        $response = $this->sendUploadAvatarRequest($authenticatedAs, $targetUserId);
+
+        $this->assertEquals(403, $response->getStatusCode(), $response->getBody()->getContents());
+    }
+
+    public function allowedToUploadAvatar(): array
+    {
+        return [
+            [1, 2, 'Admin can upload avatar for any user'],
+            [2, 3, 'User with permission can upload avatar for suspended user'],
+            [2, 2, 'User with permission can upload avatar for self'],
+            [2, 4, 'User with permission can upload avatar for other user'],
+            [1, 1, 'Admin can upload avatar for self'],
+            [5, 5, 'Suspended user can upload avatar for self if suspension expired'],
+        ];
+    }
+
+    public function unallowedToUploadAvatar(): array
+    {
+        return [
+            [3, 3, 'Suspended user cannot upload avatar for self'],
+            [3, 2, 'Suspended user cannot upload avatar for other user'],
+            [4, 3, 'User without permission cannot upload avatar for suspended user'],
+            [4, 2, 'User without permission cannot upload avatar for other user'],
+            [5, 2, 'Suspended user cannot upload avatar for other user if suspension expired'],
+        ];
+    }
+
+    protected function sendUploadAvatarRequest(?int $authenticatedAs, int $targetUserId): ResponseInterface
+    {
+        return $this->send(
+            $this->request('POST', "/api/users/$targetUserId/avatar", [
+                'authenticatedAs' => $authenticatedAs,
+            ])->withHeader('Content-Type', 'multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW')->withUploadedFiles([
+                'avatar' => new UploadedFile(__DIR__.'/../../../fixtures/avatar.png', 0, UPLOAD_ERR_OK, 'avatar.png', 'image/png')
+            ])
+        );
+    }
+}

framework/core/js/dist-typings/admin/compat.d.ts

@@ -122,6 +122,7 @@ declare const _default: {
     'components/TextEditorButton': typeof import("../common/components/TextEditorButton").default;
     'components/Tooltip': typeof import("../common/components/Tooltip").default;
     'components/EditUserModal': typeof import("../common/components/EditUserModal").default;
+    'components/LabelValue': typeof import("../common/components/LabelValue").default;
     Model: typeof import("../common/Model").default;
     Application: typeof import("../common/Application").default;
     'helpers/fullTime': typeof import("../common/helpers/fullTime").default;

framework/core/js/dist-typings/common/compat.d.ts

@@ -86,6 +86,7 @@ import isObject from './utils/isObject';
 import AlertManagerState from './states/AlertManagerState';
 import ModalManagerState from './states/ModalManagerState';
 import PageState from './states/PageState';
+import LabelValue from './components/LabelValue';
 declare const _default: {
     extenders: {
         Model: typeof import("./extenders/Model").default;
@@ -174,6 +175,7 @@ declare const _default: {
     'components/TextEditorButton': typeof TextEditorButton;
     'components/Tooltip': typeof Tooltip;
     'components/EditUserModal': typeof EditUserModal;
+    'components/LabelValue': typeof LabelValue;
     Model: typeof Model;
     Application: typeof Application;
     'helpers/fullTime': typeof fullTime;

framework/core/js/dist-typings/forum/compat.d.ts

@@ -71,6 +71,7 @@ import BasicEditorDriver from '../common/utils/BasicEditorDriver';
 import routes from './routes';
 import ForumApplication from './ForumApplication';
 import isSafariMobile from './utils/isSafariMobile';
+import AccessTokensList from './components/AccessTokensList';
 declare const _default: {
     extenders: {
         Model: typeof import("../common/extenders/Model").default;
@@ -159,6 +160,7 @@ declare const _default: {
     'components/TextEditorButton': typeof import("../common/components/TextEditorButton").default;
     'components/Tooltip': typeof import("../common/components/Tooltip").default;
     'components/EditUserModal': typeof import("../common/components/EditUserModal").default;
+    'components/LabelValue': typeof import("../common/components/LabelValue").default;
     Model: typeof import("../common/Model").default;
     Application: typeof import("../common/Application").default;
     'helpers/fullTime': typeof import("../common/helpers/fullTime").default;
@@ -276,6 +278,7 @@ declare const _default: {
     'components/DiscussionListItem': typeof DiscussionListItem;
     'components/LoadingPost': typeof LoadingPost;
     'components/PostsUserPage': typeof PostsUserPage;
+    'components/AccessTokensList': typeof AccessTokensList;
     'resolvers/DiscussionPageResolver': typeof DiscussionPageResolver;
     routes: typeof routes;
     ForumApplication: typeof ForumApplication;

framework/core/js/src/common/compat.ts

@@ -90,6 +90,7 @@ import isObject from './utils/isObject';
 import AlertManagerState from './states/AlertManagerState';
 import ModalManagerState from './states/ModalManagerState';
 import PageState from './states/PageState';
+import LabelValue from './components/LabelValue';
 
 export default {
   extenders,
@@ -167,6 +168,7 @@ export default {
   'components/TextEditorButton': TextEditorButton,
   'components/Tooltip': Tooltip,
   'components/EditUserModal': EditUserModal,
+  'components/LabelValue': LabelValue,
   Model: Model,
   Application: Application,
   'helpers/fullTime': fullTime,

framework/core/js/src/forum/compat.ts

@@ -75,6 +75,7 @@ import BasicEditorDriver from '../common/utils/BasicEditorDriver';
 import routes from './routes';
 import ForumApplication from './ForumApplication';
 import isSafariMobile from './utils/isSafariMobile';
+import AccessTokensList from './components/AccessTokensList';
 
 export default Object.assign(compat, {
   'utils/PostControls': PostControls,
@@ -150,6 +151,7 @@ export default Object.assign(compat, {
   'components/DiscussionListItem': DiscussionListItem,
   'components/LoadingPost': LoadingPost,
   'components/PostsUserPage': PostsUserPage,
+  'components/AccessTokensList': AccessTokensList,
   'resolvers/DiscussionPageResolver': DiscussionPageResolver,
   routes: routes,
   ForumApplication: ForumApplication,

framework/core/src/Extend/Conditional.php

@@ -13,17 +13,34 @@ use Flarum\Extension\Extension;
 use Flarum\Extension\ExtensionManager;
 use Illuminate\Contracts\Container\Container;
 
+/**
+ * The Conditional extender allows developers to conditionally apply other extenders
+ * based on either boolean values or results from callable functions.
+ *
+ * This is useful for applying extenders only if certain conditions are met,
+ * such as the presence of an enabled extension or a specific configuration setting.
+ */
 class Conditional implements ExtenderInterface
 {
     /**
-     * @var array<array{condition: bool|callable, extenders: ExtenderInterface[]}>
+     * An array of conditions and their associated extenders.
+     *
+     * Each entry should have:
+     * - 'condition': a boolean or callable that should return a boolean.
+     * - 'extenders': an array of extenders, a callable returning an array of extenders, or an invokable class string.
+     *
+     * @var array<array{condition: bool|callable, extenders: ExtenderInterface[]|callable|string}>
      */
     protected $conditions = [];
 
     /**
-     * @param ExtenderInterface[] $extenders
+     * Apply extenders only if a specific extension is enabled.
+     *
+     * @param string $extensionId The ID of the extension.
+     * @param ExtenderInterface[]|callable|string $extenders An array of extenders, a callable returning an array of extenders, or an invokable class string.
+     * @return self
      */
-    public function whenExtensionEnabled(string $extensionId, array $extenders): self
+    public function whenExtensionEnabled(string $extensionId, $extenders): self
     {
         return $this->when(function (ExtensionManager $extensions) use ($extensionId) {
             return $extensions->isEnabled($extensionId);
@@ -31,10 +48,14 @@ class Conditional implements ExtenderInterface
     }
 
     /**
-     * @param bool|callable $condition
-     * @param ExtenderInterface[] $extenders
+     * Apply extenders based on a condition.
+     *
+     * @param bool|callable $condition A boolean or callable that should return a boolean.
+     *                                 If this evaluates to true, the extenders will be applied.
+     * @param ExtenderInterface[]|callable|string $extenders An array of extenders, a callable returning an array of extenders, or an invokable class string.
+     * @return self
      */
-    public function when($condition, array $extenders): self
+    public function when($condition, $extenders): self
     {
         $this->conditions[] = [
             'condition' => $condition,
@@ -44,6 +65,13 @@ class Conditional implements ExtenderInterface
         return $this;
     }
 
+    /**
+     * Iterates over the conditions and applies the associated extenders if the conditions are met.
+     *
+     * @param Container $container
+     * @param Extension|null $extension
+     * @return void
+     */
     public function extend(Container $container, Extension $extension = null)
     {
         foreach ($this->conditions as $condition) {
@@ -52,7 +80,13 @@ class Conditional implements ExtenderInterface
             }
 
             if ($condition['condition']) {
-                foreach ($condition['extenders'] as $extender) {
+                $extenders = $condition['extenders'];
+
+                if (is_string($extenders) || is_callable($extenders)) {
+                    $extenders = $container->call($extenders);
+                }
+
+                foreach ($extenders as $extender) {
                     $extender->extend($container, $extension);
                 }
             }

framework/core/src/Extend/Console.php

@@ -10,6 +10,7 @@
 namespace Flarum\Extend;
 
 use Flarum\Extension\Extension;
+use Flarum\Foundation\ContainerUtil;
 use Illuminate\Contracts\Container\Container;
 
 class Console implements ExtenderInterface
@@ -61,7 +62,11 @@ class Console implements ExtenderInterface
             return array_merge($existingCommands, $this->addCommands);
         });
 
-        $container->extend('flarum.console.scheduled', function ($existingScheduled) {
+        $container->extend('flarum.console.scheduled', function ($existingScheduled) use ($container) {
+            foreach ($this->scheduled as &$schedule) {
+                $schedule['callback'] = ContainerUtil::wrapCallback($schedule['callback'], $container);
+            }
+
             return array_merge($existingScheduled, $this->scheduled);
         });
     }

framework/core/src/Foundation/Application.php

@@ -21,7 +21,7 @@ class Application
      *
      * @var string
      */
-    const VERSION = '1.8.1';
+    const VERSION = '1.8.3';
 
     /**
      * The IoC container for the Flarum application.

framework/core/src/Queue/ExceptionHandler.php

@@ -9,7 +9,6 @@
 
 namespace Flarum\Queue;
 
-use Exception;
 use Illuminate\Contracts\Debug\ExceptionHandler as ExceptionHandling;
 use Psr\Log\LoggerInterface;
 use Throwable;

framework/core/src/User/Access/UserPolicy.php

@@ -39,4 +39,15 @@ class UserPolicy extends AbstractPolicy
             return $this->allow();
         }
     }
+
+    public function uploadAvatar(User $actor, User $user)
+    {
+        if ($actor->id === $user->id) {
+            return $this->allow();
+        }
+
+        if ($actor->id !== $user->id) {
+            return $actor->can('edit', $user);
+        }
+    }
 }

framework/core/src/User/Command/UploadAvatarHandler.php

@@ -68,9 +68,7 @@ class UploadAvatarHandler
 
         $user = $this->users->findOrFail($command->userId);
 
-        if ($actor->id !== $user->id) {
-            $actor->assertCan('edit', $user);
-        }
+        $actor->assertCan('uploadAvatar', $user);
 
         $this->validator->assertValid(['avatar' => $command->file]);
 

framework/core/tests/integration/extenders/ConditionalTest.php

@@ -159,4 +159,140 @@ class ConditionalTest extends TestCase
 
         $this->app();
     }
+
+    /** @test */
+    public function conditional_does_not_instantiate_extender_if_condition_is_false_using_callable()
+    {
+        $this->extend(
+            (new Extend\Conditional())
+                ->when(false, TestExtender::class)
+        );
+
+        $this->app();
+
+        $response = $this->send(
+            $this->request('GET', '/api', [
+                'authenticatedAs' => 1,
+            ])
+        );
+
+        $payload = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertArrayNotHasKey('customConditionalAttribute', $payload['data']['attributes']);
+    }
+
+    /** @test */
+    public function conditional_does_instantiate_extender_if_condition_is_true_using_callable()
+    {
+        $this->extend(
+            (new Extend\Conditional())
+                ->when(true, TestExtender::class)
+        );
+
+        $this->app();
+
+        $response = $this->send(
+            $this->request('GET', '/api', [
+                'authenticatedAs' => 1,
+            ])
+        );
+
+        $payload = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertArrayHasKey('customConditionalAttribute', $payload['data']['attributes']);
+    }
+
+    /** @test */
+    public function conditional_does_not_instantiate_extender_if_condition_is_false_using_callback()
+    {
+        $this->extend(
+            (new Extend\Conditional())
+                ->when(false, function (): array {
+                    return [
+                        (new Extend\ApiSerializer(ForumSerializer::class))
+                            ->attributes(function () {
+                                return [
+                                    'customConditionalAttribute' => true
+                                ];
+                            })
+                    ];
+                })
+        );
+
+        $this->app();
+
+        $response = $this->send(
+            $this->request('GET', '/api', [
+                'authenticatedAs' => 1,
+            ])
+        );
+
+        $payload = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertArrayNotHasKey('customConditionalAttribute', $payload['data']['attributes']);
+    }
+
+    /** @test */
+    public function conditional_does_instantiate_extender_if_condition_is_true_using_callback()
+    {
+        $this->extend(
+            (new Extend\Conditional())
+                ->when(true, function (): array {
+                    return [
+                        (new Extend\ApiSerializer(ForumSerializer::class))
+                            ->attributes(function () {
+                                return [
+                                    'customConditionalAttribute' => true
+                                ];
+                            })
+                    ];
+                })
+        );
+
+        $this->app();
+
+        $response = $this->send(
+            $this->request('GET', '/api', [
+                'authenticatedAs' => 1,
+            ])
+        );
+
+        $payload = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertArrayHasKey('customConditionalAttribute', $payload['data']['attributes']);
+    }
+
+    /** @test */
+    public function conditional_does_not_work_if_extension_is_disabled()
+    {
+        $this->extend(
+            (new Extend\Conditional())
+                ->whenExtensionEnabled('dummy-extension-id', TestExtender::class)
+        );
+
+        $response = $this->send(
+            $this->request('GET', '/api', [
+                'authenticatedAs' => 1,
+            ])
+        );
+
+        $payload = json_decode($response->getBody()->getContents(), true);
+
+        $this->assertArrayNotHasKey('customConditionalAttribute', $payload['data']['attributes']);
+    }
+}
+
+class TestExtender
+{
+    public function __invoke(): array
+    {
+        return [
+            (new Extend\ApiSerializer(ForumSerializer::class))
+                ->attributes(function () {
+                    return [
+                        'customConditionalAttribute' => true
+                    ];
+                })
+        ];
+    }
 }

framework/core/tests/integration/extenders/ConsoleTest.php

@@ -75,6 +75,23 @@ class ConsoleTest extends ConsoleTestCase
 
         $this->assertStringContainsString('cache:clear', $this->runCommand($input));
     }
+
+    /**
+     * @test
+     */
+    public function scheduled_command_exists_when_added_with_class_syntax()
+    {
+        $this->extend(
+            (new Extend\Console())
+                ->schedule('cache:clear', ScheduledCommandCallback::class)
+        );
+
+        $input = [
+            'command' => 'schedule:list'
+        ];
+
+        $this->assertStringContainsString('cache:clear', $this->runCommand($input));
+    }
 }
 
 class CustomCommand extends AbstractCommand
@@ -95,3 +112,11 @@ class CustomCommand extends AbstractCommand
         $this->info('Custom Command.');
     }
 }
+
+class ScheduledCommandCallback
+{
+    public function __invoke(Event $event)
+    {
+        $event->everyMinute();
+    }
+}